[{"data":1,"prerenderedAt":81},["ShallowReactive",2],{"$kqlz4qrC16v4W":3},{"code":4,"status":5,"result":6},200,"OK",{"blocks":7,"objectives":66,"title":75,"subheading":76,"intro":77,"related":78,"browser":79,"description":80},[8,15,20,25,29,33,37,41,45,49,54,58,62],{"content":9,"id":12,"isHidden":13,"type":14},{"level":10,"text":11},"h2","What is CI/CD?","f5504f49-e08c-4d62-9314-32c44ac15e9b",false,"heading",{"content":16,"id":18,"isHidden":13,"type":19},{"text":17},"\u003Cp>CI/CD stands for Continuous Integration and Continuous Delivery (or Continuous Deployment). It is an automated software development practice that focuses on regular code merges, building, and testing with virtually no manual involvement.\u003C/p>\u003Cp>A CI/CD pipeline is the full sequence of automated steps that carry code from a developer’s commit to a finished, distributable product. Typically, the stages of this pipeline are:\u003C/p>","a1501f44-31e5-438f-bcc1-9acd7b2209d2","text",{"content":21,"id":23,"isHidden":13,"type":24},{"text":22},"\u003Cul>\u003Cli>\u003Cp>Build: source code compilation.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Test: automated quality assurance checkups that verify the build is functional and secure.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Sign: the application of a digital signature.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Release: the publication of the signed item to a distribution channel.\u003C/p>\u003C/li>\u003C/ul>","8d47dfbd-c3cf-4bbb-b0c1-051eb5d8e40a","list",{"content":26,"id":28,"isHidden":13,"type":19},{"text":27},"\u003Cp>Some of the most popular CI/CD platforms are GitHub Actions, GitLab CI, Jenkins, Azure DevOps, and CircleCI.\u003C/p>","15ad4c41-6666-4794-bce4-02744480cfa1",{"content":30,"id":32,"isHidden":13,"type":14},{"level":10,"text":31},"How Does Code Signing Fit Into CI/CD?","89b40b69-67c5-4049-9572-6896328f69d2",{"content":34,"id":36,"isHidden":13,"type":19},{"text":35},"\u003Cp>In a regular, manual workflow, a developer signs their build by hand using their local certificate and a utility such as \u003Ca href=\"/help/setup-guides/program-signing-and-timestamping-with-signtool\">signtool.exe\u003C/a>. In a CI/CD pipeline, this step runs automatically, perhaps even on a remote server that no individual directly interacts with.\u003C/p>\u003Cp>This is a practical solution at face value, but it comes with its own set of challenges. Notably, this pipeline requires access to the private key, but it must remain protected.\u003C/p>","b67608d4-1a60-4260-ad46-4df0a41db0c0",{"content":38,"id":40,"isHidden":13,"type":14},{"level":10,"text":39},"Secure Key Storage Options for CI/CD Signing","848283eb-8265-4b0d-acb5-c17759e5e1b0",{"content":42,"id":44,"isHidden":13,"type":19},{"text":43},"\u003Cp>There are three different private key storage options for CI/CD pipeline integration:\u003C/p>","98f9601e-6283-49f9-95ec-b2339f3051f7",{"content":46,"id":48,"isHidden":13,"type":24},{"text":47},"\u003Cul>\u003Cli>\u003Cp>Hardware Security Modules, which are rack-mounted appliances integrated into the build pipeline via standardised APIs.\u003C/p>\u003C/li>\u003Cli>\u003Cp>USB hardware tokens that can connect via a dedicated, network-accessible signing server.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Cloud solutions like Azure Key Vault or AWS CloudHSM are most easily integrated into CI/CD pipelines because there is no need for a physical token on the developer’s side.\u003C/p>\u003C/li>\u003C/ul>","96ded84f-76c9-4d0f-9d92-ca86e2c34058",{"content":50,"id":53,"isHidden":13,"type":14},{"level":51,"text":52},"h3","Best Practices for CI/CD Signing","2f9b1121-299d-45fb-b294-e6c1611bf861",{"content":55,"id":57,"isHidden":13,"type":24},{"text":56},"\u003Cul>\u003Cli>\u003Cp>There needs to be a dedicated signing step in the pipeline, isolated from the bespoke build and test stages.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Access to signing credentials needs to be restricted purely to the pipeline roles that actually require them.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Signing activity must be audited to ensure there has been no unauthorised use.\u003C/p>\u003C/li>\u003Cli>\u003Cp>Timestamping is highly recommended during the signing step.\u003C/p>\u003C/li>\u003C/ul>","68914cbc-0982-49ca-b930-7f5649ce3a7d",{"content":59,"id":61,"isHidden":13,"type":14},{"level":10,"text":60},"To Summarize","250d4ea6-db41-4e7f-8e27-51eac3bb78a0",{"content":63,"id":65,"isHidden":13,"type":19},{"text":64},"\u003Cp>Fully integrated CI/CD pipelines enable software developers to ship signed, trusted code rapidly and with a streamlined process. Crucially, this is accomplished without sacrificing the security of their signing credentials. Choosing an appropriate storage mechanism for the private signing key is particularly important, and it should be treated like any other critical security asset.\u003C/p>","6b4dbe62-c395-436a-8959-449f4c0b4469",[67,69,71,73],{"text":68},"Define CI/CD and explain how automated pipelines work",{"text":70},"Understand how code signing fits into a CI/CD pipeline",{"text":72},"Explain how signing credentials are stored in automated environments",{"text":74},"Recognise the risks of improper private key handling","What is CI/CD automation?","The automation pipeline explained","CI/CD automation refers to the practice of using software pipelines to build, test, and release code automatically. It is also possible to integrate a code-signing process into this pipeline, enabling rapid code signing without manual intervention.",[],"","CI/CD automation refers to the practice of using software pipelines to build, test, and release code automatically",1776830412797]