Modern agile development and delivery practices enable frequent updates of deployed services. While this has the potential of increasing flexibility and user value of the services, it may also introduce security risks. Code signing ensures that a trusted organization has released the deliverables and that the code has not been altered or corrupted before being deployed in the target environment.
Development organizations need efficient ways of integrating code signing into the automated continuous integration (CI) and continuous delivery (CD) toolchains. Signature formats differ between different execution platforms but PKI based signatures are the common cornerstone for any secure best practice system for distribution and deployment of SW deliverables.
Jenkins is an open source automation server that enables developers to build, test, and deploy their software. PrimeKey’s SignServer, a server-side code signing solution, is multi-tenant and supports multiple code signing formats.
The PrimeKey SignServer reference integration for Jenkins enables using a Jenkins pipeline with the build, test, and deliver stages for a Java application built using Maven. SignServer is remotely accessed by the build pipeline enabling a centralized secure private key storage in Hardware Security Modules (HSMs). In the delivery stage of the build pipeline, Jenkins uses the connection to SignServer to sign the deliverable.
In order to optimize communication and minimize overhead, PrimeKey SignClient is used to generate a hash on the client-side and send the hash to SignServer for signing. This means that the full deliverable does not need to be transferred over the network. All generated signatures are kept in a central audit log that enables keeping track of all signed deliverables that have been released.
Based on the APIs supported in SignServer for appending a signature to a deliverable, combined with scripts used in the setup of a Jenkins CI/CD pipeline, SignServer can be used in combination with Jenkins to build a secure CI/CD pipeline.
In addition, to ensure mutual authentication, a TLS client certificate is configured in Jenkins, and SignServer is configured to accept code signing only from clients authenticated using client certificates. The TLS client certificates used in the solution can be issued using a CA set up for example PrimeKey EJBCA. EJBCA can also be used to issue the code signing certificates. By connecting SignServer and EJBCA, the code signing certificates may also be automatically renewed, enabling stable and smooth lifecycle management.
Learn more about the integration between SignServer and Jenkins for automated code signing in a CI/CD Pipeline:
Let us demonstrate the code signing capabilities of PrimeKey SignServer running on Azure integrated with Jenkins in a CI/CD Pipeline: