DigiCert recommends storing your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.
Build engineer guide
The DigiCert® Software Trust Manager Build engineer is responsible for scanning software using threat detection and also has permission to sign.
Tip
For more information about how to run a scan and interpret a scan report, refer to Threat detection.
ReversingLabs scanning tool (rl-deploy) is included in Software Trust Manager client tools package.
To download client tools:
Sign in to DigiCert ONE.
Navigate to: Manager menu (top right) > Software Trust.
Select Resources > Client tool repository.
Download the following based on your operating system:
Linux Clients
During code signing, an API key and client authentication certificate is used to authenticate the user to DigiCert® Software Trust Manager, not the DigiCert ONE username and password. The API key and client authentication certificate provides two-factor authentication (2FA).
Service users are generally used for automated signing and therefore do not have credentials to access to DigiCert ONE. However service users can still sign and access keys and certificates in DigiCert® Software Trust Manager when authenticated by an API token and client authentication certificate.
Note
The permissions for the API key and client authentication certificate are based upon your user permissions orrole assigned for DigiCert® Software Trust Manager.
API key
An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.
Follow the procedure below based on your user classification:
Client authentication certificate
A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.
Follow the procedure below based on your user classification:
Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access Software Trust Manager client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.
Manage threat detection
As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing your software for consumption using our Dynamic Application Security Testing (DAST) service powered by ReversingLabs.
Tip
If you do not see Threat detection in the left navigation menu, contact your account manager to add ReversingLabs integration to your service agreement.
To install rl-deploy, run the following command in SMCTL:
smctl scan rl-install <new folder path to install>
Command samples
If you have administrator privileges, run this command in Administrator Command Prompt:
smctl scan rl-install "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\rl"
If you do not want to give rl-deploy administrator privileges, specify an installation location that does not require administrative privileges, such as:
smctl scan rl-install "C:\rl"
Command output
Downloading [==================================================] 100% [00m:07s] 187090012/187090012 bytes Unpacking package ... finished!
Tip
Refer to errors and solutions if you encounter an error.
Create a project to store all your related software scans, such as different versions of the same software. The software project will be referred to by a descriptive name and a project alias to allow for easy reference.
Tip
Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.
To create a project, use the command:
smctl scan project create <project name> <project alias>
Command sample:
smctl scan project create project1 p1
To scan software with Static Binary Analysis, use the command:
smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>
Command sample:
smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0
Tip
Refer to errors and solutions if you encounter an error.
View scan
To view threat detection scan details:
Sign in to DigiCert ONE.
Navigate to: Manager menu icon (top right) > Software Trust.
Select Threat detection.
Select the scan alias to view more details.
Review the following sections:
Next steps
If you as the build engineer also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust Manager.