The CI/CD method of high volume and frequent deployments is a cornerstone of agile teams and efficient software delivery life cycles. However, automated pipelines can put a company at risk of debilitating cyber attacks. Despite code signing being automated in some form, the protection of private keys and signing certificates is usually done manually, which then exposes a company to predatory cybercriminals.
Practices such as sharing of private keys puts the pipeline at risk to hackers. A leak in the pipeline can lead to delayed production, financial loss, and compromised products and services.
Recall that the 2020 major supply-chain attack against SolarWinds’ Orion IT monitoring software and many of its clients in government was due to its software build platform being infiltrated and malware injected in its pipeline.
SSL.com’s eSigner cloud code signing service protects your private keys and signing credentials while enabling easy integration with CI/CD services and automated signing , all while keeping your CI/CD pipeline well-oiled.
Enhance Your Pipeline With SSL.com Automated Cloud Code Signing
With SSL.com’s eSigner-based automated code signing, the entire length of your CI/CD pipeline can be secured. Even with an asynchronous work setup, your team of engineers can have the assurance that the software pieces they are sharing with each other are authentic and free of unauthorized changes.
The best feature of our code signing service is that we provide automated authentication with speed and scalability. You no longer have to suffer with a manual-based sign-in authorization or code signing operation which stagnates your software build. No more worries about shared private keys at risk of being compromised. No more worrying about external hardware such as USB tokens for Extended Validation code signing certificates. No more delays in production. You will have an unclogged pipeline that delivers on schedule.
eSigner: Code Signing as a Service
eSigner Automation Platforms
The eSigner toolkit has two signing platforms that offer solutions for code signing automation.
CodeSignTool: CodeSignTool is a command-line utility for EV code signing certificates that can be used across various platforms, including Windows, macOS, and Linux. It is especially useful for signing sensitive files since only the hashes of the files are sent to SSL.com for signing, instead of the code itself. CodeSignTool is also ideal for creating automated processes, such as the signing of multiple files in batches or Continuous Integration/Continuous Delivery (CI/CD) pipeline workflows. For more details regarding supported commands, options, and parameters for CodeSignTool, please refer to our article, eSigner CodeSignTool Command Guide. And for a guide on how to use CodeSignTool to sign objects without being prompted for manual OTP entry for each file, please read our guide article, Automate eSigner EV Code Signing.
APIs: Through eSigner CSC API, SSL.com’s enterprise customers can access the same Cloud Signing Consortium (CSC) and Code Signing APIs that power CodeSignTool for the development of their own front-end code signing apps. To know how to use our API, please read our article, eSigner API and eSigner Express for Cloud Document and EV Code Signing.
Secure your files
Our automated code signing is based on an API that is a RESTful service. If a company wants to have thousands of software pieces signed in an automated way, you can write a script that can call our Code Signing API. This requires only the hash of the file to be sent over the wire ensuring that the full file does not leave your network premises. SSL.com’s eSigner supports both Extended Validation (EV) and Organization Validation (OV).
Our eSigner-based automated code signing secures various software development workspaces including multiple automation servers (Jenkins, Github Actions, Gitlab CI, Circle CI, and Travis CI) and programming languages.
Build smoothly
With a hash-based automated code signing, your CI/CD work flows can achieve both speed and security. SSL.com’s eSigner enables you to sign vast amounts of software volume, leading to quicker delivery to customers.
Experience well-managed signings
Automated code signing with eSigner avoids errors such as private keys not being secured by your engineers when building their automation scripts.
With SSL.com’s eSigner-powered automated code signing, you can allot signing and management roles to specific employees. You will know who the code signer was and when the signing was performed. At any point in time, you can control or change signing privileges.
Using eSigner, secure code signing can be implemented throughout your entire pipeline, from start to finish. This protects you from supply chain attacks that have been observed as caused by malware being injected by hackers at the earlier phases of an insecure software build.
eSigner CKA (Cloud Key Adapter)
SSL.com’s eSigner CKA is a Microsoft Crypto Next Generation (CNG) plugin that allows Windows tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for code signing operations.
eSiger CKA supports automated EV code signing added for CI/CD environments. This enhances the security of the DevOps pipeline by ensuring that the software components being shared by engineers are authenticated with an SSL.com EV Code Signing certificate. Hackers are therefore prevented from compromising your software build process because a malicious file that they attempt to inject will be identified as not having been signed with eSigner CKA. Even if your engineers work on differing schedules and locations, they can be assured that the piece of software they share with one another on your CI/CD platform is legitimate.
To find out how to install and use eSigner CKA, head over to our article: How to Automate EV Code Signing With Signtool.exe or Certutil.exe Using eSigner CKA (Cloud Key Adapter).
Specific CI/CD Service Integration Guides
eSigner Cloud Code Signing can be integrated into almost any CI/CD service. Below are specific guides for a few of the most popular services using tools mentioned above.
- Cloud Code Signing Integration with CircleCI
- Cloud Code Signing Integration with GitHub Actions
- Cloud Code Signing Integration with GitLab CI
- Cloud Code Signing Integration with Travis CI
- Cloud Code Signing Integration with Jenkins CI
- Cloud Code Signing Integration with Azure DevOps
- Cloud Code Signing Integration with BitBucket
For Github users who need a library for integrating EV Code Signing eSigner with GitHub Actions CI/CD so that they can use eSigner code signing in their automated release process, click this link to access useful resources.
Summary
Automated code signing with SSL.com’s eSigner provides a protected and centrally-managed environment for securing your software components, private keys, credentials, and signing records. Because eSigner can seamlessly be integrated with the top CI/CD services, software engineers and managers can focus more on their primary role of developing programs without having to worry about code compromise. eSigner’s advantageous features can be summed up in the following points:
- A dynamic interface allows integration with various CI/CD services.
- Software components in every stage of the CI/CD pipeline can be signed and secured.
- All code signing activities in the pipeline can be automated.
- Cloud signing allows for a convenient approach to enterprise code signing
For information on an eSigner subscription and code signing certificates, including high-volume and custom solutions, please reach out to sales@ssl.com or fill out the form below.
