Build engineer guide

The DigiCert® Software Trust Manager Build engineer:

Is responsible for scanning software using threat detection
Has permission to sign

Download client tools

ReversingLabs scanning tool (rl-deploy) is included in Software Trust client tools package.

To download client tools:

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Resources > Client tool repository.
Download the following based on your operating system:
- Windows Clients Installer
- Linux Clients

Create your credentials

When you sign your software, your API key and client authentication certificate verifies you to Software Trust, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).

Tip

Service users are user-like entities designed specifically for API access and do not have credentials to access DigiCert ONE. However, service users can sign and access resources like keypairs and certificates that are stored in Software Trust when authenticated by an API token and client authentication certificate.

Create an API key

An API key is a unique identifier that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Example 1. Standard user

Standard users can create their own API token because they have access to DigiCert ONE.

To create an API key:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
On the Admin page, in the API key section, select Create API token.
On the Create API key page, add the details as needed:
1. Name
  Enter a name for the API token. This name is the display name on the API token cards. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
2. End date (optional)
  Adding an end date is not required. The end date is in UTC. For example, if you select 12 August 2023 as your end date, your API token expires on 12 August 2023 at 23:59:59 UTC.
  Note
  If you add an end date, make sure to note when the API token expires. You must update all API integrations using the API token before it expires. If you don't, the API token integrations will stop working.
  You can always edit the API token details and extend the expiration date before it expires.
Select Create.
On the Congratulations page, copy the API token and save it in a secure location so you can use it later.
Important
The API token is only displayed only once. You cannot access it after you select Finish. If you ever lose the API token, you'll need to delete the lost token and create a new one.
After you save the token, select Finish.

Example 2. Service user

An API key is only generated when you create a new service user. You cannot regenerate an API key for an existing service user.

Tip

The DigiCert® Account Manager permission: Manage users is required to create a service user.

To create a service user:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Service User.
Select Create service user.
Enter service user details:
1. Friendly name
  Enter a unique display name. The name must include only letters, numbers, spaces, dashes, and underscores. Actions are logged under this name.
2. Optional: Description
  Add additional information about the service user. This description only appears in the Service user details.
3. Optional: End date
  Specify an expiration date (UTC). For example, selecting January 12, 2026 means the service user expires at 23:59:59 UTC.
  Tip
  Update API integrations using this token ID before expiration to prevent disruptions. If needed, you can extend the expiration date later.
4. Email
  Provide the email address of the person managing this service user's credentials. DigiCert ONE does not send emails to this address, so communicate any necessary details directly.
5. Accounts that this service user can access
  In the dropdown, select the accounts that this service user can access for their API integrations.
6. DigiCert ONE Manager access
  Assign one or more DigiCert ONE Managers. The service user can access the API for each Manager assigned here.
Assign accounts and access:
1. In the Accounts that can use this service user field, select the accounts this service user needs to interact with.
2. In the DigiCert ONE Manager access field, assign one or more managers the service user will access via the API.
Select Next.
On the Roles and permissions page, select the user roles for each manager assigned to the service user.
Tip
Only assign roles necessary for the task or integration. If required, you can update these roles later.
Select Create service user.
In the Service user token ID window, copy the ID and save it securely.
Important
The token ID is displayed only once and cannot be recovered if lost.
After saving the token ID, select Close.

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Example 3. Standard user

Standard users can create their own client authentication certificate because they have access to DigiCert ONE.

To generate a client authentication certificate:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Users > Client authentication certificates.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter the certificate expiration date. Make sure that the certificate expiration date does not expire after the API token expiration date.
  If the API token end date does not fit your use case, update or remove the API token end date first. Then come back and generate the authentication certificate.
  Note
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Note
The certificate's password is only displayed only once. You cannot access it after you select Download certificate. If you lose the password, you will need to generate a new authentication certificate.
Select Download certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Note
You cannot download the certificate again. If you lose your certificate, you will need to generate a new authentication certificate.
Select Close.

Example 4. Service user

Service users do not have access to DigiCert ONE, therefore a standard user will need to generate a client authentication certificate for the service user.

Tip

The DigiCert® Account Manager permission: Manage users is required to create a client authentication certificate for a service user.

To create a client authentication certificate for a service user:

Sign in to DigiCert ONE.
In the Managers (grid icon) menu, select Account.
In the Account menu, go to Access > Service User.
In the Friendly name column, select the service user's friendly name.
Navigate to the Client authentication certificates section.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This is the friendly name shown on the Service user details page. The name must be unique and may only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter an expiry date for the certificate.
  Tip
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Tip
This password is required for installation and API requests. You will not be able to retrieve it later.
Download Download certificate.
Tip
You cannot download it again. If lost, you must generate a new certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Select Close.

Note

Your API key and client authentication certificate inherit your user permissions orrole.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access Software Trust client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.

Example 5. Windows

DigiCert recommends storing your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.

Example 6. Linux

DigiCert recommends storing your API key and client authentication certificate password in Linux Pass, a password manager that uses GnuPG for encryption and decryption of stored information.

Example 7. macOS

DigiCert recommends storing your API key and client authentication certificate password in Keychain Access, an application that stores your passwords and account information.

Manage threat detection

As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing your software for consumption.

Tip

If you do not see Threat detection in the left navigation menu, contact your account manager to add Threat detection to your service agreement.

Software Trust offers the following types of threat detection:

Example 8. Static binary analysis

Scan all components found in your software prior to release, to identify malware, vulnerabilities, secrets, and more in your developers' code and any third-party components integrated into your software.

If you have subscribed to use this service, the following documentation may be useful to you:

Example 9. Software composition analysis

Scan open-source components in your development workflow to help your team automatically track, manage, and remediate licensing issues and vulnerabilities before releasing your software.

If you have subscribed to use this service, the following documentation may be useful to you:

Create a project

Create a project to store all your related software scans, such as different versions of the same software. The software project will be referred to by a descriptive name and a project alias to allow for easy reference.

Tip

Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.

To create a project, use the command:

smctl scan project create <project name> <project alias>

Command sample:

smctl scan project create project1 p1

Static Binary Analysis scan command

To scan software with Static Binary Analysis, use the command:

smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>

Command sample:

smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0

Tip

Refer to errors and solutions if you encounter an error.

View scan

To view threat detection scan details:

Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
In the Software Trust menu, go to Threat detection.
Select the Scan alias to view the report.

Sign your software (optional)

As a build engineer, if you also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust.

In this section:

Build engineer guide

Download client tools

Create your credentials

Tip

Create an API key

Note

Important

Tip

Tip

Tip

Important

Create a client authentication certificate

Note

Note

Note

Tip

Tip

Tip

Tip

Note

Secure your credentials

Manage threat detection

Tip

Create a project

Tip

Static Binary Analysis scan command

Tip

View scan

Sign your software (optional)

Search results