Code signing from multiple build machines against one dongle

[arctus]

Hi,

Sorry if my question sounds stupid :)
Our organization certificate expires soon and after 3 years I have found that there are quite some changes made to the process .. (lucky me)

I was wondering how are you guys solving the issue with multiple build machines against one dongle problem? I really don't want to host the key in cloud HSM (the procedure after June 1 is really complicated and pricey) and I would love to maintain same level of flexibility that we had before (where we have Linux/Mac and Windows machines able to sign files from same pfx).

So to make a long story short, is there a possibility to host kind'a a signing server in-house and use it with jsign or other tools? I would be really happy if you could refer me to any known solutions.

[ebourg]

That's an excellent question, and I'm about to face the same issue in the near future :) One solution is to use a PKCS#11 proxy that allows one to use a remote USB token. But it's insecure and it doesn't support concurrent accesses. If no simple and clean solution emerges by the time my certificate expires I'll probably write a simple signing server and integrate it into Jsign.

[JeffB1912]

Sooo, I am not really a programmer, but I do have a need for a REST API type of integration so multiple users can sign code against 1 central managed key. When Jsign is invoked what gets sent to the "simple signing server" I am somewhat comfortable setting up a flask app to host API calls and have done a little tinkering and got it to accept various things and work behind the scene with python, powershell, then return objects.
I might be able to put together a API like you mention that would be a simple one, but when jsign is invoked does it send the entire file to the API to be signed? I know many of the codesign services that are pay-for advertise that just the hash is sent when xyz signer tool is invoked to sign code, then the sign webapp returns a signed hash, and xyz signer tool embeds the signed hash in the code that was signed.
so was hoping for some ideas, and thoughts or direction if you could provide them. If I get a general direction I would be more then happy to share whatever I create.
Thank you in advance for any guidance!
Jeff

[ebourg]

I confirm that only the hash would have to be sent over the API. That's how the AWS/Azure/Google Cloud signing APIs work.

[JeffB1912]

OK I will try sending test data and try signing, need to see it matters how I sign, I dont think it matters as long as the certificate is valid and the EKU is for code signing. and ensure certificate chain works. I have a valid public domain that is trusted.

[JeffB1912]

I hate to pester, just curious I got flask app up and running that will accept anythign thst is sent to it so I can see how to handle the hash and any other data that maybe sent when jsign is invoked to send to a url.
question how do I invoke jsign to send to a custom url that I am using?
trying this:
java.exe -jar "...chocolatey\lib\jsign\tools\jsign.jar" -replace -a myALIAS -keystore http://MYIP/ -storetype JKS -keypass supersecret -storepass supersecret "setupexe"

error:

java.exe : jsign: Failed to load the keystore http:// 1.2.3.4
I tried various flags, but really I need to know how to send to custom url.
Thanks again so much!

[ebourg]

This won't work, the JKS store type is for private keys stored in a local file in the JKS format. A custom store type has to be implemented first.

[arctus]

I have been chatting with the technical support of several CAs and they see a means to promote their "cloud" signing option, however, what some of them offer is to host the same certificate in several dongles. That would mean we could buy one certificate and let's say 5 dongles for 5 machines which should not be super expensive. However, I really would like to have a simple solution rather than maintain USB forwarding between the metal, VM, and docker.

[ebourg]

Would a docker image hosting a simple REST server and having exclusive access to the USB token work for your use case? Or would you need something more refined, with a web GUI, fine-grained access control and audit trail log?

[arctus]

no need for gui, access control or audit trail log. Environment is closed without access to the internet and in a separate environment that only a handful of people can connect to.