
CryptoTokenKit (CTK)

DigiCert® Software Trust Manager CryptoTokenKit (CTK) is an implementation of the Apple CryptoTokenKit extension and is used to sign Apple binaries while the keys are stored remotely in DigiCert® Software Trust Manager.

DigiCert® Software Trust Manager CTK is a macOS GUI app named DigiCert SSM Signing Clients.app. The app can also be used as a Command Line Interface (CLI); see the CryptoTokenKit CLI command manual.

Prerequisites

What signing tools can the CTK integrate with?

The DigiCert® Software Trust Manager CTK integrates with the following signing tools provided as part of macOS while maintaining key protection, permission-based access, and reporting of all signing activities:

  • Codesign

  • Productsign

What can the CTK sign?

DigiCert® Software Trust Manager CryptoTokenKit enables secure hash-based signing of Apple binaries, such as:

  • .app

  • .pkg

  • .dmg

Download CTK

  1. Sign in to DigiCert ONE.

  2. Navigate to Manager menu > Software Trust.

  3. Select Resources > Client tool repository.

  4. Select Apple as your operating system.

  5. Click the download icon next to DigiCert® Software Trust Manager CryptoTokenKit.

Install CTK

After downloading the DigiCert® Software Trust Manager CryptoTokenKit, follow these steps:

  1. Extract the DigiCert SSM Signing Clients.zip file.

  2. Copy DigiCert SSM Signing Clients.app into your /Applications directory to make the application available on macOS.

  3. Run DigiCert SSM Signing Clients.app to start the GUI.

  4. Click Set environment.

  5. Provide your host environment.

    Table 1. Host options

    Country                         Host type   SM_HOST value
    United States of America (USA)  Demo        https://clientauth.demo.one.digicert.com
    United States of America (USA)  Production  https://clientauth.one.digicert.com
    Switzerland (CH)                Demo        https://clientauth.demo.one.ch.digicert.com
    Switzerland (CH)                Production  https://clientauth.one.ch.digicert.com
    Japan (JP)                      Demo        https://clientauth.demo.one.digicert.co.jp
    Japan (JP)                      Production  https://clientauth.one.digicert.co.jp
    Netherlands (NL)                Demo        https://clientauth.demo.one.nl.digicert.com
    Netherlands (NL)                Production  https://clientauth.one.nl.digicert.com


  6. Provide your API key.

  7. Provide your client authentication certificate path and password.

    Important

    Compatibility issue

    OpenSSL 3.x changed its default algorithm. The new algorithm is not compatible with the macOS SSL libraries, starting with macOS Ventura. This issue affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.12) because it relies on LibreSSL. See solution.

  8. Click Save.
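
The compatibility issue noted in step 7 can be checked before a certificate is handed to Keychain. The following is an added example, not DigiCert code: it classifies the algorithm lines that `openssl pkcs12 -info -noout` prints. The sample outputs are constructed, and `P12_PASSWORD` and `OPENSSL_BIN` are assumed environment variable names.

```shell
#!/bin/sh
# Added example, not DigiCert code. Sample outputs below are constructed.

# classify_p12_info: reads `openssl pkcs12 -info -noout` text on stdin, prints
#   modern  - PBES2/AES encryption or a SHA-2 MAC (OpenSSL 3.x defaults)
#   legacy  - SHA-1 based PBE (RC2/3DES) and SHA-1 MAC (pre-3.0 defaults)
#   unknown - no algorithm lines found (for example, the file did not parse)
# A file with any modern component is reported as modern.
classify_p12_info() {
  p12_info=$(cat)
  case "$p12_info" in
    *PBES2*|*AES-???-CBC*|*"MAC: sha2"*|*"MAC: sha3"*|*"MAC: sha5"*) echo modern ;;
    *pbeWithSHA1And*|*"MAC: sha1,"*) echo legacy ;;
    *) echo unknown ;;
  esac
}

# check_p12 FILE: classify a real file. Assumed names: P12_PASSWORD holds the
# password (kept off the command line); OPENSSL_BIN selects the openssl binary.
check_p12() {
  "${OPENSSL_BIN:-openssl}" pkcs12 -in "$1" -info -noout \
    -passin env:P12_PASSWORD 2>&1 | classify_p12_info
}

sample_openssl3_default() {   # constructed sample
  cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
}

sample_legacy() {             # constructed sample
  cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Inspect a file when a path is given; otherwise only define the functions.
if [ "$#" -gt 0 ]; then check_p12 "$1"; fi
```

A result of `modern` for a client authentication certificate is the condition the compatibility note describes.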

Add keys to token

You can create a new token and add keys to your token using the CryptoTokenKit GUI or the CLI:

Sign with codesign and productsign