Using Fortanix Data Security Manager with GitLab for Code Signing

1.0 Introduction

The objective of this article is to facilitate a secure and efficient secret management process. It outlines the steps required to sign code in GitLab build environments using secrets held in Fortanix Data Security Manager (DSM).

Follow the instructions to implement this integration effectively, enhancing data security and optimizing CI/CD pipelines.

1.1 Prerequisites

Ensure that you have the following:

  • Access to a Fortanix DSM account with appropriate administrative privileges. For more information, refer to Getting Started with Fortanix Data Security Manager.

  • A GitLab account with access to the project where you intend to set up the integration. For more information, refer to Getting Started with GitLab.

  • Knowledge about the process of saving secrets in Fortanix DSM, including generating and importing the secret.

  • Access to necessary permissions in Fortanix DSM and GitLab for group, application, plugin, variable, and secret management.

2.0 Procedure

The following steps are involved in managing the secrets in a GitLab pipeline through Fortanix DSM:

  1. Authentication within Fortanix DSM.

  2. Configuring Fortanix DSM, which includes creating groups and applications.

  3. Storing secrets securely within Fortanix DSM.

  4. Accessing and retrieving secrets from Fortanix DSM for utilization within the GitLab pipeline.

3.0 Code Signing Configuration

Perform the following steps to set up code signing securely in your GitLab environment:

  1. Log in to your Fortanix DSM account using your credentials and appropriate administrative privileges.

  2. Import keystore_password and key_password as secrets in Fortanix DSM. Ensure that they are marked as exportable.

  3. In GitLab, go to Settings → CI/CD → Variables and add the following new variables:

    • FORTANIX_API_ENDPOINT

    • FORTANIX_API_KEY

    • FORTANIX_SECRET_NAME

    • FORTANIX_SECRET_NAME_1 (for keystore_password)

    • FORTANIX_SECRET_NAME_2 (for key_password)

      Figure 1: Add the Variables

  4. At the top level of your GitLab project, locate the .gitlab-ci.yml configuration file and edit it as follows to define the CI/CD pipeline for the integration:

    stages:
      - build

    build:
      stage: build
      image: ubuntu
      script:
        # Tooling: jq and curl for the DSM API call, wget/unzip for the sample jar, a JDK for keytool and jarsigner
        - apt-get update -qy
        - apt-get install -y jq curl wget unzip
        - apt-get install -y openjdk-8-jre-headless openjdk-8-jdk # Install Java
        # Export the two secrets from Fortanix DSM; the API key and secret names come from the CI/CD variables added in step 3
        - keystore_password=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export -d "{\"name\":\"${FORTANIX_SECRET_NAME_1}\"}" | jq -r .value)
        - key_password=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export -d "{\"name\":\"${FORTANIX_SECRET_NAME_2}\"}" | jq -r .value)
        # Generate a self-signed signing key in a keystore protected by the retrieved passwords
        - keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks -storepass $keystore_password -keypass $key_password -dname "CN=test"
        # Fetch the sample jar and sign it with that key
        - wget https://download.jar-download.com/cache_jars/com.github.sushantmimani/HelloWorld/0.7.0/jar_files.zip
        - unzip jar_files.zip
        - jarsigner -keystore keystore.jks -storepass $keystore_password -keypass $key_password -signedjar signed.jar HelloWorld-0.7.0.jar mykey

    The pipeline should run automatically once the edited .gitlab-ci.yml file is committed.
    If it does not, select Build → Pipelines → Run pipeline to initiate the integration process.

    Figure 2: Run the pipeline
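    The job script above works, but two failure modes are worth closing before it is used for real artifacts: `jq -r .value` turns an error response (wrong API key, missing secret, non-exportable object) into the literal string `null`, which keytool and jarsigner then happily accept as a password, and both passwords are passed on the command line, where they are visible in process listings and in any shell tracing of the job. The following script is an added example and is not Fortanix's or GitLab's own code. It keeps the article's endpoint (`${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export`), its `Authorization: Basic` API-key header and its CI/CD variable names; the function names, the `sign.sh` file name and the assumption that DSM returns the secret bytes base64-encoded in the `value` field (so they are decoded before use) are this example's own.

```shell
#!/bin/sh
# Added example (not Fortanix's or GitLab's own code): a hardened replacement for
# the script section of the "build" job. Assumes the article's DSM endpoint,
# API-key header and CI/CD variable names; function names are this example's own.
set -eu

# Pull the "value" field out of a DSM export response body.
# Prints nothing and returns 1 when the field is missing or null, so a failed
# export can never turn into the literal password "null".
dsm_response_value() {
  body=$1
  value=$(printf '%s' "$body" \
    | sed -n 's/.*"value"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$value" ] || return 1
  printf '%s' "$value"
}

# Export one secret from DSM by name and print its plaintext to stdout.
# Assumption: DSM returns secret material base64-encoded in "value", so it is
# decoded here. The response body is deliberately never written to the job log.
dsm_export_secret() {
  name=$1
  resp=$(curl -sS -X POST \
    -H "Authorization: Basic ${FORTANIX_API_KEY}" \
    -H 'Content-Type: application/json' \
    -d "{\"name\":\"${name}\"}" \
    -w '\n%{http_code}' \
    "${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  if [ "$status" != 200 ]; then
    echo "DSM export of '$name' failed with HTTP $status" >&2
    return 1
  fi
  value=$(dsm_response_value "$body") || {
    echo "DSM export of '$name' returned no value" >&2
    return 1
  }
  printf '%s' "$value" | base64 -d
}

# Generate the signing keystore and sign a jar. Passwords reach keytool and
# jarsigner through the :env modifier instead of the command line, so they do
# not appear in `ps` output or in `set -x` traces of the job.
sign_jar() {
  in_jar=$1
  out_jar=$2
  KS_PASS=$(dsm_export_secret "$FORTANIX_SECRET_NAME_1")
  KEY_PASS=$(dsm_export_secret "$FORTANIX_SECRET_NAME_2")
  export KS_PASS KEY_PASS
  keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore keystore.jks \
    -storepass:env KS_PASS -keypass:env KEY_PASS -dname "CN=test"
  jarsigner -keystore keystore.jks -storepass:env KS_PASS -keypass:env KEY_PASS \
    -signedjar "$out_jar" "$in_jar" mykey
  # Re-check the signature against the keystore before the artifact is published.
  jarsigner -verify -keystore keystore.jks "$out_jar"
  unset KS_PASS KEY_PASS
}

# Usage from .gitlab-ci.yml:   - sh sign.sh sign HelloWorld-0.7.0.jar signed.jar
case "${1:-}" in
  sign) sign_jar "$2" "$3" ;;
esac
```

    Commit the script alongside .gitlab-ci.yml and call it from the job's script section in place of the inline curl, keytool and jarsigner lines. In GitLab, mark FORTANIX_API_KEY as a masked variable so that it is also redacted from job logs; the two secret names and the endpoint are not sensitive and can stay unmasked.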

  5. In the GitLab UI, navigate to Build → Jobs from the left navigation panel to review the output of the latest job.