How to Integrate a Jenkins CI CD Pipeline with Code Signing Certificate
Integrating Code Signing Certificate/Self Sign into Jenkins CI/CD Pipelines Test Env

Log in to the Jenkins UI.

Install the Credentials Plugin: Ensure the Jenkins Credentials Plugin is installed.
https://plugins.jenkins.io/credentials/


Store Certificate in Jenkins:

Go to Jenkins Dashboard > Manage Jenkins > Manage Credentials.

Under Stores scoped to Jenkins, click System.

Click Global credentials (unrestricted).

Click Add Credentials.
Choose Secret file as the kind of credential.

Upload your .pfx or .p12 file and provide a description for the credential.

Provide an ID (e.g., self-codesign-yashviuat) and click Create.


Store the Certificate Password
Go to Jenkins Dashboard > Manage Jenkins > Manage Credentials.
Under Stores scoped to Jenkins, click System.
Click Global credentials (unrestricted).
Click Add Credentials.
Select Secret text as the kind of credential.
Enter the password for the .pfx file, provide an ID (e.g., self-codesign-yashviuat-key) and a description, and click Create.


Configure sample Jenkins Pipeline Script
    pipeline {
        agent any
        environment {
            CERT_FILE = credentials('self-codesign-yashviuat')         // ID of the secret file credential
            CERT_PASSWORD = credentials('self-codesign-yashviuat-key') // ID of the secret text credential
        }
        stages {
            stage('Build') {
                steps {
                    script {
                        echo 'Building the application...'
                        // Add build steps here
                    }
                }
            }
            stage('Sign Code') {
                steps {
                    script {
                        echo 'Signing the application...'
                        // Example for Windows using signtool
                        // (backslashes in the path are doubled because Groovy """ strings interpret escapes)
                        bat """
                            signtool sign /f "${CERT_FILE}" /p "${CERT_PASSWORD}" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 path\\to\\your\\binary.exe
                        """
                    }
                }
            }
            stage('Deploy') {
                steps {
                    script {
                        echo 'Deploying the application...'
                        // Add deployment steps here
                    }
                }
            }
        }
    }
To set up and run the pipeline
Install Required Plugins:
Go to Jenkins Dashboard > Manage Jenkins > Manage Plugins.
Install the following plugins (if not already installed):
Pipeline

Credentials Binding
1. Install the plugin manually if needed. Official Jenkins plugin repository: https://plugins.jenkins.io/

Direct download link: https://updates.jenkins.io/download/plugins/credentials-binding/687.v619cb_15e923f/credentials-binding.hpi

If the plugin does not work after the download/installation, restart Jenkins.

After the restart, verify that the plugin is installed.

Create the Pipeline
1. Create a New Pipeline:
Go to Jenkins Dashboard > New Item.
Enter a name for your pipeline (e.g., CodeSignIntegrateUATyashvi-Pipeline).

Select Pipeline and click OK.
2. Configure the Pipeline:
In the pipeline configuration page, scroll down to the Pipeline section.

Paste the provided sample pipeline script into the Script box.

Verify the agent OS first; the sample script is refined below for my example (a Linux agent).

Sample script:

    pipeline {
        agent any
        environment {
            CERT_FILE = credentials('self-codesign-yashviuat')         // ID of the secret file credential
            CERT_PASSWORD = credentials('self-codesign-yashviuat-key') // ID of the secret text credential
        }
        stages {
            stage('Build') {
                steps {
                    script {
                        echo 'Building the application...'
                        // Example: Create a dummy binary for testing
                        sh '''
                            echo "This is a dummy binary." > dummy-binary
                            chmod +x dummy-binary
                        '''
                    }
                }
            }
            stage('Sign Code') {
                steps {
                    script {
                        echo 'Signing the application...'
                        // Use osslsigncode to sign the binary
                        sh """
                            osslsigncode sign -pkcs12 "${CERT_FILE}" -pass "${CERT_PASSWORD}" -in dummy-binary -out signed-binary
                        """
                    }
                }
            }
            stage('Verify Signature') {
                steps {
                    script {
                        echo 'Verifying the signature...'
                        // Verify the signed binary
                        sh """
                            osslsigncode verify signed-binary
                        """
                    }
                }
            }
            stage('Deploy') {
                steps {
                    script {
                        echo 'Deploying the application...'
                        // Example: Print the signed binary content (for testing)
                        sh '''
                            echo "Signed binary content:"
                            cat signed-binary
                        '''
                    }
                }
            }
        }
    }

Before running the pipeline, make sure it runs on a Jenkins Linux agent (the sh steps and osslsigncode require one).


The pipeline hit an error before the Build stage, so the script was changed again. This version binds the secrets with withCredentials, references them as shell variables inside a single-quoted sh step (so the secret values are not interpolated into the Groovy string), and checks the certificate file and password before signing:

    pipeline {
        agent any
        environment {
            CERT_FILE = credentials('self-codesign-yashviuat')         // ID of the secret file credential
            CERT_PASSWORD = credentials('self-codesign-yashviuat-key') // ID of the secret text credential
        }
        stages {
            stage('Build') {
                steps {
                    script {
                        echo 'Building the application...'
                        // Example: Create a dummy binary for testing
                        sh '''
                            echo "This is a dummy binary." > dummy-binary
                            chmod +x dummy-binary
                        '''
                    }
                }
            }
            stage('Sign Code') {
                steps {
                    script {
                        echo 'Signing the application...'
                        // Use osslsigncode to sign the binary
                        withCredentials([file(credentialsId: 'self-codesign-yashviuat', variable: 'CERT_FILE'),
                                         string(credentialsId: 'self-codesign-yashviuat-key', variable: 'CERT_PASSWORD')]) {
                            sh '''
                                # Verify the certificate file
                                if ! openssl pkcs12 -info -in "$CERT_FILE" -passin pass:"$CERT_PASSWORD" -noout; then
                                    echo "Error: Invalid certificate or password."
                                    exit 1
                                fi
                                # Sign the binary
                                osslsigncode sign -pkcs12 "$CERT_FILE" -pass "$CERT_PASSWORD" -in dummy-binary -out signed-binary
                            '''
                        }
                    }
                }
            }
            stage('Verify Signature') {
                steps {
                    script {
                        echo 'Verifying the signature...'
                        // Verify the signed binary
                        sh '''
                            osslsigncode verify signed-binary
                        '''
                    }
                }
            }
            stage('Deploy') {
                steps {
                    script {
                        echo 'Deploying the application...'
                        // Example: Print the signed binary content (for testing)
                        sh '''
                            echo "Signed binary content:"
                            cat signed-binary
                        '''
                    }
                }
            }
        }
    }


To meet the practical requirements of the Positiwise company interview, I'm demonstrating a free/cost-effective, Linux/PowerShell scripting based approach for generating self-signed certificates. This method is ideal for development and testing, and shows that a solution can be implemented quickly without relying on external, potentially costly resources or a company environment.

Jenkins is running on Linux, so let's create the self-signed certificate on Linux:

    openssl req -x509 -newkey rsa:2048 -keyout private.key -out Yashvi_selfuatjenkins.crt -days 365 -nodes -subj "/CN=Yashvi Kothari e/O=Test Codesign self sign"

Combine the .crt and .key into a .pfx:

    openssl pkcs12 -export -out Yashvi_selfuatjenkins.pfx -inkey private.key -in Yashvi_selfuatjenkins.crt

Enter an export password when prompted.


Verify the .pfx:
openssl pkcs12 -info -in Yashvi_selfuatjenkins.pfx
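The certificate generation above and the pre-flight check in the final pipeline's Sign Code stage, put together as an added shell example (not code from the original page). It builds a test .pfx in a temporary directory, adds the codeSigning extended key usage that the page's openssl req command does not set, and exposes the same openssl pkcs12 -info check as a function so a wrong password fails before any signing happens; all names, paths and the password are constructed, and osslsigncode itself is not called.

```shell
#!/bin/sh
# Added example (not from the original page): build the self-signed PKCS#12 file the
# pipeline expects, then run the same pre-flight check the Sign Code stage runs before
# it calls osslsigncode. Names, paths and the password below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="constructed-test-password"   # constructed sample value, not a real secret

# Generate a self-signed certificate and export it with its key as a .pfx.
# The page's openssl req command is extended with the codeSigning extended key usage,
# so tools that check EKU treat it as a code-signing certificate (needs OpenSSL >= 1.1.1).
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/private.key" -out "$WORK/test.crt" \
        -subj "/CN=Test Codesign/O=Test Codesign self sign" \
        -addext "extendedKeyUsage=codeSigning" >/dev/null 2>&1
    openssl pkcs12 -export -out "$WORK/test.pfx" \
        -inkey "$WORK/private.key" -in "$WORK/test.crt" \
        -passout "pass:$PFX_PASS" >/dev/null 2>&1
    echo "$WORK/test.pfx"
}

# The check from the pipeline's Sign Code stage: succeeds only when the .pfx opens
# with the given password, so a wrong Jenkins secret fails before any signing happens.
check_pfx() {
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Extract the certificate from the .pfx and confirm it carries the Code Signing EKU.
has_codesigning_eku() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -q "Code Signing"
}

# Confirm the certificate is still within its validity period before signing with it.
cert_not_expired() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

PFX="$(make_test_pfx)"
check_pfx "$PFX" "$PFX_PASS" && echo "pfx opens with the correct password"
check_pfx "$PFX" "wrong-password" || echo "pfx rejected with a wrong password (expected)"
has_codesigning_eku "$PFX" "$PFX_PASS" && echo "certificate has the Code Signing EKU"
cert_not_expired "$PFX" "$PFX_PASS" && echo "certificate is within its validity period"
```

The same check_pfx logic is what the pipeline's withCredentials block runs against $CERT_FILE and $CERT_PASSWORD; the EKU and expiry functions are extra checks worth adding to that stage.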
Windows
First confirm that the certificate store on the Windows machine is working: open PowerShell, cd into the Microsoft certificate store location (my directory structure is used below), and run a basic certificate command.


    New-SelfSignedCertificate -DnsName "Yashvi_UATJenkins" -CertStoreLocation Cert:\CurrentUser\My

Now I have created a PowerShell script in the directory C:\Users\directory1\ADrive\Desktop\pfx_cert. It prompts for a password; after entering it I note and save the password, and in parallel the .pfx is exported to the desired location.

When we use Self-Signed Certificates

& when we

If you're using AWS, you can explore services like AWS Certificate Manager (ACM) or AWS Code Signer (mainly for code signing), or purchase a certificate from a trusted CA such as DigiCert, Sectigo, or GlobalSign.
