SSL.com

Cloud Code Signing Integration with Travis CI

This article shows how to perform automated code signing on Travis CI by integrating eSigner CodeSignTool into your pipeline. eSigner is our remote code signing platform; it provides the same level of security as USB tokens and networked HSMs in a more efficient and intuitive manner. Part of the eSigner toolkit is CodeSignTool, a secure command line utility designed for enterprise code signing in CI/CD environments, including Travis CI.
SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

Environment Variables

The CodeSigner container reads these from the job environment; the pipeline below passes them in with docker's -e option. The four credential values belong in Travis repository settings, not in .travis.yml.

- USERNAME: SSL.com account username
- PASSWORD: SSL.com account password
- CREDENTIAL_ID: credential ID of the code signing certificate in eSigner
- TOTP_SECRET: eSigner TOTP secret used to generate the one-time passcode
- ENVIRONMENT_NAME: TEST for the eSigner sandbox, PROD for production signing

Inputs

- sign: the CodeSignTool command the container runs (the COMMAND variable in the sign job)
- -input_file_path: path of the file to sign, as seen inside the container
- -output_dir_path: directory inside the container where the signed file is written

Java Code (Maven) JAR Signing Example Workflow

Create a project

In the project root, create the Travis configuration file, .travis.yml

Define the components of the workflow

  1. Set the CPU architecture the job runs on

arch: amd64

  2. Set the default language for the job

language: java

  3. Specify the operating system the job runs on

os: linux

  4. Select the Ubuntu distribution (Travis's bionic image)

dist: bionic

  5. Define environment variables globally. A job-level env block overrides the global values. ENVIRONMENT_NAME=TEST targets the eSigner sandbox; switch it to PROD for production signing.

env:

  global:

    - PROJECT_NAME="HelloWorld"

    - PROJECT_VERSION="0.0.1"

    - TERM=dumb

    - ENVIRONMENT_NAME="TEST"

  6. Specify the order of the stages. All jobs in one stage must finish before the next stage starts.

stages:

  - build

  - sign

Outline the build stage

jobs:

  include:

    - stage: build

  1. The job name

      name: build-maven

  2. The Ubuntu distribution to use

      dist: bionic

  3. Enable the Docker service (the build job itself never calls docker; only the sign job does, so this line is harmless but optional here)

      services:

        - docker

  4. Use Java as the job language

      language: java

  5. JDK used to build the project

      jdk:

        - oraclejdk17

  6. Cache the local Maven repository to speed up later builds

      cache:

        directories:

          - $HOME/.m2

  7. Before the build, create the artifact directories and set the Maven options

      before_script:

        # Create directories for artifacts

        - mkdir -p ${TRAVIS_BUILD_DIR}/artifacts

        - mkdir -p ${TRAVIS_BUILD_DIR}/packages

        # Set Maven build options

        - export MAVEN_CLI_OPTS="--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"

  8. Build the project and copy the JAR to the packages directory

      script:

        # Build Maven project with Maven Options

        - mvn $MAVEN_CLI_OPTS clean install -f java/pom.xml

        # Copy built artifacts to artifacts directory

        - cp java/target/${PROJECT_NAME}-${PROJECT_VERSION}.jar ${TRAVIS_BUILD_DIR}/packages/${PROJECT_NAME}.jar

  9. Declare a workspace so the JAR built here is attached to the job on success and available to the sign stage

      workspaces:

        create:

          name: maven-jar-artifacts

          paths:

            # Save artifact in order to use it in the signing job

            - ${TRAVIS_BUILD_DIR}/packages/${PROJECT_NAME}.jar

Outline the sign stage

    - stage: sign

  1. The job name

      name: sign-jar-file

  2. The Ubuntu distribution to use

      dist: bionic

  3. Enable the Docker service; the signing step runs the CodeSigner container

      services:

        - docker

  4. Define environment variables for this job only

      env:

        COMMAND="sign"

  5. Use Java as the job language

      language: java

  6. JDK for the job

      jdk:

        - oraclejdk17

  7. Create the input and output directories before signing

      before_script:

        # Create directories for artifacts

        - mkdir -p ${TRAVIS_BUILD_DIR}/artifacts

        - mkdir -p ${TRAVIS_BUILD_DIR}/packages

  8. Pull the CodeSigner image and sign the JAR. USERNAME, PASSWORD, CREDENTIAL_ID and TOTP_SECRET come from the repository's Travis environment variables (see Define the Environment Variables below) and must never be written into .travis.yml. The docker run line is one YAML plain scalar: the indented continuation lines fold into a single command, so do not put blank lines between them. Pulling the latest tag means the image can change between builds; once the pipeline works, pin a specific tag or digest.

      script:

        # Docker Pull CodeSigner Docker Image

        - docker pull ghcr.io/sslcom/codesigner:latest

        # Sign artifact with CodeSigner Docker image

        - docker run -i --rm --dns 8.8.8.8 --network host --volume ${TRAVIS_BUILD_DIR}/packages:/codesign/examples
          --volume ${TRAVIS_BUILD_DIR}/artifacts:/codesign/output
          -e USERNAME=${USERNAME} -e PASSWORD=${PASSWORD} -e CREDENTIAL_ID=${CREDENTIAL_ID} -e TOTP_SECRET=${TOTP_SECRET}
          -e ENVIRONMENT_NAME=${ENVIRONMENT_NAME} ghcr.io/sslcom/codesigner:latest ${COMMAND}
          -input_file_path=/codesign/examples/${PROJECT_NAME}.jar -output_dir_path=/codesign/output

  9. Use the workspace from the build stage and publish the signed JAR in a new one

      workspaces:

        use:

          - maven-jar-artifacts

        create:

          name: signed-jar-file

          paths:

            # Save signed artifact

            - ${TRAVIS_BUILD_DIR}/artifacts/${PROJECT_NAME}.jar
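The docker run step above writes each secret onto the command line (-e PASSWORD=${PASSWORD}), so the values show up in the shell's process arguments and in any set -x trace. Docker also accepts a bare -e NAME, in which case it copies the value from the client's own environment and the value never appears in argv. The script below, an added example rather than code from SSL.com or the ci-images project, builds the same command that way, refuses to run when a credential is missing or ENVIRONMENT_NAME is not TEST or PROD, and includes a check that compares the two forms. The helper names and the SAMPLE_ENV credentials are constructed for the example; the image name, mount points and CodeSignTool arguments are those of the pipeline.

```python
"""Compose the CodeSignTool `docker run` step from the sign stage so that
eSigner secrets are inherited from the environment rather than spelled out
on the command line. Added example; helper names are not from the page."""
import os
import subprocess
import sys

IMAGE = "ghcr.io/sslcom/codesigner:latest"
SECRET_VARS = ("USERNAME", "PASSWORD", "CREDENTIAL_ID", "TOTP_SECRET")
ENVIRONMENTS = ("TEST", "PROD")  # eSigner sandbox vs production


def missing_secrets(env):
    """Names of required eSigner variables that are unset or empty."""
    return [name for name in SECRET_VARS if not env.get(name)]


def build_sign_command(env, input_file, output_dir, inline_secrets=False, command="sign"):
    """Return the docker argv list.

    With inline_secrets=False each secret is passed as a bare `-e NAME`; docker
    then copies the value from the client's environment, so it is absent from
    argv (ps, `set -x` traces, build log).  inline_secrets=True reproduces the
    page's `-e NAME=value` form for comparison."""
    missing = missing_secrets(env)
    if missing:
        raise ValueError("missing eSigner secrets: " + ", ".join(missing))
    environment = env.get("ENVIRONMENT_NAME", "TEST")
    if environment not in ENVIRONMENTS:
        raise ValueError(f"ENVIRONMENT_NAME must be one of {ENVIRONMENTS}, got {environment!r}")
    input_dir, input_name = os.path.split(os.path.abspath(input_file))
    argv = ["docker", "run", "-i", "--rm", "--dns", "8.8.8.8", "--network", "host",
            "--volume", f"{input_dir}:/codesign/examples",
            "--volume", f"{os.path.abspath(output_dir)}:/codesign/output"]
    for name in SECRET_VARS:
        argv += ["-e", f"{name}={env[name]}" if inline_secrets else name]
    argv += ["-e", f"ENVIRONMENT_NAME={environment}", IMAGE, command,
             f"-input_file_path=/codesign/examples/{input_name}",
             "-output_dir_path=/codesign/output"]
    return argv


def argv_leaks_secret(argv, env):
    """True if any secret value is visible verbatim in the argument list."""
    return any(env[name] in arg for name in SECRET_VARS for arg in argv)


# Constructed sample credentials for the example; no real account is involved.
SAMPLE_ENV = {"USERNAME": "ci-user@example.com", "PASSWORD": "Sample-Pass-1",
              "CREDENTIAL_ID": "00000000-0000-0000-0000-000000000000",
              "TOTP_SECRET": "SAMPLETOTPSECRET", "ENVIRONMENT_NAME": "TEST"}


def main(argv):
    if len(argv) != 3:
        print("usage: sign_jar.py <input.jar> <output_dir>", file=sys.stderr)
        return 2
    cmd = build_sign_command(os.environ, argv[1], argv[2])
    # Pass the whole environment through: docker resolves the bare -e names from it.
    return subprocess.run(cmd, env=os.environ, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Either form ends up in the container's environment (and is visible through docker inspect on that host while the container exists); the gain is only that the value is not on the command line. Travis masks secure variables in the build log, but a set -x trace or a crash dump of the shell is not covered by that masking.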


Define the Environment Variables

Go to the repository on Travis and click the Settings button (under More options)

Add the value for each variable

Scroll down to the Environment Variables section and, for USERNAME, PASSWORD, CREDENTIAL_ID and TOTP_SECRET, enter the name and value and click Add. Leave "Display value in build log" switched off so Travis keeps the values out of the log. By default Travis also withholds these variables from pull-request builds coming from forks, which is what you want for signing credentials: a fork should not be able to sign with your certificate.

Create a GitHub repo

Look for the push commands on GitHub

Run the push commands from a terminal in your editor to push the project, including .travis.yml

Wait for the build job to complete

On Travis, the build job starts automatically after you push the code.

Follow the code signing stage

When every job in the build stage has finished, the sign stage starts. Click the sign job to follow CodeSignTool's output.

Wait for the job's virtual machine to finish booting

Confirm that code signing succeeded

The sign job log ends with CodeSignTool's result, and the signed JAR is kept in the signed-jar-file workspace at ${TRAVIS_BUILD_DIR}/artifacts/${PROJECT_NAME}.jar. A green job is not the same as a verified signature; check the output file as well.
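A cheap check to run on ${TRAVIS_BUILD_DIR}/artifacts/${PROJECT_NAME}.jar after the sign job is to confirm that signing actually added the META-INF signature entries and that the per-entry digests in MANIFEST.MF still match the JAR contents. The script below is an added example, not code from SSL.com or CodeSignTool; it parses the manifest (including the wrapped continuation lines), reports missing signature files, digest mismatches and entries the manifest does not cover, and builds a constructed one-class JAR with placeholder CODESIGN.SF/CODESIGN.RSA entries so it can be run offline. It does not verify the signature or the certificate chain; jarsigner -verify -certs is the authoritative check, and this script is the smoke test you run before it.

```python
"""Structural check of a signed JAR, an added smoke test for the sign stage.
Confirms that META-INF/*.SF and a signature block (*.RSA, *.DSA or *.EC)
exist and that every SHA-256-Digest in META-INF/MANIFEST.MF matches the entry
bytes. It does not verify the signature itself; run `jarsigner -verify` for that."""
import base64
import hashlib
import io
import sys
import zipfile

SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Split a manifest into (main section, {Name: attributes}). A line
    starting with one space continues the previous attribute (72-byte wrap)."""
    sections, current, last_key = [], {}, None
    for line in text.splitlines():
        if line == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:
            current[last_key] += line[1:]
        else:
            key, _, value = line.partition(": ")
            current[key] = value
            last_key = key
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_signed_jar(jar_bytes):
    """Return findings for the JAR; findings['ok'] is the overall verdict."""
    findings = {"signature_files": [], "signature_blocks": [],
                "digest_mismatches": [], "unlisted_entries": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        for n in names:
            u = n.upper()
            if u.startswith("META-INF/") and u.endswith(".SF"):
                findings["signature_files"].append(n)
            elif u.startswith("META-INF/") and u.endswith(SIG_BLOCK_SUFFIXES):
                findings["signature_blocks"].append(n)
        try:
            _, named = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        except KeyError:  # no manifest at all
            named = {}
        for name, attrs in named.items():
            digest = attrs.get("SHA-256-Digest")
            if digest is not None and name in names and b64_sha256(zf.read(name)) != digest:
                findings["digest_mismatches"].append(name)
        for n in names:  # every real entry must be covered by a manifest digest
            if not n.endswith("/") and not n.upper().startswith("META-INF/") and n not in named:
                findings["unlisted_entries"].append(n)
    findings["ok"] = (bool(findings["signature_files"]) and bool(findings["signature_blocks"])
                      and not findings["digest_mismatches"] and not findings["unlisted_entries"])
    return findings


def make_sample_jar(signed=True, tamper=False):
    """Constructed sample: a one-class JAR. signed=True adds manifest digests
    plus placeholder CODESIGN.SF/CODESIGN.RSA entries (not a real signature);
    tamper=True alters the class after the digest was recorded."""
    entries = {"HelloWorld.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x3d" + b"\x00" * 16}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    if signed:
        for name, data in entries.items():
            manifest += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    if tamper:
        entries["HelloWorld.class"] += b"\x90"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/CODESIGN.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/CODESIGN.RSA", b"\x30\x82")  # placeholder DER prefix only
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_jar()
    result = check_signed_jar(data)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it as python3 check_jar.py artifacts/HelloWorld.jar in a step after the docker run, or with no argument to exercise the built-in sample. A non-zero exit fails the sign job, which is the behaviour you want when the container exited cleanly but produced an unsigned or modified file.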

The SSL.com GitHub repository contains the source code of the Docker image and describes how to use it: https://github.com/SSLcom/ci-images

Sample Travis CI Pipeline

Check out the sample Travis CI pipeline we have created on github.com/SSLcom/codesigner-travisci-sample
