SignPath

Documentation  ❯  Trusted Build Systems   ❯   Azure DevOps

Prerequisites

  • On SignPath.io: Use the predefined Trusted Build System Azure DevOps (dev.azure.com).
  • Create an artifact configuration with the following format:
      <?xml version="1.0" encoding="utf-8" ?>
      <artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
        <zip-file>
          <directory path="*">
            ... the files you want to sign
          </directory>
        </zip-file>
      </artifact-configuration>
    

    See Artifact Configurations for more details.

    Root folder in artifact configuration

    Azure DevOps allows to publish whole directories as artifacts. When downloading the artifacts, they provide a zip archive including a folder with the name of artifact as specified in the pipeline definition. The artifact configuration needs to map this format.

  • In your Azure DevOps organization, install the SignPath Azure DevOps Extension
  • In the Azure DevOps project settings, create a Service Connection of type SignPath
  • Use the provided task in your build pipelines to sign the artifact

Azure DevOps Server

SignPath hosts an instance of the Azure DevOps connector which is linked to dev.azure.com For integrating self-hosted Azure DevOps Server instances, contact our support team.

Checks performed by SignPath

The Azure DevOps connector performs the following checks:

  • A build was actually performed by an Azure DevOps pipeline, not by some other entity in possession of the API token
  • Origin metadata is provided by Azure DevOps, not the build script, and can therefore not be forged
  • The artifact is stored on the Azure DevOps server before it is submitted for signing

Usage

The SignPath extension provides a SubmitSigningRequest task that can be integrated into a Azure DevOps pipeline definition:

steps:

# required for the artifact to be available on the Azure DevOps server
- task: PublishBuildArtifacts@1
  inputs:
    PathtoPublish: '$(Build.SourcesDirectory)/your-artifact'
    ArtifactName: 'unsigned-artifact'

- task: SubmitSigningRequest@1
  inputs:
    serviceConnectionName: 'my-signpath-service-connection'
    projectSlug: '<SignPath project slug>'
    artifactConfigurationSlug: 'azure-devops'
    signingPolicySlug: '<SignPath signing policy slug>'
    parameters: |
      version: ${{ convertToJson(parameters.someUserInput) }}
      myparam: "another param"
    azureDevOpsArtifactName: 'unsigned-artifact'
    waitForCompletion: true
    outputArtifactDirectory: '$(Build.SourcesDirectory)/signed'

Task inputs

Parameter Default Value Description
serviceConnectionName (mandatory) The name of the service connection used for authentication.
projectSlug (mandatory) The SignPath project slug.
signingPolicySlug (mandatory) The SignPath signing policy slug.
artifactConfigurationSlug   The SignPath artifact configuration slug. If not specified, the default is used.
azureDevOpsArtifactName (mandatory) The name of the Azure DevOps artifact. Must be uploaded using the PublishBuildArtifact task before it can be signed.
waitForCompletion (mandatory) If true, the action will wait for the signing request to complete. Defaults to true.
outputArtifactDirectory   Path to where the signed artifact will be extracted. If not specified, the task will not download the signed artifact from SignPath.
waitForCompletionTimeoutInSeconds 600 Maximum time in seconds that the action will wait for the signing request to complete.
serviceUnavailableTimeoutInSeconds 600 Total time in seconds that the action will wait for a single service call to succeed (across several retries).
downloadSignedArtifactTimeoutInSeconds 300 HTTP timeout when downloading the signed artifact. Defaults to 5 minutes.
parameters   Multiline-string of values that map to user-defined parameters in the Artifact Configuration. Use one line per parameter with the format <name>: "<value>" where <value> needs to be a valid JSON string.

Action output variables

The action supports the following output parameters:

  • SigningRequestId: The id of the newly created signing request. Available to subsequent tasks as an environment variable <TASKNAME>_SIGNINGREQUESTID.
  • SigningRequestWebUrl: The url of the signing request in SignPath. Available to subsequent tasks as an environment variable <TASKNAME>_SIGNINGREQUESTWEBURL.
  • SignPathApiUrl: The base API url of the SignPath API. Available to subsequent tasks as an environment variable <TASKNAME>_SIGNPATHAPIURL.
  • SignedArtifactDownloadUrl: The url of the signed artifact in SignPath. Available to subsequent tasks as an environment variable <TASKNAME>_SIGNEDARTIFACTDOWNLOADURL.

Sign up for news and special offers