signsvc

YubiKey Authenticode code-signing service

Primary language: Go. License: Apache-2.0.

Simple YubiKey Authenticode code-signing service

The purpose of this project is to perform remote Authenticode code-signing on a Linux host running Docker to which a USB YubiKey (or similar device) holding the code-signing certificate and its private key is attached. Other hosts (e.g. Jenkins agent nodes) send a file to the service over HTTPS and receive the signed file in the response, so they need neither physical access to the YubiKey nor a copy of the private key, which never leaves the token. The service therefore becomes the control point for signing: whoever can reach it with valid credentials can produce signed binaries, so restrict both the network path and the credentials to the build agents that genuinely need them.

Build the signsvc service

go build

Build the Docker container image

Create the .env file containing the variables related to your setup. USERNAME and PASSWORD are the HTTP basic-auth credentials clients must present, PIN is the YubiKey PIN that unlocks the signing key, CERT is the code-signing certificate file and TS_URL is the timestamp server used to timestamp signatures. This file holds secrets: keep it out of version control and readable only by the user who builds and runs the container (chmod 600 .env):

USERNAME=user
PASSWORD=secret
PIN="12345678"
CERT="certificate.cer"
TS_URL="http://timestamp.digicert.com"

This is the TLS certificate the service presents on port 443 (clients verify it with --cacert); it is not the code-signing certificate, which stays on the YubiKey. Generate a self-signed certificate, giving it a subjectAltName matching the host name or address clients will use (curl verifies the name even with --cacert, so a certificate without a matching SAN is rejected), or replace cert.pem and key.pem with a certificate and its private key issued by a CA:

mkdir -p cert
openssl req -x509 -newkey rsa:4096 -keyout cert/key.pem \
-out cert/cert.pem -days 3650 -nodes \
-subj "/CN=signsvc.example.com" \
-addext "subjectAltName=DNS:signsvc.example.com"

Replace signsvc.example.com with the name clients will connect to, or use IP:<address> in the subjectAltName if they connect by IP address. The -addext option requires OpenSSL 1.1.1 or later.

Build the Docker image:

docker build -t signsvc -f docker/Dockerfile .

Run the Docker container

docker run -d \
  --device /dev/bus/usb \
  --device /dev/usb \
  -p 9115:443 \
  --restart unless-stopped \
  --name signsvc signsvc

The --device flags pass the host's USB devices through so the container can talk to the YubiKey. -p 9115:443 publishes the service on every host interface; restrict it to the build agents' addresses with a firewall rule, or bind it to a specific interface with -p <addr>:9115:443.

Send a signature request

The following curl command POSTs the binary as the multipart form field "file" to /sign with HTTP basic auth and writes the signed file returned in the response body to file_signed.msi. --cacert pins the service's TLS certificate generated above, and --fail makes curl exit non-zero on an error response instead of writing the error page into file_signed.msi. Passing the password with -u on the command line exposes it in the process list and shell history; on a shared build agent prefer a credential file via --netrc-file, or pass it as -u "user:$SIGNSVC_PASSWORD" from an environment variable injected by the CI system.

curl -sSL -F file=@file.msi -u user:secret https://remote_addr:9115/sign \
-o file_signed.msi --cacert cert/cert.pem --fail