Cloud Code Signing Integration with GitHub Actions

SSL Support Team

2 years ago

This guide article demonstrates how eSigner is integrated with GitHub Actions for automated code signing in a Continuous Integration/Continuous Delivery (CI/CD) setup. eSigner is our cloud-based signing platform that is trusted by software developers all over the world to conduct enterprise code signing without the need for USB tokens or other specialized hardware. One of eSigner’s components is CodeSignTool: a privacy-driven command line utility that is highly effective for developers who want to automate code signing. The following sections demonstrate how you can sign a Java code (Maven) on GitHub Actions using eSigner CodeSignTool.

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

Usage

– name: Sign Artifact with CodeSignTool

uses: sslcom/actions-codesigner@develop

with:

CodeSignTool Commands:

– get_credential_ids: Output the list of eSigner credential IDs associated with a user.

– credential_info: Output key and certificate information related to a credential ID.

– sign: Sign and timestamp code object.

– batch_sign: Sign and timestamp multiple code objects with one OTP.

– hash: Pre-compute hash(es) for later use with batch_hash_sign command.

– batch_sign_hash: Sign hash(es) pre-computed with hash command.

command: sign

SSL.com account username.

username: ${{secrets.ES_USERNAME}}

SSL.com account password.

password: ${{secrets.ES_PASSWORD}}

Credential ID for signing certificate.

credential_id: ${{secrets.CREDENTIAL_ID}}

OAuth TOTP Secret (https://www.ssl.com/how-to/automate-esigner-ev-code-signing)

totp_secret: ${{secrets.ES_TOTP_SECRET}}

Path of code object to be signed.

file_path: ${GITHUB_WORKSPACE}/test/src/build/HelloWorld.jar

Directory where signed code object(s) will be written.

output_path: ${GITHUB_WORKSPACE}/artifacts

Inputs

username: SSL.com account username. (Required)
password: SSL.com account password (Required)
credential_id: Credential ID for signing certificate. If credential_id is omitted and the user has only one eSigner code signing certificate, CodeSignTool will default to that. If the user has more than one code signing certificate, this parameter is mandatory. (Required)
totp_secret: OAuth TOTP Secret. You can access detailed information on https://www.ssl.com/how-to/automate-esigner-ev-code-signing (Required)
file_path: Path of code object to be signed. (Required)
output_path: Directory where signed code object(s) will be written. If output_path is omitted, the file specified in -file_path will be overwritten with the signed file.

Go to top

Java Code (Maven) JAR Signing Example Workflow

Prepare the components of the workflow

Create a Github folder on your editor. Include workflows with the folder and create a yml file under the folder.
1. Name your project and the type of workflow involved
```
Name: Maven Build and Sign
```
1. Trigger this workflow on a push
```
on: push
```
1. Create an environment variable
- Environment variables are used to make the samples more readable. In the screenshot above of the example workflow, the PROJECT_NAME, PROJECT_VERSION, and MAVEN_VERSION were optionally omitted. Signing can still proceed even with these omissions.
```
env:

  PROJECT_NAME: HelloWorld

  PROJECT_VERSION: 0.0.1

  MAVEN_VERSION: 3.8.5

  JAVA_VERSION: 17
```
1. Define the jobs on your editor
```
jobs:

  build-and-sign-jar:
```
1. Run job on Ubuntu Runner
```
    runs-on: ubuntu-latest
```
1. Create a name. When the workflow runs, this is the name that is logged.
```
  name: CodeSigner on Java with Maven
```

Outline the steps for checking out the source code, setting up the Java and Maven environment, and creating Artifact Directory.

1) Check out the source code so that the workflow can access it.

   steps:

- uses: actions/checkout@v2

2) Set up the Java and Maven environment for the workflow to use.

    - name: Install Maven and Java

        uses: s4u/setup-maven-action@v1.3.1

        with:

          java-version: '${{env.JAVA_VERSION}}'

          maven-version: '${{env.MAVEN_VERSION}}'

3) Create Artifact Directory to store signed and unsigned artifact files

 - name: Create Directory

        shell: bash

        run: |

          mkdir ${GITHUB_WORKSPACE}/artifacts

          mkdir ${GITHUB_WORKSPACE}/packages

4) Build a maven project or solution and all of its dependencies.

After the jar file has been created, copy to ‘packages’ folder for signing

In this written signing example workflow, multiple project types were created. This is why files of different project types were kept by creating subfolders. A subfolder named ‘java’ was created for Java projects. In the demo screenshot above, there was no need to create a subfolder named ‘java’ so this was not included in the script.

 - name: Build Java Project

        shell: bash

        run: |

          mvn clean install -f java/pom.xml

          cp java/target/${{env.PROJECT_NAME}}-${{env.PROJECT_VERSION}}.jar ${GITHUB_WORKSPACE}/packages/${{env.PROJECT_NAME}}.jar

Outline the steps for the Sign and Upload jobs

The Sign job is the step where the created JAR (artifact) files will be signed with CodeSignTool.

 - name: Sign Artifact

        uses: sslcom/actions-codesigner@develop

        with:

Sign and timestamp code object.

command: sign

SSL.com account username.

username: ${{secrets.ES_USERNAME}}

SSL.com account password.

password: ${{secrets.ES_PASSWORD}}

Credential ID for signing certificate.

credential_id: ${{secrets.CREDENTIAL_ID}}

OAuth TOTP Secret (https://www.ssl.com/how-to/automate-esigner-ev-code-signing)

totp_secret: ${{secrets.ES_TOTP_SECRET}}

Path of code object to be signed. (DLL, JAR, EXE, MSI files vb… )

  file_path: ${GITHUB_WORKSPACE}/packages/${{env.PROJECT_NAME}}.jar

Directory where signed code object(s) will be written.

output_path: ${GITHUB_WORKSPACE}/artifacts

The upload job is the step where artifacts from your workflow will be uploaded allowing you to share data between jobs and store data once a workflow is complete

 - name: Upload Signed Files

        uses: actions/upload-artifact@v2

        with:

          name: ${{env.PROJECT_NAME}}.jar

          path: ./artifacts/${{env.PROJECT_NAME}}.jar

Get a build artifact uploader from Github Marketplace

Review your coding script

Over-all the coding script for the buld, sign, and upload jobs should look like the image below. Make sure to correct any errors such as wrong spelling or erroneous line breaks in the script so that the signing process will run smoothly.

ORDER NOW

Define your Environment Variables

Go to the location of your project on your Github account. Click the Actions tab. Click the New repository secret button to place the values for each environment variable required in signing your code.

Create a new repository on the command line

Proceed to the location of your project on Github and copy each component of the push command.

Push the project

Include each push command line in your code editor. Upon completion, the code will be automatically pushed on Github.

Wait for the artifact to be signed with eSigner CodeSignTool

Upload the signed file

Click on the signed file to upload it.

Note: Make sure to correct typographical errors or erroneous line breaks in the script so that the signing process will run smoothly.

Sample Github Actions Pipeline

Check out the sample Github Actions pipeline we have created on github.com/SSLcom/codesigner-github-sample

Other CI/CD Remote Signing Integration Guides

Go to top

Need Custom Solutions?

With our expert knowledge and five-star support staff, we’re ready and willing to work with you on custom solutions or enterprise-level high-volume signing discounts. Fill out the form below and we’ll be in touch.