AppViewX AVX ONE Code Signing Integration with GitHub
The AppViewX AVX ONE Code Signing solution works with GitHub to enable the implementation of code signing policies for PowerShell script files. With this integration, DevOps teams can enhance security by automating the code signing process and uploading signed scripts to GitHub.
What Is Code Signing
The practice of digitally attesting to the file for reliability, authenticity and integrity of software, firmware, or mobile apps is known as code signing. To prove that the code originated from a verified source and has not been tampered with since it was signed, developers sign code in digital form using their private key and code signing certificate. This helps to ensure that the software or file you are installing, running or sharing is trusted by the end user.
The digital signature will be invalidated if the software or code is tampered with after it has been digitally signed, and users are warned that they should not rely on such software. The digital signature contains a timestamp, a piece of data showing the exact moment the file was signed. A code signing certificate typically has a validity period of one to three years. Starting on June 15, 2025, the Certificate Authority/Browser (CA/B) Forum has directed the maximum validity for code signing certificates to be reduced from 39 months to 460 days.
The certificate expires when its validity term has passed, and if a timestamp is not added, the digital signature loses its validity and raises security concerns. Hash signing or client-side hashing is a process in which the client hashes the code to be signed and sends the hash to the signing service instead of directly uploading the source code file. This method improves security by keeping the source code hidden from outside environments and minimizes performance lag brought on by uploading huge files.
Creating Signing Policy and Code Signing with AVX ONE
When creating a signing policy in the AppViewX AVX ONE Code Signing solution, you need to enter a set of parameters to ensure the secure and effective signing of digital assets. Firstly, it’s crucial to assign a descriptive name and possibly a description for the policy, facilitating easy identification and understanding of its purpose. Next, you specify the signing type, which could encompass various code categories such as PS1, JAR, APK, etc.
Furthermore, it’s imperative to support a diverse range of code types to accommodate various use cases and industry standards. The flexibility to sign different types of code ensures the versatility and applicability of the signing policy across a multitude of scenarios, thereby enhancing its effectiveness and utility within the organization. Within this context, selecting the appropriate cryptographic algorithm is paramount.
AVX ONE Code Signing has the feature to choose an algorithm for signing a file like RSA, which offers robust security and efficiency, or ECDSA (Elliptic Curve Digital Signature Algorithm), known for its smaller key sizes and faster processing. Additionally, the choice of hash function plays a pivotal role in ensuring data integrity during the signing process. Hash functions like SHA-256 or SHA-512 are commonly employed due to their cryptographic strength and widespread adoption.
Simplify code signing for DevOps and secure your software supply chain with AVX ONE Code Signing
As part of the policy configuration, defining rules governing when the policy should be applied is essential. These rules might encompass various factors such as the type and source of content being signed, the identity of the signer, or specific contextual criteria. Subsequently, you outline the actions to be executed upon meeting the specified conditions.
This could involve selecting the signing certificate to be utilized from a certificate store, specifying additional metadata to be included in the signed content, or configuring post-signing actions like timestamping or archival.
Considering the policy’s expiration ensures ongoing relevance and adherence to security best practices. By setting an expiration date, you maintain control over the code signing certificate’s lifecycle. Additionally, defining the policy’s scope clarifies where rules and actions apply, whether across specific applications or systems.
Meticulously defining algorithm selection, hash functions, rules, and supported code types ensures robustness and security in the AVX ONE Code Signing solution, empowering organizations to uphold stringent signing standards while seamlessly integrating with other AppViewX solutions.
AppViewX AVX ONE Code Signing Integration with GitHub:
The Integration Hub feature within the AVX ONE Code Signing solution offers a versatile solution for securely storing URLs and its credentials accommodating various authentication methods to ensure seamless integration with external applications. It provides a convenient means to validate URLs, ensuring the integrity of connections established with external systems when integrating them with AppViewX.
To facilitate the integration with GitHub, users can navigate to the GitHub Account Settings section and access “Personal Access Tokens” under Developer Settings. Here, a new token can be generated by furnishing a description, selecting appropriate scopes to delineate the required access level, and setting an expiration date for added security.
Once credentials are securely stored in the Integration Hub, users can leverage the AppViewX AVX ONE platform to automate processes comprehensively. This automation can involve fetching files from GitHub repositories and signing them within the AVX ONE Code Signing solution using predefined algorithms and hash functions established during the creation of signing policies, ensuring the validity and security of the process.
Subsequently, the signed PowerShell script files can be uploaded back to GitHub, creating a new branch to maintain the integrity of the source code while enhancing security and efficiency throughout the software development and deployment lifecycle.
By integrating AppViewX AVX ONE Code Signing with GitHub and leveraging its capabilities, DevOps teams can establish a streamlined process for code signing PowerShell script files within their repositories. This ensures enhanced security and compliance measures, while also facilitating efficient management of code within the software development lifecycle. With the automation provided by this combined solution, teams can confidently manage code signing policies and seamlessly upload signed scripts to GitHub, contributing to a more robust and secure software development environment.
To learn more about AVX ONE Code Signing, request a demo today.
*** This is a Security Bloggers Network syndicated blog from AppViewX authored by Tivya Venkatachalam. Read the original post at: https://www.appviewx.com/blogs/appviewx-avx-one-code-signing-integration-with-github/
