Zeva

CodeLocker, integrated with JFrog, can provide a higher level of security for your customers by providing code signing from developers' commits through to build output, including signing binaries, scripts, and SBOMs. Integrated into the CI/CD pipeline, it enhances software attestation and ensures non-repudiation of SBOMs. This integration allows for the submission of evidence to JFrog.

Zeva Integration Features

Frequently Asked Questions

What does the Zeva–JFrog integration do?

The integration ensures that every artifact is signed with CodeLocker's File Signer prior to being uploaded to JFrog Artifactory, producing verifiable, cryptographically signed evidence for each artifact along the way.

Who benefits from this integration?

For software providers competing in regulated industries who must meet new software security mandates to secure business, CodeLocker is a code signing platform that proves crucial software provenance from commit to deployment while eliminating friction for developers.

For software providers competing in regulated industries who need to prove compliance to win business, CodeLocker turns mandatory compliance into a competitive advantage. 

For software providers competing in regulated industries who must meet strict mandates, CodeLocker proves provenance from commit to deployment—binding every change to a verified identity without disrupting developer workflows.

For development teams in regulated industries that need to integrate code signing without slowing agile workflows, CodeLocker is a seamless, centralized code signing tool that delivers end-to-end security and compliance without disrupting productivity. 

Software vendors and critical infrastructure operators seeking attestation and provenance tooling that integrates into the Software Development Lifecycle and meets government mandates. Designed for modern DevSecOps environments, CodeLocker features customizable plug-ins to extend into third-party applications. This ensures seamless integration with repository solutions, build servers, and CI/CD pipelines. It also streamlines commit-level signing without forcing teams to change how they work.

CodeLocker consolidates code signing keys under one secure system, compatible with FIPS 140-3 Level 3 HSMs. This reduces administrative complexity while meeting the highest assurance standards.

How does this integration help with compliance?

The integration addresses software attestation and SBOM requirements by ensuring code is cryptographically signed and attributed to an authenticated developer identity.

How does it work?

The user's pipeline signs artifacts with CodeLocker's File Signer, then uploads those signed artifacts to Artifactory using the JFrog CLI. After that, it generates and uploads signed evidence for each artifact using CodeLocker's File Signer. This process relies on two settings files: one that defines the settings the File Signer needs to sign artifacts and produce signed evidence, and another that lists the artifacts for which evidence should be created.

What are the prerequisites?

None.

What command is used to attach evidence?

Run the following command immediately after building your artifact:
CodeSigning.FileSigner sign jfrog -ArtifactsList "<path-to-your-artifacts.json>" -EvidenceSigningKeyId <codelocker's-evidence-signing-key-id> -TenantId <codelocker's-tenant-id> -AccessToken <codelocker's-access-token>

What information is included in the evidence?

CodeLocker's evidence is designed to wrap and sign existing and custom predicates. The evidence includes the customer-defined predicate together with its predicate type, wraps it in the CodeLocker predicate, adds extra metadata such as the build ID, and then signs the evidence.

All evidence is structured as a signed JSON predicate (resolvedsecurity-fixed-packages).

How is the evidence signed and verified?

CodeLocker's File Signer accepts a list of artifacts, generates the corresponding evidence for each artifact, and then signs the evidence using CodeLocker's signing service. The user selects which key to apply through the CodeLocker portal. The evidence is signed and verified using JFrog's signature format.
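To make the two answers above concrete (a customer predicate wrapped in an outer predicate with build metadata, then signed, then verified against the artifact), here is an added example. It is not CodeLocker's or JFrog's code: it assumes the in-toto Statement inside a DSSE envelope, which is the layout JFrog evidence uses; the wrapper predicate type URL and its field names are hypothetical; and the HMAC signature is a stand-in for CodeLocker's key-backed signing service, which the page says performs the real signing.

```python
"""Wrap a customer predicate into a signed evidence envelope, then verify it.

Added example (not CodeLocker's or JFrog's code). Assumes the in-toto Statement
plus DSSE envelope layout used by JFrog evidence. The HMAC "signature" stands in
for CodeLocker's signing service; the wrapper predicate type and field names are
hypothetical.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Hypothetical wrapper predicate type; the real CodeLocker type is not on the page.
WRAPPER_PREDICATE_TYPE = "https://example.com/codelocker/wrapped-evidence/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that actually get signed.

    Binding the payload type into the signed data stops an attacker from
    presenting a valid signature over a payload interpreted as another type.
    """
    t = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t,
                      str(len(payload)).encode(), payload])


def build_statement(subject_path: str, subject_bytes: bytes,
                    customer_predicate_type: str, customer_predicate: dict,
                    build_id: str) -> dict:
    """in-toto Statement whose predicate wraps the customer predicate and adds
    build metadata, mirroring the 'wrap, add build ID, sign' flow described."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_path,
                     "digest": {"sha256": hashlib.sha256(subject_bytes).hexdigest()}}],
        "predicateType": WRAPPER_PREDICATE_TYPE,
        "predicate": {
            "buildId": build_id,                              # extra metadata
            "wrappedPredicateType": customer_predicate_type,  # customer's type
            "wrappedPredicate": customer_predicate,           # customer's predicate
        },
    }


def sign_envelope(statement: dict, key: bytes, key_id: str) -> dict:
    """Produce a DSSE envelope. HMAC-SHA256 stands in for the HSM-backed signature."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": key_id, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, artifact_bytes: bytes) -> bool:
    """Verifier side: check the signature over the PAE, then check that the
    artifact in hand matches the subject digest the evidence was issued for."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"]):
        return False  # signature does not match: tampered payload or wrong key
    statement = json.loads(payload)
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    # A valid signature over evidence about a *different* artifact is still a failure.
    return any(subj["digest"].get("sha256") == digest for subj in statement["subject"])


def demo() -> dict:
    """Constructed inputs: a fake artifact, a CycloneDX-style SBOM predicate, a demo key."""
    key = b"constructed-demo-key-not-a-real-secret"
    artifact = b"\x7fELF constructed artifact bytes"
    statement = build_statement("libs-release-local/app/1.0/app.bin", artifact,
                                "https://cyclonedx.org/bom", {"components": []},
                                build_id="build-42")
    envelope = sign_envelope(statement, key, key_id="demo-evidence-key")
    tampered = dict(envelope)
    tampered["payload"] = base64.b64encode(
        base64.b64decode(envelope["payload"]).replace(b"build-42", b"build-43")).decode()
    return {
        "genuine": verify_envelope(envelope, key, artifact),
        "swapped_artifact": verify_envelope(envelope, key, artifact + b"\x00"),
        "tampered_payload": verify_envelope(tampered, key, artifact),
        "wrong_key": verify_envelope(envelope, b"other-key", artifact),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the demo makes for a verifier is that two checks are needed, not one: the signature proves who issued the evidence, and the subject digest proves which bytes it was issued for. Swapping the artifact, editing the payload, or using the wrong key each makes `verify_envelope` return `False`.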

Can this integration block non-compliant artifacts?

No.

Does the integration modify artifacts or builds?

No, it only generates the signed evidence and uploads it to JFrog Artifactory.

About Zeva

Zeva Incorporated provides end-to-end PKI and Zero Trust solutions in encryption, decryption, code signing and identity certificate management, assisting organizations in securing their software supply chain and critical infrastructure to meet government standards.