Scripts for signing using KSP library on Azure pipeline

Prerequisites

Azure DevOps setup
Windows Custom Agent for Azure DevOps
DigiCert® KeyLocker credentials
DigiCert® KeyLocker client tools

Client tools

DigiCert® KeyLocker clients can be downloaded in a package.

Download Client tools

Sign in to DigiCert ONE.
Navigate to DigiCert® KeyLocker > Resources > Client tool repository.
Select your operating system.
Click the download icon next to DigiCert® KeyLocker clients.

Register the KSP

To register the KSP, open a command prompt and run:

smksp_registrar.exe register

Verify the KSP

To verify that your KSP is configured properly, and that your client can properly authenticate to the DigiCert® KeyLocker service, run:

certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user

Synchronize certificates

For the client tools to access the private keys in the service through the Key Storage Provider (KSP), your certificates must be synchronized to the local certificate store. Only if the certificate is synchronized, the private key remains stored securely in DigiCert® KeyLocker.

To synchronize your certificates to the local certificate store, open a command prompt and run:

smksp_cert_sync.exe

To view the certificates, open Certificate Manager for the user account used to run the certificate sync utility:

certmgr.msc

If you do not see your certificates in the Certificate Manager, verify that you have opened the correct certificate store. There is a different certificate store for each Windows user account.

Note

All certificates are synched to the user store only. The certificates are not synchronized to the machine store (yet).

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

Example 1. Windows

You can set the PATH environment variable using command line or via the environment variables.

To set the path to your signing tools via command line:

set PATH=%path%;<path to DigiCert Keylocker Tools>

Command sample:

set PATH=%path%;C:\Program Files\DigiCert\DigiCert Keylocker Tools

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double click on the Path variable.
Click New.
Select Browse.
Select the path to the signing tool.
Click OK to save the path.
Click on OK to close the dialog.

Example 2. Linux

To set the path to your signing tools via command line:

Launch the Terminal application.
Open the file in an editor:
```
nano ~/.profile
```

Add any exports definitions you need:

export PATH=<Path to DigiCert Keylocker Tools>

Click CTRL+X to exit.
Click Y to save.
Click Enter to keep the same file name.
Execute the new .profile by restarting Terminal or using:
```
 source ~/.profile
```

Example 3. macOS

To set the path to your signing tools via command line:

Launch the Terminal application.
Create a profile file:
```
touch ~/.zprofile
```
Open the file in an editor:
```
open ~/.zprofile
```

Add any exports definitions you need, such as:

export PATH=<Path to DigiCert Keylocker Tools>

To save the new .zprofile, click File > Save (CMD + S).
Close the terminal window and reopen to use new saved variables.

User authentication

DigiCert® KeyLocker enforces multifactor authentication for security. To access keypairs, certificates, and sign code, you need to set up two types of credentials: an API token and an authentication certificate.

Create an API token

The API token is an authentication method used to verify you as a user and your permissions assigned in DigiCert ONE. The API token provides the first factor authentication.

Follow these steps to generate an API token:

Sign in to DigiCert ONE.
Select the profile icon (top-right).
Select Admin Profile.
Scroll down to API Tokens.
Select  Create API token.
Note
The API token is only shown once, securely store the API key to use it later.

Create an authentication certificate

The client authentication certificate is an authentication method used to verify you as a user and your permissions assigned in DigiCert ONE. The client authentication certificate provides the second factor authentication.

Follow these steps to create a client authentication certificate:

Sign in to DigiCert ONE.
Select the profile icon (top-right).
Select Admin Profile.
Scroll down to Authentication certificates.
Select Create authentication certificate.
Note
The client authentication certificate password shown after creating an client authentication certificate cannot be accessed again, download the certificate and securely store the password to use it later.

Download required signing tools

Follow the instructions in the articles below to integrate with signing tools.

Note

For more information regarding which file types can be signed with these signing tools, refer to: Integrate third-party signing tools.

Integration with Azure DevOps pipeline

Environment variables setup for pipeline

The client tools need these environment variables to connect with DigiCert® KeyLocker to provide its service. They can be integrated as variables in the pipeline which Azure will automatically inject as environment variables in the agent or they can be configured at an OS environment level.

variables:
  - name: SM_CLIENT_CERT_PASSWORD
    value: *********
  - name: SM_CLIENT_CERT_FILE
    value: <Path to Client Auth Cert File>
  - name: SM_HOST
    value: https://clientauth.one.digicert.com
  - name: SM_API_KEY
    value: <API Token>

The values for these environment variables are explained below:

Variable	Description
SM_API_KEY	Provide your API token.
SM_CLIENT_CERT_FILE	Provide your client authentication certificate.
SM_CLIENT_CERT_PASSWORD	Provide your client certificate password.
SM_HOST	Provide your host environment.

Sign

You can sign using SignTool, Mage, or Nuget.

Note

To use the thumbprint method of signing a file you will need to run the smksp_cert_sync.exe tool (provided with KSP) to sync the local certificate store with DigiCert® KeyLocker.

Sign with SignTool

Certificate fingerprint method

An example for an Azure DevOps pipeline step for signing an .exe or .dll with a certificate thumbprint is shown below:

- script: signtool sign /sha1 <Certificate Thumbprint> /tr http://timestamp.digicert.com <Path to the exe/DLL to be signed>
  displayName: "Sign Artifact"

Downloaded certificate method

An example for an Azure DevOps pipeline step for signing an .exe or .dll with a downloaded code signing certificate is shown below:

- script: signtool sign /csp "Digicert Signing Manager KSP" /kc <Keypair Alias> /f <Path to certificate file> /tr http://timestamp.digicert.com <Path to the exe/DLL to be signed>
  displayName: "Sign Artifact"

The input parameters for this are the alias for the Keypair on DigiCert® KeyLocker, the path to the certificate file, and the path to the exe/DLL to be signed.

Sign with Mage

Certificate fingerprint method

An example step of an Azure DevOps pipeline that signs a package using certificate thumbprint:

- script: mage -Sign <Path to .application file> -CertHash <Certificate thumbprint>
  displayName: 'Sign App'

Downloaded certificate method

An example step of an Azure DevOps pipeline that signs a package using a downloaded code signing certificate:

- script: mage -Sign <Path to .application file> -CertFile <Path to Certificate file> -KeyContainer <Alias/Name of the Keypair on STM> -CryptoProvider "DigiCert Signing Manager KSP"
  displayName: 'Sign App'

Sign with NuGet

Certificate fingerprint method

An example step of an Azure DevOps pipeline that signs a package using NuGet using the certificate thumbprint:

- task: NuGetCommand@2
  displayName: 'NuGet Sign Custom Package'
  inputs:
    command: 'custom'
    arguments: 'sign <Path to Package> -Timestamper http://timestamp.digicert.com -CertificateFingerprint <certificate thumbprint> -Verbosity detailed -Overwrite'

Verify signature

You can verify a signature using SignTool, Mage, or Nuget.

Verify signature with SignTool

An example of an Azure DevOps step that verifies a signed artifact:

- script: signtool verify /v /pa <Path to the signed exe or dll>
  displayName: "Verify Artifact"

The only input for this step is the path to the signed exe/DLL that needs to be verified.

Verify signature with Mage

An example step of an Azure DevOps pipeline that verifies a signed app:

- script: mage -Verify <Path to signed .application file>
  displayName: 'Verify Click Once App'

The only input required here is the path to the signed .application file.

Verify signature with NuGet

An example step of an Azure DevOps pipeline that verifies a package using NuGet:

- task: NuGetCommand@2
  displayName: 'NuGet Verify'
  inputs:
    command: 'custom'
    arguments: 'verify -All <Path to Signed Package>'

The only input it takes is the path to the directory of the signed package.

Sample pipelines

Example 4. Signtool

trigger:
- main

pool:
  name: 'default'
  demands: agent.os -equals Windows_NT

variables:
  solution: '**/*.csproj'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'
  SM_CLIENT_CERT_PASSWORD: 'gxmiK9Oe72Pn'
  SM_CLIENT_CERT_FILE: "C:\\Workspace\\smtools-windows\\local_pkcs12.p12"
  SM_HOST: 'https://clientauth.one.digicert.com'
  SM_API_KEY: '01ff018928e385329550b6e7a7_9b38fc5fbb4ef99ceeb7d61e6984107efa4283583cb7a64f5e292582cd3ed848'
  CERT_THUMBPRINT: 'a0678b55a2b0e55e78c75bbb4b62725aafce072c'

steps:

- task: NuGetToolInstaller@1
  displayName: "NuGet Tool Installation"
- task: NuGetCommand@2
  displayName: "NuGet Solution Restore"
  inputs:
    restoreSolution: '$(solution)'
- task: VSBuild@1
  displayName: "Build"
  inputs:
    solution: '$(solution)'
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

- task: VSTest@2
  displayName: "Test"
  inputs:
    platform: '$(buildPlatform)'
    configuration: '$(buildConfiguration)'

- task: CopyFiles@2
  displayName: "Stage Exe"
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)'
    Contents: '**\Release\**\Hello-World-Dot-Net.exe'
    TargetFolder: '$(Build.ArtifactStagingDirectory)'
    flattenFolders: true

- task: CopyFiles@2
  displayName: "Stage DLL"
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)'
    Contents: '**\Release\**\Hello-World-Dot-Net.dll'
    TargetFolder: '$(Build.ArtifactStagingDirectory)'
    flattenFolders: true

- task: PublishBuildArtifacts@1
  displayName: "Publish Unsigned Exe"
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.exe'
    ArtifactName: 'Unsigned Exe'
    publishLocation: 'Container'

- task: PublishBuildArtifacts@1
  displayName: "Publish Unsigned DLL"
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.dll'
    ArtifactName: 'Unsigned DLL'
    publishLocation: 'Container'

- script: signtool sign /sha1 $(CERT_THUMBPRINT) /tr http://timestamp.digicert.com $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.exe
  displayName: "Sign Exe"

- script: signtool sign /sha1 $(CERT_THUMBPRINT) /tr http://timestamp.digicert.com $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.dll
  displayName: "Sign DLL"

- task: PublishBuildArtifacts@1
  displayName: "Publish Signed Exe"
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.exe'
    ArtifactName: 'Signed Exe'
    publishLocation: 'Container'

- task: PublishBuildArtifacts@1
  displayName: "Publish Signed DLL"
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.dll'
    ArtifactName: 'Signed DLL'
    publishLocation: 'Container'

- script: signtool verify /v /pa $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.exe
  displayName: "Verify Exe"

- script: signtool verify /v /pa $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.dll
  displayName: "Verify DLL"

Example 5. Mage

trigger:
- main

pool:
  name: 'default'
  demands: agent.os -equals Windows_NT

variables:
  solution: '**/*.csproj'
  buildConfiguration: 'Release'
  SM_CLIENT_CERT_PASSWORD: 'gxniK9Oe72Pn'
  SM_CLIENT_CERT_FILE: "C:\\Workspace\\smtools-windows\\local_pkcs12.p12"
  SM_HOST: 'https://clientauth.one.digicert.com'
  SM_API_KEY: '01ff018927e385329550b6e7a7_9b38fc5fbb4ef99ceeb7d61e6984107efa4283583cb7a64f5e292582cd3ed848'
  CERT_THUMBPRINT: 'a0678b55a2b1e55e78c75bbb4b62725aafce072c'

steps:
- task: NuGetToolInstaller@1
  displayName: 'NuGet Tool Install'

- task: NuGetCommand@2
  displayName: 'NuGet Restore'
  inputs:
    restoreSolution: '$(solution)'

- task: VSBuild@1
  displayName: 'Build Solution'
  inputs:
    solution: '$(solution)'
    configuration: '$(buildConfiguration)'
    msbuildArgs: '/target:publish /p:PublishProfile=Properties\PublishProfiles\ClickOnceProfile.pubxml'

- task: VSTest@2
  displayName: 'Test Solution'
  inputs:
    configuration: '$(buildConfiguration)'

- task: CopyFiles@2
  displayName: 'Stage Click Once App'
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)\bin\Release\net5.0\app.publish'
    Contents: '**'
    TargetFolder: '$(Build.ArtifactStagingDirectory)'

- task: ArchiveFiles@2
  displayName: 'Archive unsigned Click Once App'
  inputs:
    rootFolderOrFile: '$(Build.ArtifactStagingDirectory)'
    includeRootFolder: false
    archiveType: 'zip'
    archiveFile: '$(Build.ArtifactStagingDirectory)/Unsigned-Click-Once-App-$(Build.BuildId).zip'
    replaceExistingArchive: true

- task: PublishBuildArtifacts@1
  displayName: 'Publish unsigned archived Click Once App'
  inputs:
    ArtifactName: 'Unsigned Click Once App'
    PathtoPublish: '$(Build.ArtifactStagingDirectory)/Unsigned-Click-Once-App-$(Build.BuildId).zip'

- task: DeleteFiles@1
  displayName: 'Clear up unsigned archive to build signed archive'
  inputs:
    SourceFolder: '$(Build.ArtifactStagingDirectory)'
    Contents: 'Unsigned-Click-Once-App-$(Build.BuildId).zip'

- script: mage -Sign $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.application -CertHash $(CERT_THUMBPRINT)
  displayName: 'Sign Click Once App'

- script: mage -Verify $(Build.ArtifactStagingDirectory)\Hello-World-Dot-Net.application
  displayName: 'Verify Click Once App'

- task: ArchiveFiles@2
  displayName: 'Archive signed Click Once App'
  inputs:
    rootFolderOrFile: '$(Build.ArtifactStagingDirectory)'
    includeRootFolder: false
    archiveType: 'zip'
    archiveFile: '$(Build.ArtifactStagingDirectory)/Signed-Click-Once-App-$(Build.BuildId).zip'
    replaceExistingArchive: true

- task: PublishBuildArtifacts@1
  displayName: 'Publish signed Click Once App'
  inputs:
    ArtifactName: 'Signed Click Once App'
    PathtoPublish: '$(Build.ArtifactStagingDirectory)/Signed-Click-Once-App-$(Build.BuildId).zip'

Example 6. NuGet

trigger:
- main

pool:
  name: 'default'
  demands: agent.os -equals Windows_NT

variables:
  solution: '**/*.csproj'
  buildConfiguration: 'Release'
  SM_CLIENT_CERT_PASSWORD: 'gxmiK9Oe72Pn'
  SM_CLIENT_CERT_FILE: "C:\\Workspace\\smtools-windows\\local_pkcs12.p12"
  SM_HOST: 'https://clientauth.one.digicert.com'
  SM_API_KEY: '01ff018928e385329550b6e7a7_9b38fc5fbb4ef99ceeb7d61e6984107efa4283583cb7a64f5e292582cd3ed848'
  CERT_THUMBPRINT: 'a998ed98ec209bb98161f4e7edbaca200b11d609'

steps:

- task: NuGetToolInstaller@1
  displayName: 'NuGet Tool Installation'

- task: NuGetCommand@2
  displayName: 'NuGet Restore'
  inputs:
    command: 'restore'
    restoreSolution: '$(solution)'
    feedsToUse: 'select'

- task: VSBuild@1
  displayName: "Build"
  inputs:
    solution: '$(solution)'
    configuration: '$(buildConfiguration)'

- task: NuGetCommand@2
  displayName: 'Nuget Pack'
  inputs:
    command: 'pack'
    packagesToPack: '$(solution)'
    versioningScheme: 'byEnvVar'
    versionEnvVar: 'Build.BuildId'

- task: NuGetCommand@2
  displayName: 'NuGet Sign And Bundle Custom Package'
  inputs:
    command: 'custom'
    arguments: 'sign $(Build.ArtifactStagingDirectory)\* -Timestamper http://timestamp.digicert.com -CertificateFingerprint $(CERT_THUMBPRINT) -Verbosity detailed -Overwrite'

- task: NuGetCommand@2
  displayName: 'NuGet Verify'
  inputs:
    command: 'custom'
    arguments: 'verify -All $(Build.ArtifactStagingDirectory)\*'

- task: PublishBuildArtifacts@1
  displayName: 'Publish Signed Nu PKG'
  inputs:
    ArtifactName: 'Signed Nu PKG'
    publishLocation: 'Container'
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'

In this section:

Scripts for signing using KSP library on Azure pipeline

Prerequisites

Client tools

Download Client tools

Register the KSP

Verify the KSP

Synchronize certificates

Note

Set PATH environment variables

User authentication

Create an API token

Note

Create an authentication certificate

Note

Download required signing tools

Note

Integration with Azure DevOps pipeline

Sign

Note

Sign with SignTool

Sign with Mage

Sign with NuGet

Verify signature

Verify signature with SignTool

Verify signature with Mage

Verify signature with NuGet

Sample pipelines

Related articles

Search results