CryptoTokenKit (CTK)
DigiCert® Software Trust Manager CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension. CTK is used to sign Apple binaries while the keys are stored remotely in Software Trust.
CTK is a macOS GUI app named DigiCert SSM Signing Clients.app. This app can also be used as a Command Line Interface (CLI). (To learn more, see CryptoTokenKit CLI command manual.)
What signing tools can the CTK integrate with?
The Software Trust CTK integrates with macOS signing tools while maintaining key protection, permission-based access, and reporting of all signing activities.
The following signing tools are supported:
Codesign
Productsign
What can the CTK sign?
Software Trust CryptoTokenKit enables secure hash-based signing of Apple binaries, such as:
.app
.pkg
.dmg
Download and install CTK
In the Software Trust menu, go to Resources > Client tool repository.
Search for Software Trust Manager CryptoTokenKit (Portable zip), and then select the corresponding download icon.
Extract the DigiCert SSM Signing Clients.zip file.
Copy DigiCert SSM Signing Clients.app into your /Applications directory to make the application available on macOS.
Run DigiCert SSM Signing Clients.app to open the GUI.
Select Set environment.
Provide your host environment.
Table 1. Host options

Country                          Host type    SM_HOST value
United States of America (USA)   Demo         https://clientauth.demo.one.digicert.com
                                 Production   https://clientauth.one.digicert.com
Switzerland (CH)                 Demo         https://clientauth.demo.one.ch.digicert.com
                                 Production   https://clientauth.one.ch.digicert.com
Japan (JP)                       Demo         https://clientauth.demo.one.digicert.co.jp
                                 Production   https://clientauth.one.digicert.co.jp
Netherlands (NL)                 Demo         https://clientauth.demo.one.nl.digicert.com
                                 Production   https://clientauth.one.nl.digicert.com
Provide your API key.
Provide your client authentication certificate path and password.
Important
Compatibility issue
OpenSSL 3.x changed its default algorithm. This new algorithm isn't compatible with the macOS SSL libraries, beginning with macOS Ventura. This issue affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.12) because it relies on LibreSSL. See solution.
Select Save.
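As an added pre-flight check for the Set environment step (example shell script, not DigiCert's code), the following validates that SM_HOST is one of the Table 1 values and classifies the client authentication certificate's PKCS#12 encryption scheme so that the OpenSSL 3.x compatibility issue is caught before Keychain import fails. SM_HOST, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are assumed shell variable names for the values entered in the GUI, not names from this page.

```shell
#!/bin/sh
# Added example, not DigiCert's code. Pre-flight checks for the values entered
# under "Set environment". Assumed variable names (not from the page):
#   SM_HOST                 one of the Table 1 SM_HOST values
#   SM_CLIENT_CERT_FILE     path to the client authentication certificate (PKCS#12)
#   SM_CLIENT_CERT_PASSWORD its password

# Return 0 only if "$1" is one of the Table 1 SM_HOST values.
valid_sm_host() {
    case "$1" in
        https://clientauth.demo.one.digicert.com|https://clientauth.one.digicert.com|\
        https://clientauth.demo.one.ch.digicert.com|https://clientauth.one.ch.digicert.com|\
        https://clientauth.demo.one.digicert.co.jp|https://clientauth.one.digicert.co.jp|\
        https://clientauth.demo.one.nl.digicert.com|https://clientauth.one.nl.digicert.com)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Read "openssl pkcs12 -info -noout" output from stdin and print which
# encryption scheme the PKCS#12 file uses:
#   openssl3-default  PBES2 (PBKDF2 + AES-256-CBC), the OpenSSL 3.x default that
#                     the compatibility note above says Keychain cannot read
#   legacy            the older pbeWithSHA1And... RC2/3DES schemes
#   unknown           neither marker was found in the output
p12_scheme() {
    info=$(cat)
    case "$info" in
        *PBES2*)            echo openssl3-default ;;
        *pbeWithSHA1And*)   echo legacy ;;
        *)                  echo unknown ;;
    esac
}

# Only runs when the certificate path is set and openssl is on PATH.
if [ -n "${SM_CLIENT_CERT_FILE:-}" ] && command -v openssl >/dev/null 2>&1; then
    valid_sm_host "${SM_HOST:-}" \
        || echo "warning: SM_HOST '${SM_HOST:-}' is not one of the Table 1 values"
    scheme=$(openssl pkcs12 -info -noout -in "$SM_CLIENT_CERT_FILE" \
                 -passin "pass:${SM_CLIENT_CERT_PASSWORD:-}" 2>/dev/null | p12_scheme)
    echo "client certificate PKCS#12 scheme: $scheme"
fi
```

A file reported as openssl3-default is commonly re-exported with OpenSSL 3's `openssl pkcs12 -export -legacy` option (legacy provider required); that is a general remedy, not necessarily the solution the note above links to.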
Add keys to token
You can create a new token and add keys to your token using the CryptoTokenKit GUI or the CLI: