CryptoTokenKit CLI command manual
Use the commands below as “DigiCert SSM Signing Clients.app” as Command Line Interface (CLI).
Note
The “smctl” command tells the “DigiCert SSM Signing Clients.app” use the app as Command Line Interface (CLI).
Basic command
SMCTL commands begin with:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl
Tip
To avoid providing this long file path in every command, create a symlink as shown below.
Symlink
A symlink acts as a shortcut and points to another file or folder on your computer, or a connected file system. Use the following command to identify "<Path_to_the_app>/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients"
as DigicertSmctl to shorten your commands.
To create a symlink:
sudo ln -s "<Path_to_the_app>/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" DigicertSmctl
Basic symlink SMCTL command
The basic SMCTL command once the symlink is created is shown below.
To see all available commands:
% ./DigicertSmctl smctl
Command output:
Digicert Secure Signing Manager Command line Client for MacOS Usage: "DigiCert SSM Signing Clients" smctl "DigiCert SSM Signing Clients" smctl [command] Available Commands: keypair Manage Keypairs token Manage Token environment Manage Environment Variables Flags: -h, --help Help for smctl Use '"DigiCert SSM Signing Clients" smctl [command] --help' for more information about a command
Environment variable commands
You can add different DigiCert® Software Trust Manager credentials to your macOS keychain by using the environment command.
By adding these environment variables to access DigiCert® Software Trust Manager you can also access the “Digicert SSM Signing Clients.app” UI and perform other codesign and productsign commands.
The variables saved in keychain via UI application also can be directly used in the CLI without adding a new value as the values saved in keychain are in constant state.
To view environment variable commands:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment
Command output:
Digicert Secure Signing Manager Command line Client for MacOS Manage Environment Usage: "DigiCert SSM Signing Clients" smctl environment "DigiCert SSM Signing Clients" smctl environment [command] Available Commands: add Add Environment Variables Flags: -h, --help Help for smctl Use '"DigiCert SSM Signing Clients" smctl environment [command] --help' for more information about a command
To add environment variables:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add
Command output:
Digicert Secure Signing Manager Command line Client for MacOS Add Environment Variables Usage: "DigiCert SSM Signing Clients" smctl environment add [environement variable flags] Flags: -h, --help Help for Add Environment Variables --host host --api-key API key --client-certificate-file Client Certificate file path --client-certificate-password Client Certificate File Password --http-proxy-host HTTP Proxy Host --http-proxy-port HTTP Proxy Port --http-proxy-username HTTP Proxy Username --http-proxy-password HTTP Proxy Password
Note
Use '"DigiCert SSM Signing Clients" smctl environment add --help' for more information about a command.
To add a proxy environment variable:
Note
Place the P12 client auth certificates in /User/user.name/Downloads/ folder or its subfolder to make the certificate available to your MacOS.
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add --host <digicert_cloud_host_url> --api-key <api_key> --client-certificate-file <Client Certificate P12 path> --client-certificate-password <client p12 certificate password> --http-proxy-host <http proxy_host> --http-proxy-port <http proxy_host_port> --http-proxy-username <http proxy username> --http-proxy-password <http proxy password>
Command output:
Configuration saved into Keychain Successfully
To view environment variables:
Command output:
Digicert Secure Signing Manager Command line Client for MacOS Add Environment Variables +-----------------------------+--------------------------------+ | key | value | +-----------------------------+--------------------------------+ | host | https://one.digicert.com | | api-key | ******** | | client-certificate-file | ******** | | client-certificate-password | ******** | | http-proxy-host | | | http-proxy-port | | | http-proxy-username | | | http-proxy-password | | +-----------------------------+--------------------------------+
Token commands
You can add keys used for codesign and productsign to a token using the token management command. The token can be added from the UI or from the CLI.
List token command
Run below list command to check if the token has been added. Note: This command will only show the token once keys are added to it.
Command:
% security list-smartcard
Output:
DigiCert.TokenExtension:SSM0123456789
To see all commands available for managing tokens:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token
Command output:
Digicert Secure Signing Manager Command line Client for MacOS Manage Tokens Usage: "DigiCert SSM Signing Clients" smctl token [command] Available Commands: add-token Add new token remove-token Clean token Flags: -h, --help Help for smctl Use '"DigiCert SSM Signing Clients" smctl token [command] --help' for more information about a command
To add a new token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token add-token
Command output:
Token Id - SSM0123456789 added successfullySSM0123456789 added successfully
To remove a token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token remove-token
Command output:
Removing contents (keys, certs, configuration data) from token configuration Token removed Successfully
Keypair commands
Use the commands below to fetch keypairs from DigiCert® Software Trust Manager and add them to the token present on the MacOS. These keypairs can be used to sign apps using codesign and productsign.
Basic manage keys command
Command:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair
Output:
Digicert Secure Signing Manager Command line Client for MacOS Manage Keys Usage: "DigiCert SSM Signing Clients" smctl keypair "DigiCert SSM Signing Clients" smctl keypair [command] Available Commands: ls List Keypairs add-keys Add keys to token remove-keys Remove keys from token Flags: -h, --help Help for smctl keypair Use '"DigiCert SSM Signing Clients" smctl keypair [command] --help' for more information about a command
To list keypairs:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair ls
Command output:
Fetching keypair data from Digicert Secure Signing Manager Cloud +--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+ | Keypair ID | Alias | Keypair Algorithm | Key Type | Key Storage | Key Size/Curve | +--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+
To add keys to the token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys [space separated keypair Ids and/or Keypair Aliases of the keypairs on DigiCert SSM Cloud]
Sample command:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys AppleCSMay2022 140aa250-55e9-4561-b85e-907ed2390e7a
Output:
Fetching keypair data from Digicert Secure Signing Manager Cloud Setting key and certificates to token for key id - 4e7ff99e-69ba-4804-bfe0-c4bad0316e99, alias - AppleCSMay2022 Setting key and certificates to token for key id - 140aa250-55e9-4561-b85e-907ed2390e7a, alias - RsaKp1
Remove keys
This command also removes the token. Select Add new Token Command to add new token before adding keys back to token.
To remove keys from the token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair remove-keys
Output command:
Removing contents (keys, certs, configuration data) from token configuration Keys, certs, configuration data from token configuration removed Successfully
View keys on token
Use this command to check the keys added to the token.
To view keys on the token:
security export-smartcard
Sample command:
% security export-smartcard
Command output:
==== private key #1 crtr : 0 esiz : 0 decr : 0 persistref : <> atag : "" kcls : 1 agrp : "com.apple.token" pdmn : "dk" bsiz : 2,048 type : 42 klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> edat : 2001-01-01 00:00:00 +0000 sign : 1 mdat : 2022-01-20 05:43:35 +0000 drve : 0 labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" sync : 0 musr : <> sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84> cdat : 2022-01-20 05:43:35 +0000 tkid : "DigiCert.TokenExtension:SSM0123456789" sdat : 2001-01-01 00:00:00 +0000 tomb : 0 priv : 1 accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } unwp : 0 ==== ==== identity #1 class : "idnt" slnr : <54 79 df 37 c1 24 fb 57> certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42} certtkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ctyp : 3 mdat : 2022-01-20 05:43:35 +0000 sdat : 2001-01-01 00:00:00 +0000 bsiz : 2,048 type : 42 sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb> pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> cdat : 2022-01-20 05:43:35 +0000 skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> tomb : 0 UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709" persistref : <> accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } sync : 0 tkid : "DigiCert.TokenExtension:SSM0123456789" pdmn : "dk" musr : <> subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53> sign : 1 esiz : 0 decr : 0 atag : "" edat : 2001-01-01 00:00:00 +0000 klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> crtr : 0 unwp : 0 issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 kcls : 1 agrp : "com.apple.token" labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC" drve : 0 ==== ==== certificate #1 class : "cert" subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 ctyp : 3 pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> persistref : <> agrp : "com.apple.token" pdmn : "dk" labl : "apple_key" UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD" mdat : 2022-01-20 05:43:35 +0000 slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05> sync : 0 sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab> tkid : "DigiCert.TokenExtension:SSM0123456789" musr : <> cdat : 2022-01-20 05:43:35 +0000 tomb : 0 skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> accc : constraints: { ord : true } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } ====
Sign with SMCTL
To sign with SMCTL and the Cryptokenkit:
smctl-mac-x64 sign -tool <codesign or productsign> --keypair alias <Apple codesign keypair alias> --input <path to unsigned file> --verbose
Command sample
smctl-mac-x64 sign -tool codesign --keypair alias AppleCodeSign --input /Users/john.doe/downloads/example.app --verbose
Troubleshooting
Failed to access token
Error: Failed to add token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")
Failed to get environment variables or environment variables were not added to the keychain.
Error: Failed to add token. configurationError(message: "No application configration found, please set environment first!")
Failed to access token
Error: Failed to remove token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")
Failed to get environment variables or environment variables were not added to the keychain.
Error: Failed to remove token. configurationError(message: "No application configration found, please set environment first!")
Failed to fetch Keypairs from DigiCert SSM Cloud
Error: Failed to get keys. configurationError(message: "Failed to fetch keypairs from cloud.")
Failed to get environment variables or environment variables were not added to keychain.
Error: Failed to get keys. configurationError(message: "No application configuration found, please set environment first!")
The keypair was not found for given keypair ID or Key alias.
Error: Failed to add keys to token. configurationError(message: "KeyPair not found for id or alias id/alias")
Failed to fetch keypairs from DigiCert DigiCert® Software Trust Manager cloud.
Error: Failed to add keys to token. configurationError(message: "Failed to fetch keypairs from cloud. error")
Failed to get environment variables or environment variables are not added to the keychain.
Error: Failed to add keys to token. configurationError(message: "No application configration found, please set environment first!")
Token has not been added or cannot access token.
Error: Failed to add keys to token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")
Failed to set token due to other reasons.
Error: Failed to add keys to token. configurationError(message: "Failed to set token configurtion data: error_info")