Cloud Code Signing Integration with Jenkins CI

This is a guide on how to do automated code signing on Jenkins with the use of eSigner CodeSignTool.

CodeSignTool is a command line utility that is suitable for high volume signings and seamlessly integrates with various CI/CD platforms. It forms part of eSigner: our remote signing service that offers an efficient, secure, and user-friendly approach to enterprise code signing.

SSL.com’s EV Code Signing Certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year.

BUY YOUR SSL.COM EV CODE SIGNING CERTIFICATE

Create a Jenkins file and define the pipeline on your code editor

pipeline {

    agent any


    options {

        buildDiscarder(logRotator(numToKeepStr: "5"))

        disableConcurrentBuilds()

    }

Set the .NET tool on your code editor by configuring Jenkins

Click the Manage Jenkins tab on your Jenkins dashboard.

Scroll down the page and click Global Tool Configuration.

Scroll down and click .NET SDK Installations.

Copy the value for .NET SDK and paste it on your code editor.

tools {

        dotnetsdk "DOTNET_CORE_3.1.24"  

    }

Go to plugins.jenkins.io and install the .NET SDK plugin

Under Manage Jenkins on your Dashboard, check Manage Plugins to confirm if the .NET SDK plugin has been installed.

After confirming that the plugin has been installed, go back to .NET SDK INSTALLATIONS and make sure the correct version and release details of the .NET SDK plugin are set. Proceed to click the Save button.

Set the Environment Variables on your code editor

environment {

        USERNAME          = credentials('es-username')       // SSL.com account username.

        PASSWORD          = credentials('es-password')       // SSL.com account password.

        CREDENTIAL_ID     = credentials('es-crendential-id') // Credential ID for signing certificate.

        TOTP_SECRET       = credentials('es-totp-secret')    // OAuth TOTP Secret (https://www.ssl.com/how-to/automate-esigner-ev-code-signing)   

        ENVIRONMENT_NAME  = 'PROD'                           // SSL.com Environment Name. For Demo Account It can be 'TEST' otherwise it will be 'PROD'

    }

You will find the values for each variable on your Jenkins dashboard under Security > Manage Credentials.

 

Set the stages for creating artifacts directory, pulling docker image, building .NET, and code signing the artifact

 

        1) Create Artifact Directory for store signed and unsigned artifact files.
 stage('Create artifacts directory') {

            steps {

                sh 'mkdir ${WORKSPACE}/artifacts'

                sh 'mkdir ${WORKSPACE}/packages'

            }

        }
        2) Pull Codesigner Docker Image From Github Registry.
stage('Docker Pull Image') {

            steps {

                sh 'docker pull ghcr.io/sslcom/codesigner:latest'

            }

        }
        3) Build a dotnet project or solution and all of its dependencies. After the dll or exe file has been created, copy to ‘packages’ folder for signing.
stage('Build Dotnet') {

            steps {

                sh 'dotnet build dotnet/HelloWorld.csproj -c Release'

                sh 'cp dotnet/bin/Release/netcoreapp3.1/HelloWorld-0.0.1.dll ${WORKSPACE}/packages/HelloWorld.dll'

            }

        }
        4) This is the step where the created DLL (artifact) files will be signed with CodeSignTool.
stage('Sign and Save Dotnet Core DLL Artifact') {

            steps {

                sh 'docker run -i --rm --dns 8.8.8.8 --network host --volume ${WORKSPACE}/packages:/codesign/examples --volume ${WORKSPACE}/artifacts:/codesign/output 

                    -e USERNAME=${USERNAME} -e PASSWORD=${PASSWORD} -e CREDENTIAL_ID=${CREDENTIAL_ID} -e TOTP_SECRET=${TOTP_SECRET} -e ENVIRONMENT_NAME=${ENVIRONMENT_NAME} 

                    ghcr.io/sslcom/codesigner:latest sign -input_file_path=/codesign/examples/HelloWorld.dll -output_dir_path=/codesign/output'

            }

            post {

                always {

                    archiveArtifacts artifacts: "artifacts/HelloWorld.dll", onlyIfSuccessful: true

                }

            }

        }

    }

}

SSL.com’s EV Code Signing Certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year.

BUY YOUR SSL.COM EV CODE SIGNING CERTIFICATE

Create a Github repo

Copy each of the push command components on Github.

Write the commands at a new terminal on your code editor to push the code.

After pushing the code, go to your Github account and copy the URL link of your project.

Proceed to your Jenkins account and click the Create a job link.

Choose Multibranch Pipeline, set the name for your project, and click the OK button.

Under Branch Sources, select Git and paste the URL link of your Github project.

Scroll down to Scan Multibranch Pipeline Triggers. Check the box for Periodically if not otherwise run. You can select 2 minutes.

Click the Save button.

Go back to your Jenkins account, click on your project, and confirm if the pipeline has started

Click on your Jenkins project and select Scan Multibranch Pipeline Now on the Dashboard.

Click Console Output

Scroll down and check if code signing is successful

Entire Script

Note: Make sure to correct typographical errors or erroneous line breaks in the script so that the signing process will run smoothly.

Define the pipeline

pipeline {

    agent any


    options {

        buildDiscarder(logRotator(numToKeepStr: "5"))

        disableConcurrentBuilds()

    }

Install Build Tools

tools {

        dotnetsdk "DOTNET_CORE_3.1.24"  //https://plugins.jenkins.io/dotnet-sdk

    }

Create an environment variable

environment {

        USERNAME          = credentials('es-username')       // SSL.com account username.

        PASSWORD          = credentials('es-password')       // SSL.com account password.

        CREDENTIAL_ID     = credentials('es-crendential-id') // Credential ID for signing certificate.

        TOTP_SECRET       = credentials('es-totp-secret')    // OAuth TOTP Secret (https://www.ssl.com/how-to/automate-esigner-ev-code-signing)

        ENVIRONMENT_NAME  = 'PROD'                           // SSL.com Environment Name. For Demo Account It can be 'TEST' otherwise it will be 'PROD'

    }

Script for the Build and Sign Stages

stages {

        // 1) Create Artifact Directory for store signed and unsigned artifact files

        stage('Create artifacts directory') {

            steps {

                sh 'mkdir ${WORKSPACE}/artifacts'

                sh 'mkdir ${WORKSPACE}/packages'

            }

        }


        // 2) Pull Codesigner Docker Image From Github Registry

        stage('Docker Pull Image') {

            steps {

                sh 'docker pull ghcr.io/sslcom/codesigner:latest'

            }

        }


        // 3) Build a dotnet project or solution and all of its dependencies.

        //    After it has been created dll or exe file, copy to 'packages' folder for signing

        stage('Build Dotnet') {

            steps {

                sh 'dotnet build dotnet/HelloWorld.csproj -c Release'

                sh 'cp dotnet/bin/Release/netcoreapp3.1/HelloWorld-0.0.1.dll ${WORKSPACE}/packages/HelloWorld.dll'

            }

        }


        // 4) This is the step where the created DLL (artifact) files will be signed with CodeSignTool.

        stage('Sign and Save Dotnet Core DLL Artifact') {

            steps {

                sh 'docker run -i --rm --dns 8.8.8.8 --network host --volume ${WORKSPACE}/packages:/codesign/examples --volume ${WORKSPACE}/artifacts:/codesign/output

                    -e USERNAME=${USERNAME} -e PASSWORD=${PASSWORD} -e CREDENTIAL_ID=${CREDENTIAL_ID} -e TOTP_SECRET=${TOTP_SECRET} -e ENVIRONMENT_NAME=${ENVIRONMENT_NAME}

                    ghcr.io/sslcom/codesigner:latest sign -input_file_path=/codesign/examples/HelloWorld.dll -output_dir_path=/codesign/output'

            }

            post {

                always {

                    archiveArtifacts artifacts: "artifacts/HelloWorld.dll", onlyIfSuccessful: true

                }

            }

        }

    }

}
You can refer to the SSL.com Github repository which contains the source codes of the docker image and describes how to use it: https://github.com/SSLcom/ci-images 

Sample Jenkins Pipeline

Check out the sample Jenkins pipeline we have created on github.com/SSLcom/codesigner-jenkins-sample

Other Remote Signing Integration Guides

Need Custom Solutions? 

With our expert knowledge and five-star support staff, we’re ready and willing to work with you on custom solutions or enterprise-level high-volume signing discounts. Fill out the form below and we’ll be in touch.

Subscribe To SSL.com’s Newsletter

Don’t miss new articles and updates from SSL.com

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.