The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

Venafi CodeSign Protect

View this plugin on the Plugins site

venafiCodeSignWithJarSigner: Venafi CodeSign Protect: sign with jarsigner

  • tppName : String
    The Venafi Trust Protection Platform (TPP) to use for signing. You can define TPPs under "Manage Jenkins" -> "Configure System" -> "Venafi Code Signing".
  • certLabel : String
    The label of the certificate (inside the TPP) to use for code signing. You can obtain a list of labels with 'pkcs11config listcertificates'.
  • credential
      Nested Object
    • credentialsId : String
  • extraArgs (optional)

    This plugin invokes Jarsigner under the hood. Here you can specify extra custom CLI arguments to pass to Jarsigner.

    These arguments will be appended to the Jarsigner CLI invocation, and take precedence over any arguments implicitly passed by this plugin.

      Array / List of Nested Object
    • argument : String
  • file : String (optional)

    The path to the file to be signed.

    Either a path or a glob must be given.

  • glob : String (optional)

    A glob that specifies the files to be signed.

    Either a path or a glob must be given.

  • timestampingServers (optional)

    Specifies one or more timestamping authority servers to use during signing. Specifying this is strongly recommended, because it allows signed files to be usable even after the original signing certificate has expired.

    If you specify more than one server, then a random one will be used.

    Tip: here are some public timestamping authorities that you can use:

    • http://timestamp.digicert.com
    • http://timestamp.globalsign.com
    • http://timestamp.comodoca.com/authenticode
    • http://tsa.starfieldtech.com
      Array / List of Nested Object
    • address : String
  • venafiClientToolsDir : String (optional)

    Specify the path to the directory in which Venafi CodeSign Protect client tools are installed. If not specified, it's autodetected as follows:

    • Linux: /opt/venafi/codesign
    • macOS: /Library/Venafi/CodeSigning
    • Windows: autodetected from the registry, or (if that fails): C:\Program Files\Venafi CodeSign Protect

venafiVerifyWithJarSigner: Venafi CodeSign Protect: verify with jarsigner

  • tppName : String
    The Venafi Trust Protection Platform (TPP) that contains the certificate that the signed file(s) were signed by. You can define TPPs under "Manage Jenkins" -> "Configure System" -> "Venafi Code Signing".
  • certLabel : String
    The label of the certificate (inside the TPP) that was used for signing the file(s). You can obtain a list of labels with 'pkcs11config listcertificates'.
  • credential
      Nested Object
    • credentialsId : String
  • file : String (optional)

    The path to the file to be verified.

    Either a path or a glob must be given.

  • glob : String (optional)

    A glob that specifies the files to be verified.

    Either a path or a glob must be given.

  • venafiClientToolsDir : String (optional)

    Specify the path to the directory in which Venafi CodeSign Protect client tools are installed. If not specified, it's autodetected as follows:

    • Linux: /opt/venafi/codesign
    • macOS: /Library/Venafi/CodeSigning
    • Windows: autodetected from the registry, or (if that fails): C:\Program Files\Venafi CodeSign Protect

venafiCodeSignWithSignTool: Venafi CodeSign Protect: sign with signtool

  • tppName : String
    The Venafi Trust Protection Platform (TPP) to use for signing. You can define TPPs under "Manage Jenkins" -> "Configure System" -> "Venafi Code Signing".
  • fileOrGlob : String

    A path or a glob that specifies the file(s) to be signed.

  • credential
      Nested Object
    • credentialsId : String
  • appendSignatures : boolean (optional)
    If the target file(s) already have signatures, then append a new signature instead of overwriting the existing signatures.
  • extraArgs (optional)

    This plugin invokes Signtool under the hood. Here you can specify extra custom CLI arguments to pass to Signtool.

    These arguments will be appended to the Signtool CLI invocation. If they overlap with any arguments implicitly passed by this plugin, then Signtool will raise an error.

      Array / List of Nested Object
    • argument : String
  • sha1 : String (optional)

    The SHA-1 hash of the certificate (inside the TPP) to use for code signing.

    Normally you should use 'Signing certificate subject name' instead, but if that name is ambiguous, then use the SHA-1 hash to select a specific signing certificate.

    Either a subject name or SHA-1 hash of the signing certificate must be given.

  • signToolPath : String (optional)
    The full path to signtool.exe. If not specified, we assume that it's in PATH.
  • signatureDigestAlgos (optional)

    The digest algorithm(s) to use to creating signatures.

    If none specified, 'sha256' is used as the default algorithm. This is very secure, but may not be compatible with older Windows versions. If you need compatibility with older Windows versions, you should specify 'sha1' and 'sha256' (in that order).

    When multiple digest algorithms are specified, they are applied in the order specified.

      Array / List of Nested Object
    • algorithm : String
  • subjectName : String (optional)

    The Common Name ("Issued to" or "CN") of the certificate (inside the TPP) to use for code signing.

    You can obtain a list of Common Names with 'cspconfig listcertificates' and checking what comes after 'CN='.

    Either a subject name or SHA-1 hash of the signing certificate must be given.

  • timestampingServers (optional)

    Specifies one or more timestamping authority servers to use during signing. Specifying this is strongly recommended, because it allows signed files to be usable even after the original signing certificate has expired.

    If you specify more than one server, then a random one will be used.

    Tip: here are some public timestamping authorities that you can use:

    • http://timestamp.digicert.com
    • http://timestamp.globalsign.com
    • http://timestamp.comodoca.com/authenticode
    • http://tsa.starfieldtech.com
      Array / List of Nested Object
    • address : String
  • useMachineConfiguration : boolean (optional)
  • venafiClientToolsDir : String (optional)
    Specify the path to the directory in which Venafi CodeSign Protect client tools are installed. If not specified, it's autodetected from the registry. If that fails, we fallback to C:\Program Files\Venafi CodeSign Protect.

venafiVerifyWithSignTool: Venafi CodeSign Protect: verify with signtool

  • tppName : String
    The Venafi Trust Protection Platform (TPP) that contains the certificate that the signed file(s) were signed by. You can define TPPs under "Manage Jenkins" -> "Configure System" -> "Venafi Code Signing".
  • fileOrGlob : String

    A path or a glob that specifies the file(s) to be verified.

  • credential
      Nested Object
    • credentialsId : String
  • signToolPath : String (optional)
    The full path to signtool.exe. If not specified, we assume that it's in PATH.
  • useMachineConfiguration : boolean (optional)
  • venafiClientToolsDir : String (optional)
    Specify the path to the directory in which Venafi CodeSign Protect client tools are installed. If not specified, it's autodetected from the registry. If that fails, we fallback to C:\Program Files\Venafi CodeSign Protect.

Was this page helpful?

Please submit your feedback about this page through this quick form.

Alternatively, if you don't wish to complete the quick form, you can simply indicate if you found this page helpful?

    


See existing feedback here.