This guide provides instructions on how to:
- Set up Beyond Identity [BI} Authenticator to sign and verify with Azure Devops
- Beyond Identity authenticator with GPG key entitlements can be used to sign and verify code based on typical Devops events like push, pull, etc. This is a powerful tool to ensure security of SDLC process. The event triggers the signature validation process as part of CI/CD pipeline.
- A GPG key generated on BI Authenticator can be used to sign many repositories, but a repository can be signed with only one key.
- The email used to sign must be enrolled in the Beyond Identity tenant.
- You can also require any commits to be verified with biometrics to prevent local malware from committing code or developers from bypassing hygiene and security controls.
Secure DevOps is an add-on for Secure Workforce. Contact your Account Representative to add this feature to your environment.
Contents
Prerequisites
Azure Devops prerequisites
- A configured source code repository, project, and entitled users to pull, commit, and merge source code.
- (Optional) A configured CI/CD pipeline.
Beyond Identity prerequisites
- A Beyond Identity tenant configured for your organization and the ability to enroll users.
- An integration with your SSO provider. The instructions are different based on your SSO provider. Please refer to the integration guides available in the link below:
https://support.beyondidentity.com/hc/en-us/sections/6746815209111-Integration-Guides - Any users who will sign the code must
- Have a copy of the Beyond Identity authenticator installed.
- Have enrolled a passkey with the tenant using the same email that will be used to sign the code.
Note the following:
- A Beyond Identity authenticator with GPG key entitlements can sign and verify code based on typical DevOps events like push, pull, etc. This is a powerful tool to ensure the security of the SDLC process. The event triggers the signature validation process as part of the CI/CD pipeline.
- A GPG key generated on the Beyond Identity Authenticator can be used to sign many repositories, but a repository can be signed with only one key.
Configure Beyond Identity for Azure DevOps
This section describes the tasks required to configure the Beyond Identity authenticator for users with SDO enabled.
- Generate a Key management token
- Get an authenticator entitlement to generate GPG keys
- Add groups and users (BI Admin console)
- Generate a GPG Key and set a repository path (Authenticator)
Generate a Key management token
Your Beyond Identity Representative will provide you with a key management token. This token will be used in the CI/CD pipeline as the value of BYNDID_KEY_MGMT_API_TOKEN in later steps.
Get an authenticator entitlement to generate GPG keys
A Beyond Identity SME will enable the following entitlements for your tenant in the Support console so users can begin using their authenticator for commit signing.
- Commit Signing - Enables users to generate GPG keys and configure repository paths. Signs and verifies the author of every commit using the authenticator to prevent unauthorized threats.
- Commit Signing with Biometrics (optional) - Requires users to provide biometrics as part of signing and verifying commit signing to prevent local malware from committing code or developers from bypassing hygiene and security controls.
Add groups and users (BI Admin console)
Once the entitlements are enabled, add groups using the names in this section to generate GPG keys, configure repository paths, and optionally require biometrics for commit signing.
Important: You must use the exact group name provided below for SDO to work.
- Open the Groups page in the Admin console and click Add Group.
- Enter BI_SDO_GPG_Key_Creation for the group name.
Important: You must use BI_SDO_GPG_Key_Creation as the exact name for Commit Signing to work. - Enter an optional description and click Save Changes.
- Open the newly created group and then click Add Users to add any developers to this group.
- Enter BI_SDO_GPG_Key_Creation for the group name.
- Users added in the steps above will see a GPG Keys link in their authenticator as shown below.
- Continue to the Generate a GPG Key and set a repository (Authenticator) section below for steps the development users will need to follow.
Generate a GPG Key and set a repository path (Authenticator)
- On the Beyond Identity platform authenticator, click the GPG Keys link.
- Click Create GPG key to create and configure GPG keys.
- Ensure the email address matches the email configured to perform Git operations. You can ignore the expiration date.
- Click Create. You should see the key in the Authenticator.
- Set the repository path on the authenticator.
- In the authenticator, click the ellipses to the right of the GPG key and choose Set repository.
- Browse to the local path of the repository root and click Configure.
- Continue to Configure Azure DevOps below.
- In the authenticator, click the ellipses to the right of the GPG key and choose Set repository.
Configure Azure DevOps
- Sign up for a new account.
- Create and upload ssh keys for cloning a repository using SSH URL.
- Sign into your Azure Devops organization with the account that has same email that will be used to code sign/verify.
- Create a Project / Repository or request the repository owner add you to the Azure Devops organization that hosts project/repository and grant “Basic” access.
- Configure the Azure Devops pipeline variable BYNDID_KEY_MGMT_API_TOKEN with the value generated in Generate a Key management token.
- Navigate to Your Azure Devops organization > project >Pipelines.
- Click the three vertical dots that will open More options, and select Edit.
-
Click Variables and then click the “+” sign to create a new variable named BYNDID_KEY_MGMT_API_TOKEN.
- Check Keep this value secret. This variable is used in azure-pipelines.yml.
- Create an “azure-pipelines.yml” file in the repository root
trigger:
- master
jobs:
- job: VerifyCommitSignatureWithBeyondIdentity
container:
image: byndid/auth-commit-sig:0.4.1-debian
env: { API_TOKEN: $(BYNDID_KEY_MGMT_API_TOKEN)} # BYNDID_KEY_MGMT_API_TOKEN set as a pipeline secret variable
options: --entrypoint=""
steps:
- script: /bin/action
- Clone the code to your local repository.
- Change the code as required.
- Commit with signing, similar to the following:
git commit -v -S -m "Modified README commit with -S" - (Optional) If biometrics were enabled for signing, you will be prompted to provide biometric verification to complete the signing.
- Push the code to Origin.
- Verify a successful pipeline run:
- Navigate to Your Azure Devops organization > project > Pipelines > Recent. You should see a green mark.
- Navigate to Your Azure Devops organization > project > Pipelines > Recent. You should see a green mark.
Appendix
Azure Devops prerequisites
- Create an account.
- Use the same email account that you will use to code sign/verify.
- Create a repository.
- Sign in with the same email account that you will use to code sign/verify.
- You should have privileges to clone, modify, and commit changes.
Create an account
- Azure Devops: https://docs.Azure Devops.com/en/get-started/signing-up-for-Azure Devops/signing-up-for-a-new-Azure Devops-account
Create a repository
- Azure Devops: https://Azure Devops.com/new
Comments
0 comments
Please sign in to leave a comment.