Author: Surabhi Dahal

Reading Time : 4 minutes

XML signing is a process that involves adding a digital signature to an XML document to ensure its integrity, authenticity, and non-repudiation. By applying a digital signature to an XML document, the signer attests to the authenticity and integrity of the data, making it possible to verify the document’s origin and ensure that it has not been altered during transit or storage.

The digital signature is created using asymmetric encryption techniques, typically based on public-key infrastructure (PKI). The signer generates a private key that is kept securely and a corresponding public key that can be shared with others. The private key is used to encrypt a hash or digest of the XML document, creating the digital signature. The encrypted digest serves as a unique representation of the data and is appended to the XML document.

XML signing is crucial in various domains, including e-commerce, electronic invoicing, supply chain management, and government applications. It enables secure electronic document exchanges, establishes the authenticity of data, and ensures non-repudiation, meaning that the signer cannot later deny their involvement or the integrity of the document.

An Overview of the XML signing process:

1. A suitable cryptographic algorithm, such as RSA, DSA, or ECDSA, is chosen by the XML signer to produce the digital signature.
2. The XML document to be signed is prepared. This involves ensuring that the document adheres to the required XML syntax and structure.
3. XML canonicalization is applied to the document, which ensures that any variations in whitespace, attribute order, or namespace prefixes do not affect the validity of the signature. Canonicalization produces a standardized form of the XML document for signing.
4. A digest, also known as a hash, is calculated over the canonicalized XML document. The digest serves as a unique fingerprint of the document and is used in the signing process.
5. The digest is encrypted with the private key of the signer, creating the digital signature. The private key is kept securely by the signer and should not be accessible to unauthorized parties.
6. The digital signature is inserted into the XML document, typically as an additional element or attribute. This allows the signature to be associated with the signed data.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Within this solution we offer a utility tool, XML Signer, which can sign XML files. The steps listed below will assist you with using our tool with ease.

Prerequisite

In order to use XML Signer, the users must first set environment variables for the SSL Client Authentication Certificate path and certificate password. Ask the Encryption Consulting team if you don’t already have it.

Execute the below commands to set environment variables:

Mac or Linux

Windows

How to use the XML Signer utility?

Get the version of the XML Signer Utility

Execute the below command

Mac or Linux

Windows

Get the help of the XML Signer Utility

Execute the below command

Mac or Linux

Windows

Sign an XML Document

The Signer utility will generate the signed document with the same name with the postfix “_signed”

Use the sign subcommand to sign an XML document

-S: XML document to be signed.

-u: User name. A user name on Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.

-k: Key/certificate name for signing/verification provided by Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.

-a: Algorithm to be used for signing. One of the following options should be used:

• SHA224
• SHA256 (Default)
• SHA384
• SHA512

If the Algorithm is not provided, it will use SHA256 as a default.

-c: Certificate file provided by Encryption Consulting server.

-q: Execute quietly.

-h: Display help

Examples

Mac or Linux

Windows

Conclusion

XML signing ensures the integrity, authenticity, and non-repudiation of XML documents. It adds a digital signature that verifies the document’s origin and prevents tampering. XML signing is essential for secure data exchange, fostering trust in electronic transactions and reliable communication. It finds applications in e-commerce, invoicing, supply chain management, and more. By using tools and libraries, the XML signing process is simplified and can be integrated into various environments. To get your hands on our tool which can help you with XML Signing process please contact us on info@encryptionconsulting.com

Reading Time : 5 minutes

GitLab is a web-based Git repository manager that provides source code management, continuous integration/continuous development (CI/CD) pipeline automation, and several other features for software development. It is a comprehensive DevOps platform that enables experts to carry out every project work, from planning and managing the source code to monitoring and security.

Teams can collaborate and create better software as a result. GitLab offers comprehensive DevOps capabilities throughout every stage of the software development lifecycle. Its continuous integration (CI) capabilities automate the building and testing of code for development teams. The platform also includes security features that provide scan results within the native CI pipeline/workflow, and a dashboard that assists security professionals with managing vulnerabilities.

Codesigning

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed. The digital signature is created using a private key that’s only available to the software’s publisher. When the software is downloaded and installed, the digital signature is checked against the public key to confirm that it matches and that the software hasn’t been modified. Code signing is important for ensuring the safety and security of software applications, as it helps prevent the distribution of malware and other malicious software.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

Integration of GitLab with CodeSigning.

To get started with this, you’ll first require a GitLab Account and a Runner, where you’ve signtool and ECSigning KSP installed and configured. Listing down the pre-requisites:

1. Self Hosted Runner which has ECSigning KSP, Signtool installed and configured. This runner should be provided with Administrative privileges.
2. A GitLab Account.

To set up the ECSigningKSP and Signtool, go through the following steps:

Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

Accept the license agreement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

When prompted if you want to allow this app to make changes, select yes.

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

Click environment variables.

Before editing the variable list, navigate to where the Windows SDK is installed to using file explorer, you must copy the path of the folder which contains the signtool application, the default path is C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64, refer to the below screenshot. Make sure to right click and copy the path as shown. You can also see the signtool application at the bottom of the file list, this is the command you will run.

In the System Variables list, click new. Then type Path as the variable name, and copy and paste the aforementioned path. Then click OK on the environment variables window and system properties window.

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

If you’re using our solution you can download the KSP using the steps below:

• Sign in to Code Sign Secure.

• Navigate to: Signing tools repository.

  

• Download “Encryption Consulting CNG-SigningKSP”

• Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.

  

• Click next when the installation wizard appears.

  

• Click next.

  

• In the Username field, type admin.

• In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

  Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

  GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.

  

• Change the Identity Type to 1.
• Leave API BaseURL the same.

• Click next.

  

• Click next.

  

• You will then be notified that this program will make changes to your pc, click yes.

  

• Installation is now complete.

  

Please follow the steps below:

• Set Up a GitLab Account. Navigate to creating a New Blank Project.

• Scroll down to settings -> CI/CD and navigate to runner. Expand it.

  

• Install GitLab runner in your device using the link. This link is for Windows. You can look this link to see steps to Install it in your specific device.
• You can follow the documentation to set up your runner and register it as per your device.

To register a runner under Windows, run the following command:

1. .\gitlab-runner.exe register
2. Enter your GitLab instance URL (also known as the gitlab-ci coordinator URL). Example: https://gitlab.com
3. Enter the token you obtained to register the runner. You can access this from settings -> CI/CD -> Expand -> Project runners. Under project runners you can find token.
4. Enter a description for the runner. You can change this value later in the GitLab user interface. Example: Device
5. Enter the tags associated with the runner, separated by commas. You can change this value later in the GitLab user interface. Example: WindowsRunner
6. Enter any optional maintenance note for the runner.
7. Provide the runner executor. We’re operating this in Shell.

Once the runner is installed and configured, navigate to services in your device, scroll down to GitLab Runner and set log on as Administrator. Provide Admin Password here.

Once this is done, go to your project. You might have to rename the .ym file name. Rename it as .gitlab-ci.yml. Run the script below to perform codesigning.

 job1:
    tags:
        - WindowsRunner //The tag you provided while setting up the runner
    script:
        - signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

If you click on CI/CD -> jobs you’ll see it being successfully signed.

You’ll need to modify the command as per your variables

• kc evcodesigning: replace evcodesiging with your key name
• f “C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem”: replace location with location of your .pem file to perform codesiging. You can get this by using signing KSP. From command prompt reach to the directory having SigningKSP. Use command ECGetCert.ece <key name> to get pem file of your certificate. 
• tr http://timestamp.digicert.com: time stamping server
• td SHA256 “C:\Users\Administrator\Desktop\ForTesting\AgentService.exe”: location of file you want to get signed.

Conclusion

The article above demonstrates the process of integration your GitLab CI/CD pipeline with codesigning. It is a very simple process as you’re just required to set up a runner, connect it with a GitLab account and build the pipeline to run the job. Codesigning is crucial in today’s date as malicious software, files continue to grow. You can contact us at info@encryptionconsulting.com for any help regarding our code signing solution.

Reading Time : 5 minutes

GitHub Actions is a continuous integration and continuous development (CI/CD) platform that allows user to automate their build, test, and deployment pipeline. Users may design workflows that build and test every pull and push request to their repository or deploy merged pull requests to production. GitHub Actions is a powerful tool that allows developers to automate workflows within their GitHub repositories.

Each workflow is made up of one or more jobs, which are made up of one or more steps. Each step is a set of commands that are executed on a runner, which is a virtual machine that runs your workflows.

Getting Started with GitHub Actions

To get started with GitHub Actions, you’ll need a GitHub account and a repository. Once you’ve created your repository, you can create a new workflow by adding a YAML file to the .github/workflows directory in your repository.

Some of the terms that are used in the YAML file defining workflow are listed below. Let’s break down this workflow to understand how it works:

• name: This is the name of the workflow.

• on: This specifies when the workflow should be triggered. For example, the workflow can run when a pull request is opened on a branch.

• jobs: This is a list of jobs that will be executed as part of the workflow.

• run-on: This specifies the operating system and environment for the job. We can set up a self-hosted runner for our job. We are setting up a self-hosted runner for this.

• steps: This specifies a list of steps that will be executed as part of the job.

• uses: This is a shortcut for using an existing action from the GitHub Marketplace. In our script, we’re using the actions/checkout action to checkout the repository code.

• name: This is the name of the step.

• run: This is a shell command that will be executed as part of the step.

Codesigning Using GitHub Actions

Code signing is the process of digitally signing software code to verify its authenticity and integrity. It is a security measure that helps ensure that the code has not been tampered with and comes from a trusted source.

We can perform codesigning using GitHub actions. For this, we create a workflow in our desired repository in GitHub and perform codesigning using the script.

Prerequisites for performing this task include:

1. A GitHub repository (You’ll require an admin account).
2. A Runner where Signtool and ECSigning KSP is installed and configured.

Before we get started, we will need to configure a runner. Runner will be setup in the device where you have Signtool and ECSigning KSP installed and configured. To do so in your device follow the steps below.

To Setup and Configure Signtool follow the steps below:

Signtool can be downloaded as part of the Windows SDK. Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

Accept the license agreement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

When prompted if you want to allow this app to make changes, select yes.

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

Click environment variables.

Before editing the variable list, navigate to where the Windows SDK is installed to using file explorer, you must copy the path of the folder which contains the signtool application, the default path is C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64, refer to the below screenshot. Make sure to right click and copy the path as shown. You can also see the signtool application at the bottom of the file list, this is the command you will run.

In the System Variables list, click new. Then type Path as the variable name, and copy and paste the aforementioned path. Then click OK on the environment variables window and system properties window.

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

Encryption Consulting provides you with this solution, CodeSignSecure. This solution can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

If you’re using our solution you can download the KSP using the steps below:

• Sign in to Code Sign Secure.

• Navigate to: Signing tools repository.

  

• Download “Encryption Consulting CNG-SigningKSP”

• Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.

  

• Click next when the installation wizard appears.

  

• Click next.

  

• In the Username field, type admin.

• In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

  Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

  GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.

  

• Change the Identity Type to 1.
• Leave API BaseURL the same.

• Click next.

  

• Click next.

  

• You will then be notified that this program will make changes to your pc, click yes.

  

• Installation is now complete.

  

To set up the runner, follow the steps below:

Navigate to your Github Repository.

• Navigate to Settings of Repository
• Scroll down to Actions and select Runner from the dropdown menu.

• Click on New Self-Hosted Runner.

  

After doing so, you can click on the runner image (macOS/Linux/Windows) of your choice. The instructions below are for Windows. You’ll see several commands to be followed on the screen.

Run the commands that are shown in the configuration of the runner. The commands are also given below:

• mkdir actions-runner; cd actions-runner;
• Invoke-WebRequest -Url https://github.com/actions/runner/releases/download/v2.303.0/actions-runner-win-x64-2.303.0.zip -OutFile actions-runner-win-x64-2.303.0.zip
• Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory(“$PWD/actions-runner-win-x64-2.303.0.zip”, “$PWD”)
• ./config.cmd –url https://github.com/Encryption-Consulting-LLC/CodeSignSecure-Desktop –token <token_number>

Once you see Github Actions written on your screen, you’ll be asked for runner registration.

• Enter the name of the runner group to add this runner to: [press Enter for Default] (You can leave this to default).
• Enter the name of the runner: [press Enter for CLIENT] (You can enter the desired name for your runner).

• This runner will have the following labels: ‘self-hosted’, ‘Windows’, ‘X64’

  Enter any additional labels (ex., label-1,label-2): [press Enter to skip] (Please enter a label here, it can be anything, do not leave/skip this step. The same name will be used later to call runner in the script).

• The following will be prompted on your screen once it’s done

  • Runner successfully added
  • Runner connection is good
  • Runner settings

• Enter name of work folder: [press Enter for _work] (You can leave this to default or you can specify a folder of your choice)

  Settings Saved

• Would you like to run the runner as service? (Y/N) [press Enter for N] (Enter Y)

• User account to use for the service [press Enter for NT AUTHORITY\NETWORK SERVICE] (Make sure you enter Administrator here)

  (Administrator privilege is required to run the command. Hence it is MUST to set the user as an administrator)

• Password for the account CLIENT\Administrator (Provide password of your Administrator account)

• Once done, you’ll see the following prompt on your screen.

  It will be prompted as Service actions.runner.<repository name>.<runner_name>

  Granting file permissions to ‘CLIENT\Administrator’.

  Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully installed

  Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully set recovery option

  Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully set to delayed auto start

  Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree successfully configured

  Waiting for service to start…

  Service actions.runner.Encryption-Consulting-LLC-CodeSignSecure-Desktop.TryThree started successfully

Once the runner is set up on your device, navigate to your repository in github.

Go to Actions.

Click on New Workflow

Click on set up a workflow yourself

This is what your editor will look like. You can rename your .yaml file or leave the name to default.

Add the script below to your editor after making some changes or updating the variables.

 name: Code Signing

on:
  push:
    branches: <[ Your Branch Name ]>

jobs:
  build:
    runs-on: <Your runner name>
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
         
      - name: Sign code
        run: |
         signtool sign /csp "Encryption Consulting Key Storage provider" /kc <Key Name> /fd <hashing algorithm> /f "<Certificate Location>" /tr <timestampserver> /td SHA256 "<file path>"

Please replace the variables specified under <variable name>. A short description of expected variable is given below.

<file path>: This is where you provide the path of file that you want to sign. Example C:\<Folder_name>\<File_name>. Make sure you have provided a file name with the proper extension.

<key name>This refers to the cryptographic key used to sign the code. Example: evcodesigning

<certificate location>: An example of what can be put in this field is C:\testing.pem. The certificate.pem file MUST be included in this input. You can generate a pem file of the certificate for codesigning, if you have the key name using, ECSigningKSP. For doing so follow the commands below:

In your device where you have ECSigningKSP installed and configured, navigate to the folder of ECSigningKSP, which is usually present in “C:\Program Files\Encryption Consulting\SigningKSP”

In your command prompt reach to this directory.

Then use following command to get pem file of the certificate.

ECGetCert.exe <Key_Name>  (example: ECGetCert.exe evcodesigning)

Provide the location of the certificate saved.

<hashing algorithm>: You need provide the name of hashing algorithm such as SHA256, SHA384, or SHA512. It must be one of these three values.

<time stamp server>: A timestamp server provides proof that a digital signature was performed at a specific time, allowing verification in the future that a file was signed at a particular time. The one we generally use is http://timestamp.digicert.com

The Command I used for signing was

signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

The Script I used was:

 name: Code Signing
on:
  push:
    branches: [ Github_Actions ]

jobs:
  build:
    runs-on: runner
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
         
      - name: Sign code
        run: |
         signtool sign /csp "Encryption Consulting Key Storage provider" /kc evcodesigning /fd SHA256 /f "C:\Users\Administrator\Desktop\ForTesting\evcodesigning.pem" /tr http://timestamp.digicert.com /td SHA256 "C:\Users\Administrator\Desktop\ForTesting\AgentService.exe"

Once you’ve edited your script, click on commit. You can commit directly to your default branch or commit to a new branch. Make sure you update the name of your branch inside the code. After committing the job will run.

Conclusion

Encryption Consulting provides you with codesigning solution known as CodeSign Secure. You can contact us to get your hands on the SigningKSP as well as keyname. Codesigning Using Github Actions is a simple process. A user will just have to configure the runner and run your script. You can contact us at info@encryptionconsulting.com for any assistance.

Reading Time : 5 minutes

Jenkins is an open-source automation tool that is widely used for continuous integration and continuous delivery (CI/CD) of software applications. Jenkins provides a web-based user interface that makes it easy to configure and manage jobs, which are automated tasks that can be scheduled to run at specific times or triggered by specific events. These jobs can be used to compile code, run tests, deploy applications, and perform many other tasks related to software development.

Some of the key features of Jenkins include:

• Easy installation and setup

  Jenkins is easy to install and configure and can be set up on a wide range of operating systems and platforms.

• Powerful job management

  Jenkins allows you to create and manage jobs, which are automated tasks that can be scheduled to run at specific times or triggered by specific events. Jobs can be used to compile code, run tests, deploy applications, and perform many other tasks related to software development.

• Wide range of plugins and integrations

  Jenkins has a large number of plugins and integrations available, which allows it to work with many different tools and technologies. This makes it highly customizable and flexible.

• Support for pipelines

  Jenkins provides strong support for pipelines, which are sets of stages that define a software development workflow. Pipelines can be defined using code, which makes them highly customizable and easy to version control.

• Built-in testing support

  Jenkins provides built-in support for many different types of tests, including unit tests, integration tests, and functional tests. This makes it easy to run tests as part of a continuous integration workflow, ensuring that any code changes are thoroughly tested before being deployed to production.

• Scalability

  Jenkins can be easily scaled to support large development teams and complex software development workflows.

• Open-source

  Jenkins is open-source software, which means that it is free to use and can be customized to meet the specific needs of your development team.

Codesigning Using Jenkins

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed.

To perform codesigning using Jenkins go through the steps below.

Prerequisites for performing this task includes:

1. Jenkins Setup and Configured in your device
2. Signtool installed and configured
3. ECSigning KSP installed and configured.

To Setup and Configure Signtool follow the steps below:

Signtool can be downloaded as part of the Windows SDK. Download Windows SDK: (developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)

You can choose to install only the Windows SDK Signing Tools for Desktop Apps.

Open the winsdksetup.exe file. Remember the default path shown in the install path, as this will be helpful with running these commands from the command prompt.

On the Windows Kits Privacy page, either option for allowing Microsoft to collect insights is okay. Click next.

Accept the license agreement

Deselect every feature except for Windows SDK Signing Tools for Desktop Apps, then select install.

When prompted if you want to allow this app to make changes, select yes.

Click on windows search bar on task bar and type “Edit the system environment variables” and select the control panel option of the same name.

Click environment variables.

Before editing the variable list, navigate to where the Windows SDK is installed to using file explorer, you must copy the path of the folder which contains the signtool application, the default path is C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64, refer to the below screenshot. Make sure to right click and copy the path as shown. You can also see the signtool application at the bottom of the file list, this is the command you will run.

In the System Variables list, click new. Then type Path as the variable name, and copy and paste the aforementioned path. Then click OK on the environment variables window and system properties window.

To test the installation, open command prompt, and type signtool, and the output should be as shown below.

The default signtool installation location is, for example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64

To set up KSP follow the steps below:

Encryption Consulting provides you with this solution, CodeSignSecure. This solution can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

If you’re using our solution you can download the KSP using the steps below:

• Sign in to Code Sign Secure.

• Navigate to: Signing tools repository.

  

• Download “Encryption Consulting CNG-SigningKSP”

• Install the client tools using the .MSI installer. The .MSI installer automates much of the configuration. Navigate to where the downloaded file is saved and launch the installer.

  

• Click next when the installation wizard appears.

  

• Click next.

  

• In the Username field, type admin.

• In the Code field, copy the code from the Postman API Repository. Click on the GetLoginToken api and copy the code from the Body.

  Download PostMan from this link. Once downloaded, click the skip button at the bottom of the window. Once on dashboard, add a new collection using the plus sign button next to collections.

  GetLoginToken API (http://codesignsecureapi.encryptionconsulting.com/api/auth/GetLoginToken): This is the most important API, as this gives you a Bearer Token to use with the rest of the APIs, What should be in the body is shown below. The code serves as a password in order to get a the Bearer Token, the user field is the username, and the identity type field specifices the user type. Click Send to generate an output which has the Bearer Token listed at the bottom. Copy this token for use.

  

• Change the Identity Type to 1.
• Leave API BaseURL the same.

• Click next.

  

• Click next.

  

• You will then be notified that this program will make changes to your pc, click yes.

  

• Installation is now complete.

  

Once Jenkins is setup, we will require administrative privilege to run the command for signtool. To see we have set the administrative privilege for Jenkins, and if we haven’t, to set those

• Go to services on your system (You can just search for it)
• Scroll down to Jenkins. There in the “Log on As” column, you can see the user account set up for Jenkins. If it’s set to anything (Local Service/System, Network Service/System) other than “.\Administrator”, then we have to set it for Administrator.

• Double Click on Jenkins or Right Click > Properties to open Properties. Go to Log On.

  Select “This Account”

  Set it as “.\Administrator”. Give a password, preferably administrator password. Click on Apply once done.

  

Once we have set this we’ll now head to Jenkins. Whichever URL/hostname you specified earlier while setting up, navigating to that from your browser will lead you to Jenkins. In my system I have set it up as http://localhost:8080/ (It is also default).

In your Dashboard follow the steps below:

• From Dashboard click on New Item.

  

• Enter any item name and click on pipeline and click ok.

  

• In configuration page, under General put up a description as your wish.

  

• Scroll down to the bottom to find Pipeline.

  

• Write the script in the script box and click on save. You’ll need to edit your environment variable as per your setup

  pipeline {
      agent any
      environment {
          SM_KEY_NAME='evcodesigning'
          SM_CLIENT_CERT_FILE='C:\\Users\\Administrator\\Desktop\\ForTesting\\evcodesigning.pem'
          SM_HASHING_ALGORITHM='SHA256'
          SM_TIME_STAMP_SERVER="http://timestamp.digicert.com"
          SM_FILEPATH="C:\\Users\\Administrator\\Desktop\\ForTesting\\AgentService.exe"
      }
      stages {
          stage('Code Signing') {
              steps {
                  dir('C:\\Users\\Administrator\\Desktop\\ForTesting'){
                  bat 'signtool sign /csp "Encryption Consulting Key Storage provider" 
  /kc %SM_KEY_NAME% /fd 
   %SM_HASHING_ALGORITHM% /f %SM_CLIENT_CERT_FILE% /tr %SM_TIME_STAMP_SERVER% /td SHA256 %SM_FILEPATH%'
                  }
              }
          }
      }
  }
  

• Click on build now and you’ll see a build number running on the screen.

  

• If you click on the build number and go for console output you’ll see that your file has been signed.

  

In today’s digital landscape, malicious code and software threats are a constant concern for organizations of all sizes. Cybercriminals use a variety of tactics to compromise networks and steal sensitive data. One of the most common ways they do this is by distributing malware and other malicious code under the guise of legitimate software.

Organizations must have a comprehensive cybersecurity strategy that includes effective policies, procedures, and technology to prevent and detect attacks to safeguard themselves against these risks. Code-signing machine identities are one of the primary technologies used to secure networks against malicious code.

What are code-signing machine identities?

The process of code signing involves affixing a digital signature to executable code, scripts, and software in order to validate its authenticity and ensure its integrity. Code-signing machine identities are digital certificates that are used to sign code and are managed by code-sign in machines. Code-signing machine identities provide a way to verify the authenticity and integrity of code running on your network. By using digital certificates to sign software, you can ensure that the code has not been tampered with or modified since it was signed.

This helps to prevent malicious code from being introduced onto your network and reduces the risk of cyber-attacks. The digital certificates contain information about the code publisher, including their location and name, as well as a public key that is used to encrypt the signature. The private key, which is stored on the code signing machine, is used to sign the code. Digital certificates used for code signing are issued by a trusted third-party Certificate Authority (CA), and each certificate is unique and includes a distinct digital signature.

During the process of code signing, a signature is added to the code by creating a hash of the code, which is then encrypted with the private key of the code signing machine identity. Once this signature is added to the code, it can be verified by anyone who receives the code. To verify the signature, the recipient uses the public key included in the digital certificate to decrypt the signature and generates a hash of the code themselves. They can then compare the decrypted signature to their own hash of the code. If the hashes match, the recipient can be assured that the code has not been altered and was genuinely signed by the trusted source specified in the digital certificates.

Furthermore, code-signing machine identities facilitate the secure distribution and delivery of software updates, enabling organizations to deploy patches and updates to their networks confidently and quickly. This is crucial because it enables organizations to promptly address any security vulnerabilities or other problems that may arise in their software.

Using code-signing machine identities, organizations can guarantee the protection of their networks against malicious code, including viruses, spyware, and other forms of malware that could cause harm to their systems and data. Moreover, code-signing machine identities can assist organizations in meeting regulatory requirements for secure software development and distribution.

How do code-signing machine identities protect your network?

Code-signing machine identities provide several key benefits that help to protect networks from malicious code and software. These include

• Verification of code authenticity and integrity

  Code-signing machine identities provide a secure and dependable mechanism for verifying the authenticity and integrity of code. Malware can infiltrate a network via several methods, such as phishing emails or exploiting vulnerabilities in software. When malware infects a network, it can lead to various issues like data theft, system downtime, and financial losses. However, when code is signed with a code signing machine identity, the recipient can be certain that the code hasn’t been altered during distribution and that it actually originated from the trusted source denoted in the digital certificate. This mitigates the risk of malicious code being circulated as authentic software, which could compromise the network’s security.

• Secure distribution and delivery of software updates

  Additionally, code-signing machine identities furnish a secure means of delivering and distributing software updates. When organizations require the deployment of patches and updates to their networks, they can sign the updates using their code-signing machine identity and provide them to users. By doing so, they can guarantee that the updates are authentic and have not been tampered. Consequently, organizations can swiftly and confidently resolve security vulnerabilities and other software-related concerns without malicious code infiltrating their networks.

• Compliance with regulatory requirements

  Lastly, code-signing machine identities can aid organizations in adhering to regulatory demands for secure software development and distribution. Several industries, including healthcare and finance, have stringent regulations regarding the security of software and the methods employed to create and distribute it. BY adopting of code-signing machine identities, organizations can showcase their commitment to securing their software and conforming to these regulations.

Some other benefits of code-signing machine identities are

• Authentication

  By verifying that the code has been signed by a trusted source code signing machine identities enable authentication. This hinders the introduction of unauthorized or malevolent code into a network.

• Integrity

  By validating that the code has not been altered since it was signed, code signing machine identities ensures the codes integrity. This guarantees that there is no malware or other malicious code included in the code.

• Trust

  Code-signing machine identities help establish trust between software publishers and recipients. When a software publisher signs their code, they are essentially vouching for its authenticity and integrity. This helps recipients trust the code and reduces the risk of introducing malicious code onto the network.

• Compliance

  Code signing machine identities can assist companies in adhering to industry standards and laws by proving that they have put in place the necessary security measures to safeguard their software.

• User Experience

  Code signing machine identities can enhance the user experience by reducing security warnings and allowing for seamless installation and updates of software.

• Brand Reputation

  By using code signing machine identities, organizations and developers can safeguard their brand reputation by demonstrating that their software is trustworthy and secure.

Conclusion

The possibility of harmful code and software is a constant worry for various enterprises in this digital age. Code-signing machine identities offer a crucial layer of defense against these dangers by enabling the safe and secure distribution and delivery of software updates and assisting organizations in adhering to legal requirements. They also provide a way to confirm the reliability and authenticity of the code. Organizations can improve the security of their systems and data by implementing code-signing machine identities into their overall cybersecurity strategy. This will help enterprises safeguard their networks from malicious code and applications.

Reading Time: 4 minutes

When a program, script, or macro is downloaded, a popup window asking, “Are you sure you want to run this?” will appear during installation or execution. or “Do you want to let the next program affect this computer?” Code signing is being used in this popup. Code signing tools are crucial because they distinguish between legitimate software and malicious or rogue code.

Code signing is a procedure that verifies the legitimacy of the author and the originality and authenticity of digital information, particularly software code. It also ensures that the information is not malicious code. Additionally, it guarantees that this information has not been altered, falsified, or canceled after being digitally signed.

 Your projects developed in Visual Studio with Visual Basics and Visual C# can be published and updated using ClickOnce. ClickOnce is a Microsoft technology used to deploy and update Windows desktop applications over the internet. It allows developers to publish their applications on a web server or network file share and make them available to users via a single click without any complex installation or configuration process.

While you publish your project using ClickOnce, you can sign ClickOnce manifests using a certificate. This will help prove the legitimacy of your application, and this process is called Code signing. Codesigning with ClickOnce provides several security features to ensure that the application and its updates are downloaded from a trusted source and that users are protected against potential security threats. It adds an extra layer of security to your application and can help increase user trust.

When you publish your project using ClickOnce without codesigning, such application when run by the user, a dialogue box is often prompted with a security warning.

But no such warnings are prompted when you Sign ClickOnce manifests with a code signing certificate.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

This solution provides a tool and certificate for signing ClickOnce manifests. You will have to install and configure the tool and follow the steps below to proceed.

1. Install and Configure the tool (SigningKSP)

2. From the command prompt, reach the directory where ECGetCert.exe is located.

   

3. Run the command: ECGetCert.exe evcodesigning Here, evcodesigning is the certificate name that we are using for the codesigning purpose.

   This command will save evcodesigning.pem (certificatename.pem) file in the same directory

   

4. Open certmgr.msc and navigate to Personal -> certificates. If there is no certificate folder, right-click on personal -> All Tasks -> Import

   

5. A Certificate import wizard Opens. Click on next; the store location here is, by default, the current user.

   

6. On the next page, browse for the certificate. It should be saved in the same directory where EGGetCert. Exe is located. From there, select evcodesigning.pem (certificatename.pem). If you can’t see the file select all files at the bottom instead of X.509 certificate. Once the certificate is selected, click next.

   

   

7. On the other page, ensure that “Place all the certificates in the following store” is selected. Under that, the Certificate store is set to Personal. Click on next and then Click on Finish. You’ll see a dialogue box saying the import was successful.

   

   

8. Once the certificate import is done, you need the thumbprint value of your certificate. Click on Personal -> Certificates -> and then the imported certificate. Navigate to “Details” and scroll down to thumbprint. You can copy the value.

   

   Return to the command prompt. Run the following command. Ensure that you place the Thumbprint of your certificate in your command.

   certutil -f -repairstore -csp “Encryption Consulting Key Storage Provider” -user “My” 79656a9ce126fd0d1bb33f4dc73dba308f58b3ac

   

   

9. Once the command runs, navigate to the project in Visual Studio that you want to publish with ClickOnce.

10. In the Solution Explorer, Right Click on your project and navigate to Publish. Click on it.

    

11. A new dialogue box opens. Select ClickOnce and click on Next.

    

12. On the next page, choose a publish location or leave the default bin\publish and click Next.

    

13. You can choose the Install Location as per your choice or leave the default. Click on Next.

    

14. Select your settings in the next tab as you like and click Next

    

15. In Sign manifests, check the box “Sign the ClickOnce manifests” and click on select a certificate from the store.

    

    A dialogue box opens with a certificate, which was initially imported. Click OK to proceed.

    

    You can now see the certificate details in Sign manifests

    

16. Click on next to choose your configuration and click on Finish.

17. You’ll see Publish profile creation progress and a green tick when successful

    

18. You can see the Publish Profile created.

    

We have successfully signed ClickOnce manifests with Visual Studio. Click on Publish to publish your project.

Conclusion

With its digital signature and other security features, Signing ClickOnce manifests enables developers to establish the level of trust users should have in an application. This can decrease the probability that harmful software will be executed on a user’s machine. With the rapid increase in viruses and malware on applications online, it’s necessary to take such measures to prevent any damage. It’s always better to be safe than sorry.

To summarize, incorporating code signing into software security is crucial to safeguard it against malware attacks and tampering. Encryption Consulting’s Code Sign Secure offers various advantages, including seamless integration with development workflows, robust authentication and encryption, and customizable pricing options. To learn more about how you could use Code Sign Secure visit: www.encryptionconsulting.com/code-signing-solution/ or contact us at: info@encryptionconsulting.com