
Signer guide

Follow this guide to get ready to sign while your private key remains securely stored in DigiCert® Software Trust Manager.

Tip

This guide assumes that your account Lead has already created a keypair and certificate as shown in the Lead guide.

Prerequisites

Before downloading your tools, review the Software Trust Manager tools available for your operating system and identify the tools you require for signing.

Tip

We recommend downloading the tool package for your operating system. This ensures that you have everything you need in one download.

What tools do I need for signing?

The following Software Trust Manager tools are available based on your operating system:

Client tool

Description

Windows

Linux

macOS

AIX

Signing Manager CTL (SMCTL)

Signing Manager Controller (SMCTL) provides a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.

Yes

Yes

Yes

Yes

PKCS11 library

Public-Key Cryptography Standards 11 (PKCS11) library integrates with any operating system that supports Java and any Java architecture, including 64-bit, 32-bit, and ARM processors.

Yes

Yes

Yes

JCE library

Java Cryptography Extension (JCE) integrates with non-Microsoft signing tools while maintaining key protection, permission-based access and reporting all signing

Yes

CSP library

Cryptographic Service Provider (CSP) is a library-based client-side tool that implements the Crypto API (CAPI) supported in Windows 2008 and later.

Yes

KSP library

Key Service Provider (KSP) library is a Microsoft CNG (Cryptographic: Next Generation) library-based client-side tool.

Yes

GPG smart card daemon (SCD)

GPG Smart Card Daemon (SCD) is a GPG-compliant SCD client-side tool that integrates with the GPG-agent (part of the GPG tool suite) for all GPG-based hash signing use cases.

Yes

Yes

Yes

Yes

DigiCert Click-to-sign

DigiCert Click-to-sign provides Windows customers with a simple UI-based signing workflow that does not require use of the command line.

Yes

CryptoTokenKit

CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in DigiCert® Software Trust Manager.

Yes

Windows Clients Installer (recommended)

This Windows clients package provides a wizard-supported installation experience and downloads multiple clients you may need for signing in one download. These clients include:

  • Signing Manager Controller (SMCTL)

  • PKCS11 library

  • Cryptographic Service Provider (CSP) library

  • Key Service Provider (KSP) library

  • Java Cryptography Extension (JCE) library

  • ReversingLabs scanning tool (rl-deploy)

Yes

Linux Clients (recommended)

This Linux clients package allows you to download multiple clients you may need for signing in one download. These clients include:

  • Signing Manager Controller (SMCTL)

  • PKCS11 library

  • Java Cryptography Extension (JCE) library

  • ReversingLabs scanning tool (rl-deploy)

Yes

AIX Clients (recommended)

This AIX clients package allows you to download multiple clients you may need for signing in one download. These clients include:

  • Signing Manager Controller (SMCTL)

  • JCE library

Yes

Download tools

To download Software Trust Manager tools:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > Software Trust > Resources > Client tool repository.

  3. Select your operating system.

  4. Select the download icon next to the tool you want to download.

Software Trust Manager offers simplified signing with third-party signing tools. Refer to Files supported for signing for a list of compatible tools and what they can be used to sign.

Which signing tools do I need?

Follow these instructions to identify the signing tools you require:

  1. Identify the tools available for your operating system.

  2. Identify the file types you need to sign.

  3. Select the signing tool name associated with the file types you want to sign.

  4. Follow the instructions to install the signing tool and integrate it with SMCTL.

When you sign your software, your API key and client authentication certificate authenticate you to DigiCert® Software Trust Manager, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).

Tip

Service users are generally used for automated signing and therefore do not have credentials to access DigiCert ONE. However, service users can still sign and access resources like keys and certificates in DigiCert® Software Trust Manager when authenticated by an API token and client authentication certificate.

Create an API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.

Note

Your API key and client authentication certificate inherit your user permissions or role.

Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access Software Trust Manager client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.

Note

You can set a proxy to verify the connection by following the instructions below for your operating system:

To confirm that your credentials and signing tools were configured correctly:

  1. Open SMCTL.

  2. Run the command:

    smctl healthcheck

    Output sample:

    --------- User credentials ------
    Status: Connected
    
    Username: john.doe
    Accounts: Example, Inc.
    Authentication: 2FA
    Environment: Unknown
    Credentials:
            Host: https://clientauth.one.digicert.com
            API key: 01a007567da265b5909d11b8ea_b70xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb9 (Pulled from environment variable)
            Client certificate file path: C:\Users\John.Doe\Documents\STM\JohnD_Auth_Cert_2023.p12
            Client certificate password: JM7QxxxxxxqO (Pulled from environment variable)
    API keys:
            Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Client certificates:
            Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
            Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
    Privileges:
            Can sign: Yes
            Can approve release window: Yes
            Can revoke certificate: Yes
    
    Permissions:
    Account Manager:
            VIEW_AM_USER
            VIEW_AM_ORGANIZATION
            MANAGE_AM_PERMISSION
            VIEW_AM_ROLE
            VIEW_AM_ACCOUNT
            VIEW_AM_AUDIT_LOG
    
    Keypairs:
            MANAGE_SM_KEYPAIR
            VIEW_SM_KEYPAIR
    
    Certificates:
            VIEW_SM_CERTIFICATE
            REVOKE_SM_CERTIFICATE
    
    Other permissions:
            MANAGE_SM_CC_API_KEY
    
    --------- Signing tools ---------
    Nuget:
            Mapped: No
    Jarsigner:
            Mapped: No
    Apksigner:
            Mapped: No
    Signtool 32 bit:
            Mapped: No
    Signtool:
            Mapped: Yes
            Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe
    Mage:
            Mapped: No
    

Note

If the healthcheck fails, troubleshoot the following.

Ensure that:

  • You provided the correct host in the environment variable.

  • You provided the correct API token in the environment variable.

  • You provided the correct client authentication certificate in the environment variable.

  • You provided the correct password for your client authentication certificate.

  • You have a stable internet connection.

  • If the organization's proxy is enabled, you need to add these settings to the environment variables.
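
A way to gate a pipeline on the healthcheck result, as an added example that is not DigiCert's code: the Python below parses output laid out like the sample above and reports failed status checks, expired or soon-to-expire API keys and client certificates, and a missing signing-tool mapping. The function name audit_healthcheck, the 30-day warning threshold, and the assumption that smctl keeps the layout of the sample output are choices made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed input: abridged from the sample healthcheck output on this page.
SAMPLE = """\
--------- User credentials ------
Status: Connected
Authentication: 2FA
API keys:
        Name: John API Token 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Client certificates:
        Name: John Auth Cert (expires on Tue, 31 Jan 2023 23:59:59 UTC)
        Name: John Auth Cert 2023 (expires on Fri, 31 Jan 2025 23:59:59 UTC)
Privileges:
        Can sign: Yes
--------- Signing tools ---------
Jarsigner:
        Mapped: No
Signtool:
        Mapped: Yes
"""

FIELD = re.compile(r"^\s*(Status|Authentication|Can sign): (\S.*?)\s*$", re.M)
EXPIRY = re.compile(r"Name: (.+) \(expires on (.+) UTC\)")

def audit_healthcheck(text, now, warn_days=30):
    """Return findings for a pipeline gate; an empty list means pass."""
    findings = []
    fields = dict(FIELD.findall(text))
    # Expected values are the ones shown in the sample output (assumption).
    for key, want in (("Status", "Connected"), ("Authentication", "2FA"),
                      ("Can sign", "Yes")):
        if fields.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {fields.get(key)!r}")
    # API keys and client certificates share the same "expires on" format.
    for name, stamp in EXPIRY.findall(text):
        expires = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S")
        days = (expires.replace(tzinfo=timezone.utc) - now).days
        if days < 0:
            findings.append(f"expired: {name}")
        elif days < warn_days:
            findings.append(f"expires in {days} days: {name}")
    if not re.search(r"^\s*Mapped: Yes\s*$", text, re.M):
        findings.append("no signing tool mapped")
    return findings

if __name__ == "__main__":
    for finding in audit_healthcheck(SAMPLE, datetime.now(timezone.utc)):
        print("FINDING:", finding)
```

In a pipeline, pass the captured output of smctl healthcheck as text and fail the job when the returned list is not empty. Keep that captured output out of build logs, since it includes credential details.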

Integrate DigiCert® Software Trust Manager into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. Software Trust Manager offers CI/CD plugins and script integrations, both of which incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.

To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.

Follow the instructions in the following articles to sign while your private key remains in Software Trust Manager: