Skip to main content

CryptoTokenKit (CTK)

DigiCert​​®​​ Software Trust Manager CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension. CTK is used to sign Apple binaries while the keys are stored remotely in Software Trust.

CTK is a macOS GUI app named DigiCert SSM Signing Clients.app. This app can also be used as a Command Line Interface (CLI). (To learn more, see CryptoTokenKit CLI command manual.)

Prerequisites

What signing tools can the CTK integrate with?

The Software Trust CTK integrates with macOS signing tools while maintaining key protection, permission-based access, and reporting of all signing activities.

Review the following supported sign tools:

  • Codesign

  • Productsign

What can the CTK sign?

Software Trust CryptoTokenKit enables secure hash-based signing of Apple binaries, such as:

  • .app

  • .pkg

  • .dmg

Download and install CTK

  1. In the Software Trust menu, go to Resources > Client tool repository.

  2. Search for Software Trust Manager CryptoTokenKit (Portable zip), and then select the corresponding download (download_icon.png) icon.

  3. Extract the DigiCert SSM Signing Clients.zip file.

  4. Copy DigiCert SSM Signing Clients.app into your /Applications directory to make the application available to your MacOS.

  5. Run DigiCert SSM Signing Clients.app to open the GUI.

  6. Select Set environment.

  7. Provide your host environment.

    Table 1. Host options

    Country

    Host type

    SM_HOST value

    United States of America (USA)

    Demo

    https://clientauth.demo.one.digicert.com

    Production

    https://clientauth.one.digicert.com

    Switzerland (CH)

    Demo

    https://clientauth.demo.one.ch.digicert.com

    Production

    https://clientauth.one.ch.digicert.com

    Japan (JP)

    Demo

    https://clientauth.demo.one.digicert.co.jp

    Production

    https://clientauth.one.digicert.co.jp

    Netherlands (NL)

    Demo

    https://clientauth.demo.one.nl.digicert.com

    Production

    https://clientauth.one.nl.digicert.com


  8. Provide your API key.

  9. Provide your client authentication certificate path and password.

    Important

    Compatibility issue

    OpenSSL 3.x changed their default algorithm. This new algorithm isn't compatible with macOS SSL libraries, beginning with Ventura OS. This issue affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.12) because it relies on LibreSSL. See solution.

  10. Select Save.

Add keys to token

You can create a new token and add keys to your token using the CryptotokenKit GUI or the CLI:

Sign with codesign and productsign

In this section: