
Build engineer guide

The DigiCert® Software Trust Manager Build engineer:

  • Is responsible for scanning software using threat detection

  • Has permission to sign

The ReversingLabs scanning tool (rl-deploy) is included in the Software Trust client tools package.

To download client tools:

  1. Sign in to DigiCert ONE.

  2. In the Managers menu, select Software Trust.

  3. In the Software Trust menu, go to Resources > Client tool repository.

  4. Download the client tools package for your operating system:

When you sign your software, your API key and client authentication certificate, not your DigiCert ONE username and password, authenticate you to Software Trust. Together they provide two-factor authentication (2FA): a request is rejected unless it carries both the key and the certificate with its private key.

Tip

Service users are user-like entities designed specifically for API access and do not have credentials to sign in to DigiCert ONE. However, service users can sign and access resources like keypairs and certificates that are stored in Software Trust when authenticated by an API key and client authentication certificate.

Create an API key

An API key is a unique identifier that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It is sent with every request, so treat it as a secret.

Follow the procedure below based on your user type and role:

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It is presented together with its private key, so the certificate file and its password must be protected as secrets.

Follow the procedure below based on your user type and role:

Note

Your API key and client authentication certificate inherit your user permissions or role. Anyone holding both can do everything your account can do, including signing, so protect them accordingly.

The DigiCert ONE host URL, your API key, the path to your client authentication certificate, and the certificate's password are supplied to the Software Trust client tools as environment variables. Rather than hard-coding them in build scripts, store them securely using one of the methods below for your operating system.

As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing your software for consumption.

Tip

If you do not see Threat detection in the left navigation menu, contact your account manager to add Threat detection to your service agreement.

Software Trust offers the following types of threat detection:

Create a project to store all your related software scans, such as different versions of the same software. Each project has a descriptive name and a short project alias; the alias is what you reference in later commands.

Tip

Project aliases are limited to 150 characters and may contain only letters, digits, underscores, and hyphens.

To create a project, use the command:

smctl scan project create <project name> <project alias>

Command sample:

smctl scan project create project1 p1

Static Binary Analysis scan command

To scan software with Static Binary Analysis, use the command:

smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>

Command sample:

smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0

Tip

Refer to errors and solutions if you encounter an error.
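As an added example (not DigiCert's own code and not part of this page), the following POSIX shell wrapper shows one way to keep the credentials described above out of build scripts and to run the project-creation and scan commands with the project alias rule enforced before smctl is ever called. It assumes the client tools read the environment variables SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD, which this page does not name, and the credential-file layout is this example's own convention.

```shell
#!/bin/sh
# Added example, not DigiCert's own tooling: a small CI wrapper around the
# smctl commands shown on this page. The variable names SM_HOST, SM_API_KEY,
# SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are assumed here; confirm
# them against the client tools documentation. The credential file format
# (one NAME=value per line, SM_* names only) is this example's own.

# Project aliases: at most 150 characters, letters, digits, underscore and
# hyphen only. Returns 0 when the alias is acceptable.
valid_alias() {
  a="$1"
  [ -n "$a" ] || return 1
  [ "${#a}" -le 150 ] || return 1
  case "$a" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Load NAME=value lines from a credential file. The file must be mode 600 or
# 400 so other local users cannot read the API key or certificate password.
# Lines are parsed, not sourced, so the file cannot execute anything, and
# values are exported without ever being printed.
load_credentials() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      *=*) ;;
      *) echo "malformed line in $f" >&2; return 1 ;;
    esac
    name=${line%%=*}
    value=${line#*=}
    case "$name" in
      *[!A-Za-z0-9_]*|'') echo "bad variable name in $f" >&2; return 1 ;;
      SM_*) ;;
      *) echo "rejecting non-SM_ variable $name in $f" >&2; return 1 ;;
    esac
    export "$name=$value"
  done < "$f"
}

# Fail fast if any assumed credential variable is unset or empty, naming the
# variables (never their values) so a broken pipeline is easy to diagnose.
missing_credentials() {
  missing=""
  for v in SM_HOST SM_API_KEY SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  missing=${missing# }
  if [ -n "$missing" ]; then
    echo "missing credential variables: $missing" >&2
    return 1
  fi
  return 0
}

# Run smctl with the given arguments when credentials are present and smctl
# is on PATH; otherwise print the exact command line to stderr and return 0,
# so the wrapper can be exercised on a machine without the client tools.
run_smctl() {
  missing_credentials || return 1
  if command -v smctl >/dev/null 2>&1; then
    smctl "$@"
  else
    echo "dry run: smctl $*" >&2
  fi
}

# smctl scan project create <project name> <project alias>
create_project() {
  valid_alias "$2" || { echo "invalid project alias: $2" >&2; return 1; }
  run_smctl scan project create "$1" "$2"
}

# smctl scan rl-scan --input <file> --project <alias> --scan-alias <alias> --version <version>
scan_software() {
  valid_alias "$2" || { echo "invalid project alias: $2" >&2; return 1; }
  [ -f "$1" ] || { echo "input not found: $1" >&2; return 1; }
  [ -n "$3" ] && [ -n "$4" ] || {
    echo "usage: scan_software <file> <project alias> <scan alias> <version>" >&2
    return 1
  }
  run_smctl scan rl-scan --input "$1" --project "$2" --scan-alias "$3" --version "$4"
}

# Typical pipeline use (credential file created once, mode 600, outside the repo):
#   load_credentials "$HOME/.config/smctl.env" && create_project project1 p1 \
#     && scan_software build/MVP.so p1 MVPscan1 1.0.0
```

The permission check matters more than it looks: a credential file committed to a repository or left world-readable on a shared build agent hands the API key and certificate password, and with them the user's signing permission, to anyone on that machine.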

To view threat detection scan details:

  1. Sign in to DigiCert ONE.

  2. In the Managers menu, select Software Trust.

  3. In the Software Trust menu, go to Threat detection.

  4. Select the Scan alias to view the report.

As a build engineer, if you also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust.