How To Integrate Jenkins with SignServer for Automated Code Signing

Introduction

This guide demonstrates an integration between SignServer and Jenkins for automated code signing in a CI/CD Pipeline.

When code is changed in the Git repository of the Java project, the Jenkins Pipeline will automatically build and test the Java project, and then digitally sign the resulting artifact with standard Java code .jar file signing. The signature operation is performed by a remote SignServer instance, where the code signing keys are securely stored and the signing operation is audit logged.

The integration includes the following:

  • Using the SignServer JArchive CMS Signer for JAR signing.
  • Using a Jenkinsfile for Pipeline configuration.
  • A simple Java/Maven project in a Git repository.
  • Running a Jenkins Pipeline, building and delivering the app.
    Once the process is completed, the script output shows the call to the SignServer SignClient and displays that the file is successfully signed using SignServer.
  • Using Client Certificate Authentication to authorize Jenkins to sign files in SignServer.

The integration guide makes some simplifications regarding as CA structure, profiles and authorized certificates, etc. These can be configured in multiple ways matching most policies and procedures.

Compliance

You may have compliance requirements for issuing code signing certificates - check with your product and compliance teams for code signing certificate compliance.

A good practice is to issue code signing certificates compliant with the Baseline Requirements for Code Signing Certificates from the CA/Browser Forum (CA/B Forum). Note that certificate policy identifiers and other extensions specified by the CA/B Forum guidelines are excluded from this guide for simplicity.

A typical compliance requirement is to have separate CAs for code signing. This is easy to achieve in EJBCA which allows managing an unlimited number of CAs in a single instance but is not demonstrated in this guide for simplicity.