Azure DevOpsクライアントツール拡張
GPG signing with DigiCert® Software Trust Manager Jenkins plugin is a streamlined keypair-based signing workflow that improves software security and seamlessly integrates with DevOps processes to sign binaries on Windows and Linux.
This plugin accelerates the installation and configuration of clients and signature tools to help developers become signing-ready for Jenkins pipeline.
GPG signing with DigiCert® Software Trust Manager plugin can be used to set up client tools task.
You can download GPG signing with DigiCert® Software Trust Manager from Jenkins Marketplace or by navigating to Jenkins homepage or dashboard > Manage Jenkins > Manage Plugins.
Prerequisites
DigiCert ONE account
DigiCert ONE client authentication certificate
Download GPG signing with Software Trust Manager
Jenkins build system
Any agent with OS that supports Java on Jenkins
JDK installed on the agent
DigiCert® Software Trust Manager access setup (given below)
User authentication
DigiCert® Software Trust Manager requires multifactor authentication. You will need to set up two credential types, namely an API token and an authentication certificate before you can access keypairs, certificates, and to sign code.
Create an API token
The API token is an authentication method used to verify the user and their permissions as set in DigiCert ONE®. The client authentication provides the first factor authentication.
To generate an API token:
Sign in to DigiCert ONE.
Select the profile icon.
Select Admin Profile.
Scroll down to API Tokens.
Select Create API token.
注記
The information shown after creating an API token cannot be accessed again, securely store all the information specified on the screen to use it later.
Create an authentication certificate
The client authentication certificate is an authentication method used to verify the user and their permissions as set in DigiCert ONE. The client authentication certificate provides the second factor authentication.
To create a client authentication certificate:
Sign in to DigiCert ONE.
Navigate to DigiCert® Software Trust Manager > Profile icon > Admin Profile.
Scroll down to Authentication certificates.
Select Create authentication certificate.
注記
The information shown after creating an client authentication certificate cannot be accessed again, securely store all the information specified on the screen to use it later.
Azure を安全に利用するためのベストプラクティス
Azure DevOps PipelineのユーザーがDigiCert® Software Trust Managerを使用してコードに署名する際には、セキュリティと説明責任を確保するために、シークレットとセキュアファイルを使用してください。この後にあるコード例では、シークレットとセキュアファイルを使用することを前提としています。
シークレット
シークレットは Azure DevOps Pipelineの変数を暗号化したもので、ユーザーはその情報の値を知ることなく情報を入力することができます。たとえば、APIキーの場合、Azureのすべての協力者があなたに固有の APIキーが何であるかを知って欲しくはありませんが、彼らはDigiCert® Software Trust Managerを通じて署名ツールを採用する際にそれを使用する必要が出てくるかもしれません。"(api_key)"が名前で値がAPIキーそのものである変数をセットアップすることができます。次に、 この値を秘密にするを選択して、値を暗号化します。また、 Azure Key Vault Secrets を使用することもできます。
Configure Jenkins secrets
The client tools need these environment variables to connect with DigiCert® Software Trust Manager.
注記
Only Jenkins user's with the Credentials > Create permission can add new global credentials.
To add new global credentials:
Log in to Jenkins.
Navigate to: Jenkins homepage or dashboard > Manage Jenkins > Manage Credentials > Store > Jenkins > System > Global credentials (unrestricted).
Select Add credentials.
Select the Scope you want to use:
Scope
Description
Global
Apply the scope of the credential/s to the Pipeline project/item "object" and all its descendant objects.
System
Apply the scope of the credential/s to a single object only.
Add the following types of credentials.
ID
Credential type
Description
SM_API_KEY
Secret text
Copy and paste your Software Trust Manager API token in the Secret field.
SM_CLIENT_CERT_FILE
Secret file
Select choose file and upload your Software Trust Manager client authentication certificate.
SM_CLIENT_CERT_PASSWORD
Secret text
Copy and paste your Software Trust Manager client certificate password in the Secret field.
SM_HOST
Secret text
Copy and paste your Software Trust Manager host environment in the Secret field.
Integration with Jenkins
Environment variables setup for Jenkins plugin in pipeline script
The client tools need these environment variables to connect with DigiCert® Software Trust Manager to provide its service.
To integrate as environment variables that are part of the pipeline:
pipeline { agent any environment { SM_API_KEY = credentials('SM_API_KEY') SM_HOST = credentials('SM_HOST') SM_CLIENT_CERT_PASSWORD = credentials('SM_CLIENT_CERT_PASSWORD') SM_CLIENT_CERT_FILE = credentials('SM_CLIENT_CERT_FILE') }
注記
Alternatively, integrate environment variables at an operating system environment level.
To add a stage to the pipeline script and call the plugin to perform Software Trust Manager setup for standard keypairs:
stages { stage('GPG set up using Software Trust Manager') { steps { SoftwareTrustManagerGPGSetup() } } }
Generate GPG master key
To generate a GPG master key, use:
stage ('generate gpg master key using smctl '){ steps { bat 'gpg keypair generate <master key alias> --key-alg "<algorithm>" --key-size <RSA key size>|--curve "<ECDSA curve name>" --can-sign "<YES or NO>" --gpg-key-type "MASTER" --uids "name=<name>,email=<email>", "name=<name>,email=<email>" ' } }
To download GPG keyring, use:
stage ('Download GPG keyring'){ steps { bat 'smctl gpg keyring download <GPG master key keypair ID> <GPG master key keypair ID>' } }
To list GPG public and private keys:
stage ('List gpg public and private keys'){ steps { bat 'gpg –list-keys <file path to keyring> ' bat 'gpg --list-secret-keys <file path to keyring> ' } }
Sign
注記
Install the signing tools you want to use before attempting to sign.
To sign using SMCTL, use:
stage ('GPG signing '){ steps { bat 'gpg --sign <unsigned file name>' } }