Jenkins integration
This guide gives instructions for integrating Jenkins with the LAAVAT PKI and Signing Platform.
To use Jenkins, a cloud-native Service Principal needs to be added to Azure AD as a registered application. Registering the application yields a client ID and a client secret, which are used to retrieve an access token for the LAAVAT PKI and Signing Platform.
Since the LAAVAT PKI and Signing Platform uses AD group membership to grant access to specific operations (e.g., digest signing), an Azure-native group needs to be created and the cloud-native Service Principal added to that group. The Azure group IDs need to be present in the LAAVAT PKI and Signing Platform.
Integration environment
These integration instructions were tested with the following Jenkins and Jenkins plugin versions:
- Jenkins version 2.222.3
- Jenkins plugins:
  - HTTP Request Plugin 1.8.26
  - Pipeline Utility Steps 2.5.0
Common settings to enable communication with the LAAVAT PKI and Signing Platform
Service Principal client ID and client secret
Credentials need to be added to the Jenkins credential store before the LAAVAT PKI and Signing Platform can be accessed from a Jenkins pipeline.
In the Jenkins case the credentials are the Azure AD Application (client) ID and the client secret.
- Open the credentials view
- Click "Add credentials"
- Select "Username with password"
- Type the client ID as the username
- Type the client secret as the password
- Fill in an ID for this credential
- Optional: add a description of this credential
Jenkins pipeline examples
Jenkins pipeline to send digests for signing
This is an example setup showing how to submit digests for signing to the LAAVAT PKI and Signing Platform from a Jenkins pipeline.
- Parameters required for the pipeline

- The shell script below is the example in text form:
#!/bin/bash
set -euo pipefail
# Set up the Python client in a virtual environment
cd clients/python3
python3 -m venv venv
source venv/bin/activate
python -m pip install --upgrade pip
pip install -r requirements.txt
cd ../../python3
python setup.py install
cd ../clients/python3
chmod 755 *.py
# Client-credentials flow: the token endpoint takes a POST with form-encoded fields.
# CLIENTID and SECRET come from the Jenkins credential binding; the rest are pipeline parameters.
TOKEN=$(curl --silent --fail --request POST "https://login.microsoftonline.com/${addirectorytenantid}/oauth2/v2.0/token" \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode "client_id=${CLIENTID}" \
  --data-urlencode "client_secret=${SECRET}" \
  --data-urlencode "scope=${resourceAPI}/.default" | jq -r '.access_token')
# Stop early if no token came back instead of sending a request with an empty bearer token
[ -n "${TOKEN}" ] && [ "${TOKEN}" != "null" ] || { echo "Failed to obtain access token" >&2; exit 1; }
# Submit the digest for signing; the signed digest is written to signeddig.test
./signing-tool.py -c -t "${TOKEN}" -a "${DevBaseURL}" imagesigning add "${operationType}" -P "${productid}" --operid "${operid}" -p "${payload}" -O signeddig.test -H "${hashalgorithm}"
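A declarative Jenkinsfile that declares the parameters the script expects, binds the stored Service Principal credential and runs the script, as an added example that is not part of the LAAVAT documentation. It assumes the credential from the earlier section was saved with the ID laavat-sp and that the script above is committed as sign-digest.sh in the repository root.

```groovy
// Added example (not from the LAAVAT documentation). Assumed names:
// credential ID 'laavat-sp', script committed as sign-digest.sh.
pipeline {
    agent any
    parameters {
        string(name: 'addirectorytenantid', description: 'Azure AD tenant ID')
        string(name: 'resourceAPI', description: 'Application ID URI used as the token scope prefix')
        string(name: 'DevBaseURL', description: 'LAAVAT PKI and Signing Platform API base URL')
        string(name: 'operationType', description: 'Operation type for imagesigning add')
        string(name: 'productid', description: 'Product ID')
        string(name: 'operid', description: 'Operation ID')
        string(name: 'payload', description: 'Digest (payload) file to sign')
        string(name: 'hashalgorithm', description: 'Hash algorithm of the digest')
    }
    stages {
        stage('Sign digest') {
            steps {
                // Username/Password binding: client ID as the username, client
                // secret as the password. Both are masked in the console output
                // and exist as environment variables only inside this block.
                withCredentials([usernamePassword(credentialsId: 'laavat-sp',
                                                  usernameVariable: 'CLIENTID',
                                                  passwordVariable: 'SECRET')]) {
                    // Single-quoted Groovy string: ${...} is expanded by the
                    // shell from the environment, not by Groovy, so the secret
                    // is never baked into the generated shell script text.
                    // Build parameters are exported to the shell as env vars.
                    sh '''
                        chmod 755 sign-digest.sh
                        ./sign-digest.sh
                    '''
                }
            }
        }
        stage('Archive signed digest') {
            steps {
                // The script writes the result next to the Python client
                archiveArtifacts artifacts: 'clients/python3/signeddig.test', fingerprint: true
            }
        }
    }
}
```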