Best Practices for Continuous Signing in CI/CD Pipelines

Written by Renato Ivanescu · June 27th, 2024 · 8min read

Nowadays, in the digital era, with the rising number of cyberattacks, it’s crucial to keep applications secure.

One solution to address this challenge is through implementing code signing into the development process. The signing process helps organizations guarantee that all software releases are secured and verified.

This article covers:

  • Importance, risks, and process of continuous signing in CI/CD
  • Code signing certificates and certificate options (Standard, EV, Cloud-based, Self-signed)
  • Integration tools and platforms (Azure DevOps, GitHub Actions, Jenkins, DigiCert Software Trust Manager, SSL.com’s eSigner, Azure Trusted Signing)
  • Best practices and recommendations for security and efficiency

What is Continuous Signing in CI/CD?

Continuous signing is the automated process of digitally signing software artifacts within the CI/CD pipeline. It guarantees that only trusted components are deployed to production, securing the software against potential threads.

What Are the Risks of Not Implementing Continuous Signing?

Failing to implement continuous signing in your CI/CD pipeline can expose your software and organization to risk. Here are the main concerns:

  • Unauthorized modifications to the codebase can go unnoticed. If third-party components or dependencies are compromised by attackers, malicious code could be executed within your environment. Continuous signing ensures that any change to the codebase is flagged and reviewed.
  • Users and security systems cannot verify the origin of your software. As a result, the software will be flagged as untrustworthy, affecting its reputation.
  • Delays in responding to security incidents due to the absence of audit logs. Without audit logs, tracing the origin of a security issue becomes challenging.

How Does Continuous Signing Work?

A CI/CD pipeline automates the building, testing, and deployment of software.

When continuous signing is integrated into the pipeline, an automatic signing process is triggered at every change to the codebase. The code is then automatically signed using a digital signature.

Here is how a continuous signing process works step-by-step:

1. The system detects any change made to the codebase.

2. Once a change is detected, the automated signing process starts.

3. A digital signature is generated using a private key. The key must be securely managed.

4. The digital signature is applied to the code or its compiled artifact.

continuous signing process works step-by-step

NoteSigning can occur at different stages, depending on the application.
For most applications, signing happens after the code is compiled to ensure the final artifact is verified. This is typical for desktop applications or mobile apps.
However, there are scenarios for pre-compilation signing, such as signing configuration files or scripts used in the build process. This is common for web apps, where files like CSS or JavaScript need to be signed.

5. Verify the digital signature and ensure the code has not been altered since the signature was applied.

6. Once the code has passed all verifications, deploy the code to production.

Now, having a clear understanding of how continuous signing works, let’s delve deeper into the foundation of this process: code signing certificates.

Code Signing Certificates

Code signing is a specific type of digital signing.

But what is digital signing?

Digital signing refers to cryptographic methods used to ensure the integrity of any digital content. These methods create a hash of the digital content and encrypt the hash with a private key. The digital signature is the resulting encrypted data.

Now, let’s get back to our discussion - the code signing.

This is a type of digital signature used to verify the authenticity of a software binary or file.

It is a part of software trust management. It’s important to understand the options for code signing certificates, so let’s explore the available solutions.

Certificate Authorities are common sources to get trusted code signing certificates. There are two types of certificates issued by CAs:

  • Standard Code Signing Certificates: These provide a basic level of trust for both an individual and an organization.
  • Extended Validation Code Signing Certificates: These offer a higher level of trust due to the strict validation of the organization that requests the certificate. This type of certificate provides enhanced security and offers additional benefits like confirming the organization’s legal status.

Cloud-based certificate solutions offer modern and flexible solutions for organizations that use cloud resources in their CI/CD pipelines. These solutions seamlessly integrate the signing process into cloud-based CI/CD workflows. By storing cryptographic keys in the cloud, the risks associated with on-premises key storage are reduced.

Self-signed certificates are suitable for internal development or testing. They have limited trust since they are not recognized by external entities. Also, they require manual installation and configuration on target machines.

Continuous Signing Options

Integrating the signing process into the CI/CD pipeline is essential to ensure software security.

This integration can be facilitated by various tools and services, ranging from cloud CI/CD platforms to specialized cloud signing providers.

Cloud CI/CD Platforms

Azure DevOps offers a set of development tools for software teams, providing a robust cloud-based CI/CD solution that supports various coding platforms.

This service enables continuous signing and integrates with Azure Trusted Signing and Azure Key Vault to securely manage the encryption keys.

Azure DevOps integrates with other Azure services for enhanced security and efficiency of the pipeline.

GitHub Actions provides automation capabilities within GitHub repositories, supporting the integration of the signing process into the CI/CD pipeline.

Developers can use this service to automate signing tasks. It integrates with various security tools and services, including third-party signing providers.

Jenkins is an open-source automation server that manages the software development lifecycle from build to deployment.

It supports continuous signing and can be integrated with many security tools like Azure Key Vault, to securely handle the keys for the signing process.

For comprehensive support in the continuous integration of the installer build process, explore Advanced Installer. It offers several integration options, including:

NoteAdvanced Installer provides robust solutions to streamline your CI process, ensuring a smooth and efficient workflow across various platforms.
Try it through our 30-day free trial.

Cloud Signing Providers

DigiCert Software Trust Manager is a digital solution designed to protect software integrity through code-signing workflow automation.

It integrates with popular CI/CD tools, including Azure Pipelines and Jenkins. This tool allows signing via console, command line, or API.

One of its key capabilities is securing signing keys in cloud Hardware Security Modules (HSMs) or on-premises with usage control options, ensuring high security for the signing keys. It also offers detailed audit logs to trace the signing process.

SSL.com’s eSigner is a cloud-based code-signing solution that streamlines the code-signing process within CI/CD pipelines.

It operates entirely in the cloud and can be used with CI/CD tools like GitHub Actions or Jenkins. Designed to handle high volumes of signing requests, this service offers networked HSMs in the cloud to store the keys and supports several code signing methods, including API access.

Azure Trusted Signing is a signing solution provided by Microsoft that simplifies the certificate signing process. It integrates with many developer tool sets.

TipAdvanced Installer is the first packaging tool in the industry to provide built-in support for Trusted Signing. You can find more information in our dedicated article: Trusted Signing Integration.

Best Practices and Recommendations for Continuous Signing

To enhance the security and efficiency of a CI/CD pipeline, implementing some good practices for continuous signing is essential. By doing so, you protect your software and build trust with the end users.

Here are some key practices:

  1. Integrate Signing Early: Implement signing as early as possible within the build process to ensure security from the earliest stage of development. Also, make the signing process fully integrated to reduce human error.
  2. Effective Key Management: Protect the signed code and prevent unauthorized access by managing the signing keys effectively. Key practices for secure key management include:

- Restrict access to signing keys to only those who absolutely need it.

- Store cryptographic keys in HSMs to protect the signing keys from unauthorized access and breaches. Alternatively, you can use a cloud-based key management solution with a similar level of security.

- Rotate signing keys periodically to minimize the risk of key compromise.

  1. Monitor and Audit: Monitor for unusual activities by auditing the signing process regularly.
  2. Plan for Security Breaches: Maintain continuous signing operations by planning for potential security breaches. Define recovery steps, including the revocation of compromised certificates.

In addition to these best practices, consider the following recommendations to ensure your pipeline adheres to the highest security standards and protects your code from potential threats:

  • Review and Update Practices: Try to adjust the policies to reflect technological changes.
  • Team Training: Train your team and provide resources to help integrate signing into workflows effectively.
  • Alert Systems: Implement alert systems for suspicious activities on your signing infrastructure.
  • Regular Audits: Regularly audit and update your infrastructure to maintain high security standards.

Conclusion

The purpose of continuous signing is to guarantee the genuineness and reliability of software.

For instance, if you follow proper rules you can improve your security by far more than before.

Choose an appropriate tool for signing, and protecting your certificates securely while employing automated steps that check any unauthorized changes.

This implies that if your CI/CD signing process is secure and effective, you will not only protect your software but also win the trust of your customers making every release safe at all times.

Learn more about code signing, certificate options, best practices, and tools to protect your software.

Explore Our Comprehensive Digital Signing Guide and Resources

Written by
See author's page
Renato Ivanescu

Renato is a technical writer for Advanced Installer and an assistant professor at the University of Craiova. He is currently a PhD. student, and computers and information technology are his areas of interest. He loves innovation and takes on big challenges.

Comments: