1. Home
  2. /
  3. Use cases
  4. /
  5. Connect a Jenkins CI pipeline to SignServer

Connect a Jenkins CI pipeline to SignServer

SignServer and Jenkins integration automates the code signing process within the CI/CD pipeline, eliminating the need for manual intervention.

hero-sub-2-white
Jenkins banner

Automated Code Signing with Jenkins and SignServer

Jenkins is an open-source platform automating various stages of the software development lifecycle, including building, testing, and deploying applications. 

With the integration between Jenkins and SignServer, each code build and deployment through Jenkins can be automatically signed by SignServer.

How to get started

Consider a typical Java project as an example. When there are code changes in the Git repository, the Jenkins Pipeline automatically initiates an integrated workflow. It starts by building and testing the project, then proceeds to digitally sign the resulting artifact using standard Java code .jar file signing. 

In this example, the signing operation is done remotely by a SignServer instance that securely generates signatures and manages the code signing keys in an HSM. Using SignServer, signing keys aren't stored on laptops or anywhere else. In addition, SignServer makes sure every signing process generates audit logs, so you know what's going on.

The integration includes the following:

  • Using the SignServer JArchive CMS Signer for JAR signing.
  • Using a Jenkinsfile for Pipeline configuration.
  • A simple Java/Maven project in a Git repository.
  • Running a Jenkins Pipeline, building and delivering the app. Once the process is completed, the script output shows the call to the SignServer SignClient and displays that the file is successfully signed using SignServer.
  • Using Client Certificate Authentication to authorize Jenkins to sign files in SignServer.

Prerequisites 

The integration requires these servers to be available: 

  • EJBCA CA
  • SignServer Code Signing
  • Jenkins CI

Network traffic between the instances must be allowed. Our example is running in AWS and the most straightforward way is to allow all local virtual private cloud (VPC) traffic to the nodes, see SignServer Cloud AWS Launch Guide.

 

Documentation

Tutorials/documentation

Documentation

Check out the supplementary documentation.

Docker Hub

Get your hands on the SignServer Docker container by downloading it now from Docker Hub.

Discussions

Join our discussions to ask questions and share ideas.

Related open-source projects