### Install KSP and Configuration with PowerShell Wait Source: https://docs.signpath.io/crypto-providers/windows Installs the KSP and configuration components, waiting for completion in PowerShell and checking for errors. ```powershell msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log ADDLOCAL=KSP,SignPathConfigAndEnv | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } ``` -------------------------------- ### Install Notation Plugin on Linux Source: https://docs.signpath.io/crypto-providers/notation Installs the SignPath notation plugin on Linux by downloading, extracting, and registering the binary. Cleans up temporary files afterward. ```bash # download and extract the plugin binary curl -s https://download.signpath.io/cryptoproviders/notation-plugin/6-latest/linux/x64/notation-signpath.tar.gz \ | tar -C /tmp -xzf - notation-signpath # install the plugin notation plugin install --file /tmp/notation-signpath # clean up rm /tmp/notation-signpath ``` -------------------------------- ### Install Notation Plugin on Windows Source: https://docs.signpath.io/crypto-providers/notation Installs the SignPath notation plugin on Windows by downloading, extracting, and registering the executable. Cleans up temporary files afterward. ```powershell # download an extract the plugin binary Invoke-WebRequest "https://download.signpath.io/cryptoproviders/notation-plugin/6-latest/windows/x64/notation-signpath.zip" ` -OutFile "${env:TEMP}\notation-signpath.zip" Expand-Archive -DestinationPath "${env:TEMP}\notation-signpath" "${env:TEMP}\notation-signpath.zip" # install the plugin notation plugin install --file "${env:TEMP}\notation-signpath\notation-signpath.exe" # clean up Remove-Item -Recurse -Confirm:$false ${env:TEMP}\notation-signpath* ``` -------------------------------- ### Linux Sample Invocation Source: https://docs.signpath.io/crypto-providers/cryptoki Example of how to run a scenario script on Linux for jar signing. Ensure the OrganizationId and ApiToken are set. ```bash ./RunScenario.sh -Scenario JarSigner -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing" ``` -------------------------------- ### File Set Example Source: https://docs.signpath.io/artifact-configuration/syntax Demonstrates how to use a file set to apply the same signing operation to multiple files. This is an alternative to enumerating individual file entries. ```xml ``` ```xml ``` -------------------------------- ### Azure DevOps Artifact Configuration Example Source: https://docs.signpath.io/trusted-build-systems/azure-devops Defines the structure for files to be included in a zip archive for signing. ```xml ... the files you want to sign ``` -------------------------------- ### Run OpenSSL Scenario Source: https://docs.signpath.io/crypto-providers/cryptoki Example of running an OpenSSL scenario using a script. Ensure OrganizationId and ApiToken are set. ```bash ./RunScenario.sh -Scenario OpenSSL -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing" -OpenSslDgst ``` -------------------------------- ### Signing a PE File Source: https://docs.signpath.io/artifact-configuration/syntax Example of signing a Portable Executable (PE) file using the directive. ```xml ``` -------------------------------- ### Authenticode Signing with SHA1 and SHA256 Source: https://docs.signpath.io/artifact-configuration/reference This example demonstrates signing a file first with the SHA1 algorithm and then again with the default SHA-256 algorithm, appending the new signature. It explicitly specifies the hash algorithms for clarity. ```xml ``` -------------------------------- ### Enable CryptoTokenKit Extension Source: https://docs.signpath.io/crypto-providers/macos Start the SignPathCryptoTokenKit.app with optional parameters to load certificates into the macOS keychain. Ensure the API token is set as an environment variable. ```bash export SIGNPATH_API_TOKEN=... open SignPathCryptoTokenKit.app --args \ --project-slug MyProject \ --signing-policy-slug release-signing \ --organization-id 0241f767-69c8-448d-ad5e-8bd453916068 ``` -------------------------------- ### Unattended Installation with PowerShell Wait Source: https://docs.signpath.io/crypto-providers/windows Ensures msiexec completes before proceeding in a PowerShell session, useful for build scripts. ```powershell msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" } ``` -------------------------------- ### Verifying and Signing Nested Files in MSI Source: https://docs.signpath.io/artifact-configuration/syntax An example demonstrating verification of an already signed third-party DLL and signing of the main application executable within an MSI package, followed by signing the MSI itself. ```xml ``` -------------------------------- ### Sign Maven Artifact Source: https://docs.signpath.io/crypto-providers/gpg Illustrates signing Maven artifacts during the installation process. This requires the Maven GPG plugin to be configured. ```bash #!/bin/bash # Assumes Maven and the GPG plugin are configured, and GPG_KEY_ID is set. # Navigate to your Maven project directory # cd /path/to/your/maven/project # Install the Maven project, which will trigger signing mvn install -Dgpg.keyid="$GPG_KEY_ID" echo "Maven artifacts have been installed and signed." ``` -------------------------------- ### Signing PE File with Wildcard Path Source: https://docs.signpath.io/artifact-configuration/syntax Example of specifying a PE file using a wildcard in the 'path' attribute, allowing for versioned filenames. ```xml ``` -------------------------------- ### Sign Package with productsign Source: https://docs.signpath.io/crypto-providers/macos Use the productsign command-line tool to sign an installer package. The --sign parameter requires a descriptor of the code signing identity provided by the SignPath CryptoTokenKit. ```bash productsign --timestamp --sign "XX6NBJ3UUF" MyInstaller.pkg MyInstaller-signed.pkg ``` -------------------------------- ### DSSE Signing of SLSA Verification Summary Attestations Source: https://docs.signpath.io/artifact-configuration/reference This example demonstrates how to create a DSSE signature file for SLSA Verification Summary Attestations. The output file will contain both the original file and the enveloped signature. ```xml ``` -------------------------------- ### Unattended KSP Installation Source: https://docs.signpath.io/crypto-providers/windows Install the Windows CNG KSP provider silently using msiexec for automated deployments. ```powershell msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log ``` -------------------------------- ### Install SignPath PowerShell Module Source: https://docs.signpath.io/powershell Installs the SignPath module from the PowerShell Gallery. It is recommended to specify version ranges in automated scenarios to ensure compatibility. ```powershell Install-Module -Name SignPath ``` -------------------------------- ### Deep-sign MSI Installer Source: https://docs.signpath.io/artifact-configuration/examples This configuration signs nested PE files within an MSI installer, then re-packages and signs the MSI itself. It also allows for restricting the MSI file name. ```xml ``` -------------------------------- ### Initialize GPG Signing with SignPath Source: https://docs.signpath.io/crypto-providers/gpg Initializes GPG for hash signing using a helper function. It configures the SignPath Crypto Provider, sets up GnuPG's home directory, fetches the private key, and imports the GPG public key. ```bash #!/bin/bash # This script is a conceptual example and requires the actual helper function implementation. # Assumes InitializeSignPathCryptoProviderGpgSigning is available in the environment. # Set your GPG key ID, project slug, and signing policy slug GPG_KEY_ID="YOUR_GPG_KEY_ID" SIGNPATH_PROJECT_SLUG="your-project-slug" SIGNPATH_SIGNING_POLICY_SLUG="your-signing-policy-slug" # Call the helper function to initialize GPG signing InitializeSignPathCryptoProviderGpgSigning \ "$GPG_KEY_ID" \ "$SIGNPATH_PROJECT_SLUG" \ "$SIGNPATH_SIGNING_POLICY_SLUG" # Verify the GPG key ID is set echo "GPG Key ID: $GPG_KEY_ID" ``` -------------------------------- ### Jarsigner Sample for Signing a JAR Source: https://docs.signpath.io/crypto-providers/cryptoki A concrete example of signing a JAR file named 'myapp.jar' using jarsigner with specific SignPath Cryptoki parameters. This includes setting the keystore to NONE, specifying the PKCS11 provider, and defining the signature algorithm. ```bash jarsigner -keystore NONE -storetype PKCS11 -providerClass "sun.security.pkcs11.SunPKCS11" -providerArg pkcs11.config -sigalg "SHA256withRSA" -storepass "CONFIG" myapp.jar "$ProjectSlug/$SigningPolicySlug" ``` -------------------------------- ### Retrieve Signing Policy Details Source: https://docs.signpath.io/crypto-providers/rest-api This example shows the JSON response when retrieving details about a signing policy, including its slug, project slug, key size, RSA parameters, certificate, and key type. ```json { "signingPolicies": [ { "signingPolicySlug": "test-signing", "projectSlug": "hash-signing-test", "keySizeInBits": 2048, "rsaParameters": { "publicExponent": "AQAB", "modulus": "2e4JTm..." }, "signingPolicyId": "eacd4b78-6038-4450-9eec-4acd1c7ba6f1", "certificateBytes": "MIIC5zCC...", "keyType": "Rsa", "publicKeyBytes": "MIIBCgKC..." } ] } ``` -------------------------------- ### Webhook Authentication Header Example Source: https://docs.signpath.io/build-system-integration When configuring webhooks, ensure you include the 'Authentication' header with the correct method, such as 'Bearer', followed by your token. ```text Bearer JEAG1OrTXZ/t4URp5URt40DLBlA3WtcJmbwfeosyBkTABr6r ``` -------------------------------- ### Sample SignPath Crypto Providers Configuration Source: https://docs.signpath.io/crypto-providers/index This JSON snippet shows a sample configuration file for SignPath Crypto Providers. It includes settings for the API URL, organization ID, API token, and logging levels for both console and file output. Ensure sensitive values like OrganizationId and ApiToken are properly handled. ```json { "ApiUrl": "https://app.signpath.io/Api", "OrganizationId": "$OrganizationId", "ApiToken": "$ApiToken", "Log": { "Console": { "Level": "warning" }, "File": { "Level": "info", "Directory": "C:\\SignPath\\Logs" } } } ``` -------------------------------- ### Test API Health Check Source: https://docs.signpath.io/crypto-providers/cryptoki Use this command to test connectivity to the SignPath API and verify that the 'openssl' and 'ca-certificates' packages are correctly installed and configured. ```bash curl https://app.signpath.io/Api/healthz ``` -------------------------------- ### Signing PE File with User-Defined Parameter Source: https://docs.signpath.io/artifact-configuration/syntax Demonstrates using a user-defined parameter `${version}` within the 'path' attribute to specify a PE file, allowing for dynamic versioning. ```xml ``` -------------------------------- ### Webhook Notification Payload Example Source: https://docs.signpath.io/build-system-integration This JSON payload is posted by SignPath to your specified URL for each completed signing request. It contains essential details about the request. ```json { "OrganizationId": "094f5736-6b8c-4ca7-9514-0933c8b928e2", "SigningRequestId": "b4596ce6-1b8d-4527-9cce-16b3e174fb3d", "Status": "Completed" } ``` -------------------------------- ### Run pkcs11-tool Scenario Script Source: https://docs.signpath.io/crypto-providers/cryptoki This script executes the pkcs11-tool scenario, useful for testing PKCS #11 module interactions. It requires organization and API tokens, along with project and signing policy slugs. ```bash ./RunScenario.sh -Scenario Pkcs11Tool -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing" ``` -------------------------------- ### Signing PE Files Using Wildcards Source: https://docs.signpath.io/artifact-configuration/syntax Example of using wildcards in the 'path' attribute to sign multiple PE files within a zip archive. 'max-matches="unbounded"' allows any number of matches. ```xml ```