### Install KSP and Configuration with PowerShell Wait
Source: https://docs.signpath.io/crypto-providers/windows
Installs the KSP and configuration components, waiting for completion in PowerShell and checking for errors.
```powershell
msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log ADDLOCAL=KSP,SignPathConfigAndEnv | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" }
```
--------------------------------
### Install Notation Plugin on Linux
Source: https://docs.signpath.io/crypto-providers/notation
Installs the SignPath notation plugin on Linux by downloading, extracting, and registering the binary. Cleans up temporary files afterward.
```bash
# download and extract the plugin binary
curl -s https://download.signpath.io/cryptoproviders/notation-plugin/6-latest/linux/x64/notation-signpath.tar.gz \
| tar -C /tmp -xzf - notation-signpath
# install the plugin
notation plugin install --file /tmp/notation-signpath
# clean up
rm /tmp/notation-signpath
```
--------------------------------
### Install Notation Plugin on Windows
Source: https://docs.signpath.io/crypto-providers/notation
Installs the SignPath notation plugin on Windows by downloading, extracting, and registering the executable. Cleans up temporary files afterward.
```powershell
# download an extract the plugin binary
Invoke-WebRequest "https://download.signpath.io/cryptoproviders/notation-plugin/6-latest/windows/x64/notation-signpath.zip" `
-OutFile "${env:TEMP}\notation-signpath.zip"
Expand-Archive -DestinationPath "${env:TEMP}\notation-signpath" "${env:TEMP}\notation-signpath.zip"
# install the plugin
notation plugin install --file "${env:TEMP}\notation-signpath\notation-signpath.exe"
# clean up
Remove-Item -Recurse -Confirm:$false ${env:TEMP}\notation-signpath*
```
--------------------------------
### Linux Sample Invocation
Source: https://docs.signpath.io/crypto-providers/cryptoki
Example of how to run a scenario script on Linux for jar signing. Ensure the OrganizationId and ApiToken are set.
```bash
./RunScenario.sh -Scenario JarSigner -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing"
```
--------------------------------
### File Set Example
Source: https://docs.signpath.io/artifact-configuration/syntax
Demonstrates how to use a file set to apply the same signing operation to multiple files. This is an alternative to enumerating individual file entries.
```xml
```
```xml
```
--------------------------------
### Azure DevOps Artifact Configuration Example
Source: https://docs.signpath.io/trusted-build-systems/azure-devops
Defines the structure for files to be included in a zip archive for signing.
```xml
... the files you want to sign
```
--------------------------------
### Run OpenSSL Scenario
Source: https://docs.signpath.io/crypto-providers/cryptoki
Example of running an OpenSSL scenario using a script. Ensure OrganizationId and ApiToken are set.
```bash
./RunScenario.sh -Scenario OpenSSL -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing" -OpenSslDgst
```
--------------------------------
### Signing a PE File
Source: https://docs.signpath.io/artifact-configuration/syntax
Example of signing a Portable Executable (PE) file using the directive.
```xml
```
--------------------------------
### Authenticode Signing with SHA1 and SHA256
Source: https://docs.signpath.io/artifact-configuration/reference
This example demonstrates signing a file first with the SHA1 algorithm and then again with the default SHA-256 algorithm, appending the new signature. It explicitly specifies the hash algorithms for clarity.
```xml
```
--------------------------------
### Enable CryptoTokenKit Extension
Source: https://docs.signpath.io/crypto-providers/macos
Start the SignPathCryptoTokenKit.app with optional parameters to load certificates into the macOS keychain. Ensure the API token is set as an environment variable.
```bash
export SIGNPATH_API_TOKEN=...
open SignPathCryptoTokenKit.app --args \
--project-slug MyProject \
--signing-policy-slug release-signing \
--organization-id 0241f767-69c8-448d-ad5e-8bd453916068
```
--------------------------------
### Unattended Installation with PowerShell Wait
Source: https://docs.signpath.io/crypto-providers/windows
Ensures msiexec completes before proceeding in a PowerShell session, useful for build scripts.
```powershell
msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log | Out-Host; if ($LASTEXITCODE -ne 0) { throw "msiexec exited with $LASTEXITCODE" }
```
--------------------------------
### Verifying and Signing Nested Files in MSI
Source: https://docs.signpath.io/artifact-configuration/syntax
An example demonstrating verification of an already signed third-party DLL and signing of the main application executable within an MSI package, followed by signing the MSI itself.
```xml
```
--------------------------------
### Sign Maven Artifact
Source: https://docs.signpath.io/crypto-providers/gpg
Illustrates signing Maven artifacts during the installation process. This requires the Maven GPG plugin to be configured.
```bash
#!/bin/bash
# Assumes Maven and the GPG plugin are configured, and GPG_KEY_ID is set.
# Navigate to your Maven project directory
# cd /path/to/your/maven/project
# Install the Maven project, which will trigger signing
mvn install -Dgpg.keyid="$GPG_KEY_ID"
echo "Maven artifacts have been installed and signed."
```
--------------------------------
### Signing PE File with Wildcard Path
Source: https://docs.signpath.io/artifact-configuration/syntax
Example of specifying a PE file using a wildcard in the 'path' attribute, allowing for versioned filenames.
```xml
```
--------------------------------
### Sign Package with productsign
Source: https://docs.signpath.io/crypto-providers/macos
Use the productsign command-line tool to sign an installer package. The --sign parameter requires a descriptor of the code signing identity provided by the SignPath CryptoTokenKit.
```bash
productsign --timestamp --sign "XX6NBJ3UUF" MyInstaller.pkg MyInstaller-signed.pkg
```
--------------------------------
### DSSE Signing of SLSA Verification Summary Attestations
Source: https://docs.signpath.io/artifact-configuration/reference
This example demonstrates how to create a DSSE signature file for SLSA Verification Summary Attestations. The output file will contain both the original file and the enveloped signature.
```xml
```
--------------------------------
### Unattended KSP Installation
Source: https://docs.signpath.io/crypto-providers/windows
Install the Windows CNG KSP provider silently using msiexec for automated deployments.
```powershell
msiexec /i SignPath.Windows.KSP.msi /qn /L* install.log
```
--------------------------------
### Install SignPath PowerShell Module
Source: https://docs.signpath.io/powershell
Installs the SignPath module from the PowerShell Gallery. It is recommended to specify version ranges in automated scenarios to ensure compatibility.
```powershell
Install-Module -Name SignPath
```
--------------------------------
### Deep-sign MSI Installer
Source: https://docs.signpath.io/artifact-configuration/examples
This configuration signs nested PE files within an MSI installer, then re-packages and signs the MSI itself. It also allows for restricting the MSI file name.
```xml
```
--------------------------------
### Initialize GPG Signing with SignPath
Source: https://docs.signpath.io/crypto-providers/gpg
Initializes GPG for hash signing using a helper function. It configures the SignPath Crypto Provider, sets up GnuPG's home directory, fetches the private key, and imports the GPG public key.
```bash
#!/bin/bash
# This script is a conceptual example and requires the actual helper function implementation.
# Assumes InitializeSignPathCryptoProviderGpgSigning is available in the environment.
# Set your GPG key ID, project slug, and signing policy slug
GPG_KEY_ID="YOUR_GPG_KEY_ID"
SIGNPATH_PROJECT_SLUG="your-project-slug"
SIGNPATH_SIGNING_POLICY_SLUG="your-signing-policy-slug"
# Call the helper function to initialize GPG signing
InitializeSignPathCryptoProviderGpgSigning \
"$GPG_KEY_ID" \
"$SIGNPATH_PROJECT_SLUG" \
"$SIGNPATH_SIGNING_POLICY_SLUG"
# Verify the GPG key ID is set
echo "GPG Key ID: $GPG_KEY_ID"
```
--------------------------------
### Jarsigner Sample for Signing a JAR
Source: https://docs.signpath.io/crypto-providers/cryptoki
A concrete example of signing a JAR file named 'myapp.jar' using jarsigner with specific SignPath Cryptoki parameters. This includes setting the keystore to NONE, specifying the PKCS11 provider, and defining the signature algorithm.
```bash
jarsigner -keystore NONE -storetype PKCS11 -providerClass "sun.security.pkcs11.SunPKCS11" -providerArg pkcs11.config -sigalg "SHA256withRSA" -storepass "CONFIG" myapp.jar "$ProjectSlug/$SigningPolicySlug"
```
--------------------------------
### Retrieve Signing Policy Details
Source: https://docs.signpath.io/crypto-providers/rest-api
This example shows the JSON response when retrieving details about a signing policy, including its slug, project slug, key size, RSA parameters, certificate, and key type.
```json
{
"signingPolicies": [
{
"signingPolicySlug": "test-signing",
"projectSlug": "hash-signing-test",
"keySizeInBits": 2048,
"rsaParameters": {
"publicExponent": "AQAB",
"modulus": "2e4JTm..."
},
"signingPolicyId": "eacd4b78-6038-4450-9eec-4acd1c7ba6f1",
"certificateBytes": "MIIC5zCC...",
"keyType": "Rsa",
"publicKeyBytes": "MIIBCgKC..."
}
]
}
```
--------------------------------
### Webhook Authentication Header Example
Source: https://docs.signpath.io/build-system-integration
When configuring webhooks, ensure you include the 'Authentication' header with the correct method, such as 'Bearer', followed by your token.
```text
Bearer JEAG1OrTXZ/t4URp5URt40DLBlA3WtcJmbwfeosyBkTABr6r
```
--------------------------------
### Sample SignPath Crypto Providers Configuration
Source: https://docs.signpath.io/crypto-providers/index
This JSON snippet shows a sample configuration file for SignPath Crypto Providers. It includes settings for the API URL, organization ID, API token, and logging levels for both console and file output. Ensure sensitive values like OrganizationId and ApiToken are properly handled.
```json
{
"ApiUrl": "https://app.signpath.io/Api",
"OrganizationId": "$OrganizationId",
"ApiToken": "$ApiToken",
"Log": {
"Console": {
"Level": "warning"
},
"File": {
"Level": "info",
"Directory": "C:\\SignPath\\Logs"
}
}
}
```
--------------------------------
### Test API Health Check
Source: https://docs.signpath.io/crypto-providers/cryptoki
Use this command to test connectivity to the SignPath API and verify that the 'openssl' and 'ca-certificates' packages are correctly installed and configured.
```bash
curl https://app.signpath.io/Api/healthz
```
--------------------------------
### Signing PE File with User-Defined Parameter
Source: https://docs.signpath.io/artifact-configuration/syntax
Demonstrates using a user-defined parameter `${version}` within the 'path' attribute to specify a PE file, allowing for dynamic versioning.
```xml
```
--------------------------------
### Webhook Notification Payload Example
Source: https://docs.signpath.io/build-system-integration
This JSON payload is posted by SignPath to your specified URL for each completed signing request. It contains essential details about the request.
```json
{
"OrganizationId": "094f5736-6b8c-4ca7-9514-0933c8b928e2",
"SigningRequestId": "b4596ce6-1b8d-4527-9cce-16b3e174fb3d",
"Status": "Completed"
}
```
--------------------------------
### Run pkcs11-tool Scenario Script
Source: https://docs.signpath.io/crypto-providers/cryptoki
This script executes the pkcs11-tool scenario, useful for testing PKCS #11 module interactions. It requires organization and API tokens, along with project and signing policy slugs.
```bash
./RunScenario.sh -Scenario Pkcs11Tool -OrganizationId "$OrganizationId" -ApiToken "$ApiToken" -ProjectSlug "hash-signing" -SigningPolicySlug "test-signing"
```
--------------------------------
### Signing PE Files Using Wildcards
Source: https://docs.signpath.io/artifact-configuration/syntax
Example of using wildcards in the 'path' attribute to sign multiple PE files within a zip archive. 'max-matches="unbounded"' allows any number of matches.
```xml
```