This project provides remote code signing from a Linux host running Docker to which a USB YubiKey (or other device) holding a code-signing certificate is attached. Other hosts (e.g. Jenkins agent nodes) can send a file to this service and receive the signed file in the response, without needing physical access to the YubiKey.
go build
Create the .env file containing the variables related to your setup:
USERNAME=user
PASSWORD=secret
PIN="12345678"
CERT="certificate.cer"
TS_URL="http://timestamp.digicert.com"
Generate a self-signed certificate or replace cert.pem and key.pem with a certificate and its private key generated by a CA:
mkdir -p cert
openssl req -x509 -newkey rsa:4096 -keyout cert/key.pem \
-out cert/cert.pem -days 3650 -nodes
Build the Docker image and start the container:
docker build -t signsvc -f docker/Dockerfile .
docker run -d \
--device /dev/bus/usb \
--device /dev/usb \
-p 9115:443 \
--restart unless-stopped \
--name signsvc signsvc
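The following curl command sends a binary file in a POST request to the API and receives the signed file in the response. The --cacert option makes curl verify the server against the certificate generated above, and --fail makes it exit with an error on an HTTP error status.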
curl -sSL -F file=@file.msi -u user:secret https://remote_addr:9115/sign \
-o file_signed.msi --cacert cert/cert.pem --fail