Integrate Windows CSP with Jenkins build for CI/CD pipeline

DevOps or build engineers who use Jenkins to build Windows native apps (executables and libraries) can integrate the Secure App Service (SAS) Windows CSP so that the built files are digitally signed with keys that never leave the SAS cloud.

The following instructions describe how to integrate the Secure App Service (SAS) Windows CSP with a Jenkins build in a CI/CD pipeline:

Pre-requisites

  1. A working Jenkins installation
  2. A Windows machine configured as a Jenkins agent, with the following sub-requirements:
    • The Windows SDK is installed, with signtool.exe either on the PATH environment variable or referenced directly by its full path inside the SDK installation
    • The Secure App Service Windows CSP is installed on the agent
      • Verify this by running ‘certutil.exe -csplist’ and looking for ‘Secure App Service Cryptographic Provider’ in the output
    • The SAS_CSP.properties file is configured with valid values for username, password, partnercode, publisherid, signingservice, sasapiurl, pemfile and pempassword (the location of this file depends on the OS architecture; refer to the README guide shipped with the CSP). Note that this file holds the credentials used to authenticate to SAS, so any job that can run on this agent can sign with those keys; restrict which jobs and users may use the agent accordingly

Setup

With the pre-requisites satisfied, configure the build pipeline in Jenkins in the usual way, with one addition: after the binary or library is built, invoke signtool.exe to sign it through the Secure App Service Windows CSP. Below is a sample scripted pipeline (Jenkins Pipeline DSL, which is Groovy) for reference:

```groovy
node {
	stage('Preparation') {
		echo 'preparation stage'
		// Check out the source from the Git repository
		git 'http://gitlab.local:4080/cc/demo-go.git'
	}
	stage('Build') {
		echo 'build stage'
		echo 'building go binary'
		// A Go binary is built here for demo purposes. Replace this with gcc, Visual C++ or any other
		// compiler that produces a valid PE/PE+ image recognised by Windows and signable with signtool.exe.
		bat 'go build -o demo.exe'
		// The Secure App Service Windows CSP performs the signature remotely, but signtool.exe still
		// needs the certificate that belongs to the alias on the local disk (passed via /f).
		// Download it once from the Secure App Service cloud if it is not already present.
		// The alias is hard-coded here; it can be parameterised on the alias name used to refer to the
		// key and certificate on the SAS cloud.
		if (!fileExists('FT5WinCSPCert.cer')) {
			echo 'getting certificate file using the DigiCert CSP utility'
			bat '"c:\\Program Files\\DigiCert\\Secure App Service Cryptographic Provider\\sas_generate_cert.exe" get FT5WinCSPCert'
		}
		echo 'signing binary using DigiCert csp'
		// Refer to the CSP README guide for the meaning of the /csp, /kc and /f parameters
		bat '"C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\signtool.exe" sign /csp "Secure App Service Cryptographic Provider" /kc FT5WinCSPCert,demo-cc /f FT5WinCSPCert.cer demo.exe'
	}
}
```

Now build the project. The resulting binary is digitally signed through the Secure App Service Windows CSP: the private key never leaves the Secure App Service cloud, and the agent only holds the public certificate (the .cer file) plus the SAS_CSP.properties credentials used to authenticate to the service.
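The pipeline above hard-codes the alias and does not check the pre-requisites or the result. The following scripted pipeline is an added example (not part of the original page or DigiCert's own samples) that parameterises the alias and key container, checks on the agent that the CSP is registered and that signtool.exe exists, signs with a SHA-256 file digest and an RFC 3161 timestamp, and fails the build if the signature does not verify. The agent label `windows`, the install paths, the default alias and key-container values, the timestamp server URL, and the assumption that `sas_generate_cert.exe get <alias>` writes `<alias>.cer` into the workspace (inferred from the sample above) are all assumptions for this example; take the real values from the CSP README and your SAS account.

```groovy
// Added example: parameterised signing pipeline with pre-flight checks and verification.
// All paths, labels and default values below are assumptions; adjust them to your agent.
properties([
	parameters([
		string(name: 'SAS_ALIAS', defaultValue: 'FT5WinCSPCert',
		       description: 'Alias of the key/certificate pair on the SAS cloud'),
		string(name: 'SAS_KC', defaultValue: 'FT5WinCSPCert,demo-cc',
		       description: 'Key container string passed to signtool /kc (format per the CSP README)'),
		string(name: 'TSA_URL', defaultValue: 'http://timestamp.digicert.com',
		       description: 'RFC 3161 timestamp server used for /tr')
	])
])

// Assumed install locations of the SDK signtool and the SAS certificate utility.
def SIGNTOOL_PATH = 'C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\signtool.exe'
def SAS_CERT_TOOL = '"C:\\Program Files\\DigiCert\\Secure App Service Cryptographic Provider\\sas_generate_cert.exe"'
def CSP_NAME = 'Secure App Service Cryptographic Provider'
def SIGNTOOL = "\"${SIGNTOOL_PATH}\""

node('windows') {   // assumed label of the Windows agent that has the CSP installed
	stage('Preflight') {
		// Pre-requisite: the CSP must be registered on this agent. The leading '@' stops
		// cmd.exe from echoing the command line into the captured output.
		def csps = bat(script: '@certutil.exe -csplist', returnStdout: true)
		if (!csps.contains(CSP_NAME)) {
			error "${CSP_NAME} is not installed on agent ${env.NODE_NAME}"
		}
		// Pre-requisite: signtool.exe must exist at the referenced SDK path.
		if (!fileExists(SIGNTOOL_PATH)) {
			error "signtool.exe not found at ${SIGNTOOL_PATH}; install the Windows SDK or fix the path"
		}
	}
	stage('Checkout') {
		git 'http://gitlab.local:4080/cc/demo-go.git'
	}
	stage('Build') {
		bat 'go build -o demo.exe'
	}
	stage('Sign') {
		// The private key never leaves SAS; only the public certificate is cached in the workspace.
		def cer = "${params.SAS_ALIAS}.cer"
		if (!fileExists(cer)) {
			bat "${SAS_CERT_TOOL} get ${params.SAS_ALIAS}"
		}
		// /fd sha256 selects the file digest algorithm (avoid the legacy SHA-1 default);
		// /tr and /td sha256 add an RFC 3161 timestamp so the signature stays valid after
		// the signing certificate expires.
		bat "${SIGNTOOL} sign /csp \"${CSP_NAME}\" /kc ${params.SAS_KC} /f ${cer} " +
		    "/fd sha256 /tr ${params.TSA_URL} /td sha256 demo.exe"
	}
	stage('Verify') {
		// Fail the build if the signature does not validate under the default authentication
		// policy (/pa). This only passes when the signing certificate chains to a root trusted
		// on the agent, so a test certificate issued by an untrusted CA will fail here.
		bat "${SIGNTOOL} verify /pa /v demo.exe"
	}
}
```

Run the job with the defaults, or override `SAS_ALIAS` and `SAS_KC` per build when several signing identities live on the same SAS account. Because the Verify stage uses the Windows trust store of the agent, keep the trusted root for your signing chain installed on that agent, and treat a verify failure as a real defect rather than something to suppress.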

The same approach works for Java: jarsigner, or custom Java code written against the JCA/JCE provider architecture, can produce digital signatures through Secure App Service in the same remote-key fashion.
