cloudbase/signsvc
Simple YubiKey Authenticode code-signing service

The purpose of this project is to perform remote code-signing on a Linux host running Docker, with a USB YubiKey (or other device) holding the code-signing certificate attached to that host. Other hosts (e.g. Jenkins agent nodes) send a file to this service and receive the signed file in the response, so they never need physical access to the YubiKey.

Build the signsvc service

go build

Build the Docker container image

Create the .env file containing the variables for your setup. USERNAME and PASSWORD are the HTTP basic-auth credentials that clients must present when sending a request, PIN is the YubiKey PIN, CERT is the code-signing certificate and TS_URL is the timestamp server:

USERNAME=user
PASSWORD=secret
PIN="12345678"
CERT="certificate.cer"
TS_URL="http://timestamp.digicert.com"

Generate a self-signed TLS certificate for the HTTPS endpoint, or replace cert.pem and key.pem with a certificate and its private key issued by a CA (clients later pass cert.pem as the trusted CA when calling the service):

mkdir -p cert
openssl req -x509 -newkey rsa:4096 -keyout cert/key.pem \
-out cert/cert.pem -days 3650 -nodes

Build the Docker image:

docker build -t signsvc -f docker/Dockerfile .

Run the Docker container

docker run -d \
  --device /dev/bus/usb \
  --device /dev/usb \
  -p 9115:443 \
  --restart unless-stopped \
  --name signsvc signsvc

Send a signature request

The following curl command POSTs a binary file to the /sign endpoint with basic-auth credentials, trusting only the service's own certificate, and writes the signed file returned in the response to file_signed.msi. The --fail flag makes curl exit with an error instead of saving an HTML error page as the "signed" output when the service rejects the request.

curl -sSL -F [email protected] -u user:secret https://remote_addr:9115/sign \
-o file_signed.msi --cacert cert/cert.pem --fail
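The same request as a small Python client, added here as an example and not code from the signsvc project. It assumes the multipart upload field is named "file" (the README does not state the field name, so adjust it to match the service) and, like curl --cacert, trusts only the service's own cert/cert.pem; a non-2xx response raises, matching curl --fail.

```python
"""Client for the signsvc /sign endpoint (added example, not part of signsvc).
The form field name "file" is an assumption; the README does not state it."""
import base64
import ssl
import urllib.request
import uuid


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header curl -u user:secret would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_multipart(field: str, filename: str, data: bytes) -> tuple[str, bytes]:
    """Encode one file part the way curl -F field=@filename does."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def sign_file(url, data, filename, username, password, ca_cert,
              field="file", opener=None) -> bytes:
    """POST `data` to the service and return the signed bytes.
    `opener` is injectable so the request path can be exercised offline."""
    content_type, body = build_multipart(field, filename, data)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    req.add_header("Authorization", basic_auth_header(username, password))
    if opener is None:
        # Trust only the service's own certificate (curl --cacert), not the system store.
        ctx = ssl.create_default_context(cafile=ca_cert)
        opener = lambda r: urllib.request.urlopen(r, context=ctx)
    # urlopen raises HTTPError on 4xx/5xx, so an auth or signing failure never
    # gets written out as if it were a signed binary (curl --fail).
    with opener(req) as resp:
        signed = resp.read()
    if not signed:
        raise RuntimeError("signing service returned an empty body")
    return signed


if __name__ == "__main__":
    with open("file.msi", "rb") as f:  # constructed usage, adjust names to your setup
        out = sign_file("https://remote_addr:9115/sign", f.read(), "file.msi",
                        "user", "secret", "cert/cert.pem")
    with open("file_signed.msi", "wb") as f:
        f.write(out)
```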
