CryptoTokenKit (CTK)
DigiCert® Software Trust Manager CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in DigiCert® Software Trust Manager.
DigiCert® Software Trust Manager CTK is a macOS GUI app named DigiCert SSM Signing Clients.app. The same app can also be used as a Command Line Interface (CLI); see the CryptoTokenKit CLI command manual.
Prerequisites
CryptoTokenKit (CTK)
What signing tools can the CTK integrate with?
The DigiCert® Software Trust Manager CTK integrates with the following signing tools shipped as part of macOS, while keeping the private keys protected in Software Trust Manager, enforcing permission-based access, and reporting all signing activity:
Codesign
Productsign
What can the CTK sign?
DigiCert® Software Trust Manager CryptoTokenKit enables secure hash-based signing of Apple binaries, such as:
.app
.pkg
.dmg
Download CTK
Sign in to DigiCert ONE.
Navigate to Manager menu > Software Trust.
Select Resources > Client tool repository.
Select Apple as your operating system.
Click the download icon next to DigiCert® Software Trust Manager CryptoTokenKit.
Install CTK
After downloading the DigiCert® Software Trust Manager CryptoTokenKit, follow these steps:
Extract the DigiCert SSM Signing Clients.zip file.
Copy DigiCert SSM Signing Clients.app into your /Applications directory to make the application available to macOS.
Run DigiCert SSM Signing Clients.app to start the GUI.
Click Set environment.
Provide your host environment.
Table 1. Host options

Country                          Host type    SM_HOST value
United States of America (USA)   Demo         https://clientauth.demo.one.digicert.com
United States of America (USA)   Production   https://clientauth.one.digicert.com
Switzerland (CH)                 Demo         https://clientauth.demo.one.ch.digicert.com
Switzerland (CH)                 Production   https://clientauth.one.ch.digicert.com
Japan (JP)                       Demo         https://clientauth.demo.one.digicert.co.jp
Japan (JP)                       Production   https://clientauth.one.digicert.co.jp
Netherlands (NL)                 Demo         https://clientauth.demo.one.nl.digicert.com
Netherlands (NL)                 Production   https://clientauth.one.nl.digicert.com
Provide your API key.
Provide your client authentication certificate path and password.
Important
Compatibility issue
OpenSSL 3.x changed its default algorithm for encrypting PKCS#12 files. The new algorithm is not compatible with the macOS SSL libraries starting with macOS Ventura. This affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.p12), because Keychain relies on LibreSSL. See the solution.
Click Save.
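As an added example (not DigiCert's tooling and not code from this page), the following POSIX shell script sets SM_HOST from Table 1, flags a cert.p12 that was written with the OpenSSL 3 defaults described in the compatibility note, and then signs and verifies a bundle with codesign through the CTK-backed identity. It assumes SM_API_KEY, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD as the variable names for the API key and client certificate, and uses placeholder paths and a placeholder signing identity.

```shell
#!/bin/sh
# Added example, not DigiCert's own tooling. Assumptions: SM_API_KEY,
# SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are the variable names read
# alongside SM_HOST; the bundle path and signing identity are placeholders.

# Resolve the SM_HOST value for a country code and host type, as in Table 1.
sm_host_for() {
  case "$1/$2" in
    USA/Demo)       echo "https://clientauth.demo.one.digicert.com" ;;
    USA/Production) echo "https://clientauth.one.digicert.com" ;;
    CH/Demo)        echo "https://clientauth.demo.one.ch.digicert.com" ;;
    CH/Production)  echo "https://clientauth.one.ch.digicert.com" ;;
    JP/Demo)        echo "https://clientauth.demo.one.digicert.co.jp" ;;
    JP/Production)  echo "https://clientauth.one.digicert.co.jp" ;;
    NL/Demo)        echo "https://clientauth.demo.one.nl.digicert.com" ;;
    NL/Production)  echo "https://clientauth.one.nl.digicert.com" ;;
    *) echo "unknown country/host type: $1/$2" >&2; return 1 ;;
  esac
}

# Takes the text printed by `openssl pkcs12 -info -noout`. Returns 0 when the
# file was written with the OpenSSL 3 defaults (PBES2/PBKDF2/AES-256-CBC), which
# is the Keychain compatibility problem noted above; 1 for the legacy PBE ciphers.
p12_uses_openssl3_defaults() {
  printf '%s\n' "$1" | grep -q 'PBES2'
}

# Sign with the CTK-backed identity (the private key stays in Software Trust
# Manager; codesign only receives the signature), then verify the result.
sign_and_verify() {
  codesign --force --sign "$2" --timestamp --options runtime "$1" || return 1
  codesign --verify --deep --strict --verbose=2 "$1"
}

main() {
  SM_HOST="$(sm_host_for "$1" "$2")" || return 1
  export SM_HOST
  export SM_API_KEY="${SM_API_KEY:?set your DigiCert ONE API key}"
  export SM_CLIENT_CERT_FILE="${SM_CLIENT_CERT_FILE:?path to cert.p12}"
  export SM_CLIENT_CERT_PASSWORD="${SM_CLIENT_CERT_PASSWORD:?certificate password}"
  info="$(openssl pkcs12 -info -noout -in "$SM_CLIENT_CERT_FILE" \
            -passin env:SM_CLIENT_CERT_PASSWORD 2>/dev/null)"
  if p12_uses_openssl3_defaults "$info"; then
    echo "warning: $SM_CLIENT_CERT_FILE uses OpenSSL 3 PBES2 defaults; Keychain on Ventura or later may not read it" >&2
  fi
  sign_and_verify "$3" "$4"
}
# Usage: ./ctk-sign.sh USA Production /path/to/MyApp.app "Developer ID Application: Example Corp"
[ $# -eq 0 ] || main "$@"
```

The warning only detects the condition; re-exporting the certificate with the legacy PKCS#12 ciphers is the remedy the linked solution describes.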
Add keys to token
You can create a new token and add keys to it using either the CryptoTokenKit GUI or the CLI: