With SignPath.io, code signing can be integrated into your existing continuous deployment pipeline in just a few steps. You don't need to connect USB tokens to build servers, handle password prompts or secure private keys yourself: signing simply becomes one more step in your process, even for nested artifacts. Thanks to a clear separation of concerns, DevOps engineers can focus on the build and deployment process and leave the security concerns to their InfoSec colleagues.
SignPath.io is built with DevOps in mind. Adding a code signing step to your build process takes only a few lines: include the PowerShell module, call the REST API directly, or use one of the build system integrations. The uploaded artifact is extracted, and all files selected by the project configuration are signed recursively. SignPath can be called synchronously or asynchronously, which suits different use cases. In the synchronous case, the build job waits until the uploaded artifact has been signed and continues with the following steps right away. In the asynchronous case, the signing request first has to be approved; a second pipeline is then started, for example to deploy the signed artifact. Deeper integration including origin verification is supported with AppVeyor. Other CI systems, such as Jenkins, Travis, TeamCity or CircleCI, can be integrated through the dedicated integrations shown below or with a generic REST call via PowerShell or cURL.

PowerShell (SignPath module):

# Requires the SignPath module from the PowerShell Gallery: Install-Module -Name SignPath
# The organization ID and API token come from the CI secret store, never from the repository.
Submit-SigningRequest `
  -OrganizationId $SIGNPATH_ORGANIZATION_ID `
  -ApiToken $SIGNPATH_API_TOKEN `
  -ProjectSlug my_software `
  -SigningPolicySlug release-signing `
  -InputArtifactPath build/my-release.msi `
  -OutputArtifactPath build-signed/my-release.msi `
  -WaitForCompletion

cURL (generic REST call):

# Submit the signing request. The Location header of the response identifies the new
# signing request; --verbose prints response headers to stderr, so stderr has to be
# redirected into the captured output or the grep below finds nothing.
result=$(curl "https://app.signpath.io/api/v1/${SIGNPATH_ORGANIZATION_ID}/SigningRequests" \
  -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}" \
  -F "ProjectSlug=my_software" \
  -F "SigningPolicySlug=release-signing" \
  -F "Artifact=@./build/my-release.msi" \
  --retry 20 --retry-delay 30 --silent --verbose 2>&1)
# Extract the signing request URL from the Location header (strip the trailing CR).
url=$( echo "$result" | grep -i '^< Location: ' | grep -io 'https://.*' | tr -d '\r' )
# Download the signed artifact. --fail makes a non-success HTTP status abort the step
# instead of silently writing an error response into the .msi file.
curl "$url/SignedArtifact" --output "build-signed/my-release.msi" --silent --fail \
  --retry 20 --retry-delay 30 \
  -H "Authorization: Bearer ${SIGNPATH_API_TOKEN}"

Jenkins pipeline step (SignPath Jenkins plugin):

// The CI user token is referenced by its Jenkins credential ID, not passed as plain text.
submitSigningRequest(
  organizationId: "${params.SIGNPATH_ORGANIZATION_ID}",
  ciUserTokenCredentialId: "${params.SIGNPATH_CI_USER_CREDENTIAL_ID}",
  projectSlug: "my_software",
  signingPolicySlug: "release-signing",
  inputArtifactPath: "build/my-release.msi",
  outputArtifactPath: "build-signed/my-release.msi",
  waitForCompletion: true
)

GitHub Actions:

# The unsigned artifact was uploaded by an earlier step with id "upload-unsigned-artifact";
# its artifact ID is passed to the action instead of a local path.
- uses: signpath/github-action-submit-signing-request@v0.4
  with:
    api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
    organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
    project-slug: 'my_software'
    signing-policy-slug: 'release-signing'
    github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'
    output-artifact-directory: './build-signed'
    wait-for-completion: 'true'

AppVeyor (appveyor.yml deploy provider):

deploy:
  - provider: Webhook
    url: https://app.signpath.io/API/v1/$(SIGNPATH_ORGANIZATION_ID)/Integrations/AppVeyor?ProjectSlug=my_software&SigningPolicySlug=release-signing
    authorization:
      # Encrypted with AppVeyor's "Encrypt YAML" tool; the value below is a placeholder, not a real token.
      secure: VGhpcyBpcyBub3QgdGhlIHNlY3JldCB0b2tlbiB5b3UgYXJlIGxvb2tpbmcgZm9yLi4uIC0gU2lnblBhdGguaW8=

Azure DevOps (pipeline task):

# $(SIGNPATH_API_TOKEN) must be defined as a secret pipeline variable.
- task: SignPathSubmitSigningRequest@2
  inputs:
    organizationId: '$(SIGNPATH_ORGANIZATION_ID)'
    ciUserToken: '$(SIGNPATH_API_TOKEN)'
    projectSlug: 'my_software'
    signingPolicySlug: 'release-signing'
    inputArtifactPath: './build/my-release.msi'
    outputArtifactPath: './build-signed/my-release.msi'
    waitForCompletion: 'sync'

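Whichever integration submits the request, the step that follows it in a synchronous pipeline should check what came back before anything is deployed. The script below is an added example and is not part of SignPath's module or documentation: it verifies the Authenticode signature on the downloaded artifact with the built-in Get-AuthenticodeSignature cmdlet and fails the build unless the signature is valid, was made by the expected publisher certificate and carries a timestamp countersignature. The subject name and thumbprint are placeholders (assumptions); take the real values from your own release certificate.

```powershell
# Added example (not SignPath's own code): verify the signed artifact before deploying it.
# Runs in Windows PowerShell or PowerShell 7 on Windows, where Get-AuthenticodeSignature
# understands PE files, MSI packages and PowerShell scripts.
param(
    [string] $SignedArtifact = 'build-signed/my-release.msi',
    # Placeholder values (assumptions): replace with your release certificate's subject and thumbprint.
    [string] $ExpectedSubject = 'CN=Example Software GmbH, O=Example Software GmbH, L=Vienna, C=AT',
    [string] $ExpectedThumbprint = '0000000000000000000000000000000000000000'
)

$ErrorActionPreference = 'Stop'

function Test-ReleaseSignature {
    param([string] $Path, [string] $Subject, [string] $Thumbprint)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Signed artifact not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the signature chains to a trusted root and the file hash matches.
    # Anything else (NotSigned, HashMismatch, UnknownError, ...) must fail the pipeline.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # Pin the signer: a valid signature from some other certificate is still a red flag.
    $cert = $sig.SignerCertificate
    if ($cert.Thumbprint -ne $Thumbprint) {
        throw "Unexpected signer thumbprint $($cert.Thumbprint) (expected $Thumbprint)"
    }
    if ($cert.Subject -ne $Subject) {
        throw "Unexpected signer subject '$($cert.Subject)'"
    }

    # Require a countersignature from a timestamp authority, so the signature
    # remains valid after the signing certificate itself expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "Signature on '$Path' is not timestamped"
    }

    # Return the facts worth recording in the release log.
    [pscustomobject]@{
        Path        = $Path
        Signer      = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        Timestamper = $sig.TimeStamperCertificate.Subject
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Fail the build with a non-zero exit code if any check does not pass.
try {
    $result = Test-ReleaseSignature -Path $SignedArtifact -Subject $ExpectedSubject -Thumbprint $ExpectedThumbprint
    $result | Format-List
}
catch {
    Write-Host "ERROR: $_" -ForegroundColor Red
    exit 1
}
```

Run it as a pipeline step right after the signing step, for example `pwsh ./Test-ReleaseSignature.ps1 -SignedArtifact build-signed/my-release.msi`. Pinning the thumbprint rather than only the subject name matters because a certificate with the same subject can be issued to another party; the SHA256 hash of the signed file is recorded so the released binary can later be matched against the build that produced it.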
For selected CI systems, SignPath can provide even more transparency by verifying that each signed artifact stems from a specific code repository, branch and source code commit. By integrating the origin information in the signature, each signed artifact can be traced back to the source code it was built from.
Security-critical tasks such as code signing often include manual approval steps in order to increase security and prevent malicious code from being deployed into a production system. SignPath.io allows you to configure multiple security restrictions, including manual approvals. All details necessary to validate the artifact, such as its origin, its SHA256 hash and its contents, are readily available in the web application.
How secure are your private keys? Who has access to them, and how is their usage regulated? Stolen or misused code signing certificates are a severe threat to ISPs and their customers. The only way to prevent breaches and reduce the risk of successful attacks is to protect your private keys and to establish a secure, transparent process.
A stolen code signing certificate puts not only your organization at risk, but also all your customers. ISPs are increasingly being targeted with the sole purpose of attacking one or several of their customers. IT organizations are reacting and demand that their suppliers not only sign their code, but also establish secure code signing processes.
Define clear policies on how code signing certificates may be used, and give your development teams the freedom to implement them in their processes. SignPath provides a clear separation of duties: security teams stay on top of private key access and policy enforcement, while development teams can focus on delivering software.
SignPath allows you to lock down the code signing process and define multiple gates to ensure that only malware-free, approved software from trusted build systems is signed. Every use of your private key is logged, making it possible to trace any misuse.
SignPath provides a FIPS-certified Hardware Security Module (HSM) to generate and store the private keys for your certificates. The HSM is located in a physically secured data center, and every signing operation takes place on the HSM, so the private key is never exposed. SignPath's key infrastructure fulfills all requirements for Extended Validation (EV) certificates without having to deal with USB tokens or spending money on dedicated hardware.
For customers who prefer direct control over their key material, SignPath offers dedicated Thales DPoD Cloud HSM instances. Use this option for local key backups, key import and export, and to guarantee key availability independently of your SignPath subscription. (Export and backup options require cloning domains or key wrapping.)
Open source software has become one of the pillars upon which modern software development builds. Without the thousands of high-quality open source libraries and tools, developed and maintained by contributors from all around the world, many of today's popular services and applications would be unthinkable. Thanks to this enormous success, open source projects enjoy free resources for hosting, building and deploying their content.
When it comes to code signing, community-driven projects still face a number of burdens: as they constitute no legal entity, certificate authorities (CAs) refuse to grant a code signing certificate to open source projects (only to individual contributors), and code signing services are not yet provided for free either. This is where the SignPath Foundation comes into play. Under the umbrella of the SignPath Foundation, open source projects can apply for a free code signing certificate. In order to use the free certificate, the build process has to be fully automated and integrated with SignPath.io, to ensure that the resulting binary is produced directly from the source code checked into the repository.
One of the many advantages of open source software is the transparency it provides with respect to which code is executed on your system. However, for compiled programs, this only holds true if the build process is also transparent and reproducible. SignPath tightly integrates with online build systems to ensure that the library or program that is code signed was built only from code checked into the repository.
Git Extensions is a graphical user interface for Git that allows you to control Git without using the command line.
Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
A logger for MSBuild that records a structured representation of executed targets, tasks, property and item values.
+