CI/CD Integration
QCecuring integrates with CI/CD pipelines through:
- Signing Agent (recommended)
- PKCS#11 / KSP integrations
- Container Image Signing SDK
Private keys never leave the QCecuring platform.
Signing operations are securely proxied through the Signing Agent.
Recommended Architecture

```text
CI/CD Runner → Signing Agent → QCecuring Platform → HSM / KMS
```

For container signing:

```text
CI/CD Runner → Container Signer → Signing Agent → QCecuring Platform → Registry
```

GitHub Actions
Recommended: Agent-Based Signing

Use a self-hosted runner with the QCecuring Agent installed.
```yaml
name: Sign Release

on:
  release:
    types: [created]

jobs:
  sign:
    # self-hosted runner with the QCecuring Agent installed
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v3

      - name: Build
        run: ./build.sh

      - name: Sign Artifact
        run: |
          qcecuring-sign \
            --file dist/myapp.exe \
            --key production-key
```

Container Image Signing
```yaml
jobs:
  sign-image:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v3

      - name: Build Image
        run: docker build -t myrepo/app:${{ github.sha }} .

      - name: Sign Image
        run: |
          java -jar qcecuring-container-signer.jar sign \
            --image myrepo/app:${{ github.sha }} \
            --key-id ${{ secrets.QCECURING_KEY_ID }}
```

GitLab CI
Agent-Based Signing

```yaml
sign:
  stage: deploy
  tags:
    - signing-runner   # runner that has the QCecuring Agent installed
  script:
    - ./build.sh
    - qcecuring-sign --file dist/myapp.exe --key production-key
  only:
    - tags
```

Container Image Signing

```yaml
sign-image:
  stage: deploy
  script:
    - docker build -t registry/app:$CI_COMMIT_SHA .
    # literal block so the line continuations survive YAML folding
    - |
      java -jar qcecuring-container-signer.jar sign \
        --image registry/app:$CI_COMMIT_SHA \
        --key-id $QCECURING_KEY_ID
```

Jenkins
Pipeline Example

```groovy
pipeline {
    agent { label 'signing-node' }

    stages {
        stage('Build') {
            steps {
                sh './build.sh'
            }
        }
        stage('Sign') {
            steps {
                sh 'qcecuring-sign --file dist/myapp.exe --key production-key'
            }
        }
    }
}
```

Container Image Signing

```groovy
// QCECURING_KEY_ID is expected to come from the Jenkins Credentials Store;
// the single-quoted ''' string is not Groovy-interpolated, so the variables
// are expanded by the shell, not embedded in the pipeline script.
stage('Sign Image') {
    steps {
        sh '''
            java -jar qcecuring-container-signer.jar sign \
              --image myrepo/app:${BUILD_NUMBER} \
              --key-id ${QCECURING_KEY_ID}
        '''
    }
}
```

Secret Management
Store credentials securely in your CI/CD platform:
- GitHub → Repository Secrets
- GitLab → CI/CD Variables
- Jenkins → Credentials Store
Never:
- Hardcode API keys
- Commit credentials to repository
- Expose private key material
Deployment Patterns
High Security (Recommended)

- Self-hosted runners
- Agent installed locally
- mTLS enabled between agent and backend
- Network-restricted signing node
SaaS Runners
If using cloud runners:
- Use container signing only
- Avoid local file signing unless agent is installed
- Restrict key permissions via policies
Verification
Always verify artifacts after signing.

Windows and Java

```sh
# Windows PE (Authenticode). /pa selects the default authentication policy;
# without it signtool applies the Windows driver verification policy and
# rejects ordinary code-signing chains.
signtool verify /pa myapp.exe

# Java archive
jarsigner -verify -verbose myapp.jar
```

Container

```sh
java -jar qcecuring-container-signer.jar verify \
  --image myrepo/app:tag
```
Best Practices

- Separate keys per environment
- Use approval workflows for production keys
- Enforce signing policies
- Enable audit logging
- Monitor failed signing attempts
- Rotate signing keys periodically
What Not To Do
- Do not expose signing APIs directly to public runners
- Do not export private keys
- Do not bypass approval workflows
- Do not reuse production keys in development
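"Separate keys per environment" and "Do not reuse production keys in development" are only enforced if something checks which key a given pipeline run may ask for. The server-side policies and approval workflows mentioned under Best Practices are the primary control; the script below is an added example of a complementary client-side guard (not QCecuring's own tooling) that maps the CI ref and event to exactly one key alias and rejects any other `--key` value. The key aliases `production-key`, `staging-key` and `dev-key`, the ref-to-key mapping, and the use of the GitHub Actions variables `GITHUB_REF` and `GITHUB_EVENT_NAME` are assumptions to adapt; GitLab and Jenkins expose the equivalent information under other variable names.

```sh
#!/usr/bin/env sh
# Environment-to-key policy guard (added example; not QCecuring's own tooling).
# The key aliases production-key / staging-key / dev-key and the ref-to-key
# mapping are assumptions to adapt. GITHUB_REF and GITHUB_EVENT_NAME are the
# standard GitHub Actions variables; GitLab and Jenkins have equivalents.

# select_signing_key REF EVENT
# Prints the single key alias this ref may sign with, or fails.
# Production is only reachable from a release event on a version tag, so a
# pipeline on a feature branch can never obtain production-key.
select_signing_key() {
  ref="$1"
  event="$2"
  case "$event:$ref" in
    release:refs/tags/v[0-9]*) echo production-key ;;
    push:refs/heads/main)      echo staging-key ;;
    push:refs/heads/*)         echo dev-key ;;
    pull_request:*)
      echo "key policy: pull_request builds are never signed" >&2
      return 1 ;;
    *)
      echo "key policy: no signing key for event '$event' on '$ref'" >&2
      return 1 ;;
  esac
}

# enforce_key_policy REQUESTED_KEY REF EVENT
# Rejects a --key value that the policy does not grant for this ref. Install
# this on the signing node, outside the repository, so that editing the
# workflow file to request production-key is not enough to sign with it.
enforce_key_policy() {
  requested="$1"
  allowed=$(select_signing_key "$2" "$3") || return 1
  if [ "$requested" != "$allowed" ]; then
    echo "key policy violation: '$requested' requested on '$2' (event '$3'); policy allows '$allowed'" >&2
    return 1
  fi
  echo "$allowed"
}

# Usage in the signing step (wrapping the qcecuring-sign call shown above):
#   KEY=$(enforce_key_policy "$REQUESTED_KEY" "$GITHUB_REF" "$GITHUB_EVENT_NAME") || exit 1
#   qcecuring-sign --file dist/myapp.exe --key "$KEY"
```

Because the workflow file lives in the repository, anyone who can push a branch can change the `--key` argument; that is why the guard belongs on the network-restricted signing node rather than in the pipeline definition, and why the platform-side key permissions and approval workflow must still refuse the request even if the guard is bypassed.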