Skip to main content

CryptoTokenKit CLI command manual

Use the commands below as “DigiCert SSM Signing Clients.app” as Command Line Interface (CLI).

Nota

The “smctl” command tells the “DigiCert SSM Signing Clients.app” use the app as Command Line Interface (CLI).

Basic command

SMCTL commands begin with:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl 

Sugerencia

To avoid providing this long file path in every command, create a symlink as shown below.

Environment variable commands

You can add different DigiCert​​®​​ Software Trust Manager credentials to your macOS keychain by using the environment command.

By adding these environment variables to access DigiCert​​®​​ Software Trust Manager you can also access the “Digicert SSM Signing Clients.app” UI and perform other codesign and productsign commands.

The variables saved in keychain via UI application also can be directly used in the CLI without adding a new value as the values saved in keychain are in constant state.

To view environment variable commands:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment

Command output:

Digicert Secure Signing Manager Command line Client for MacOS
Manage Environment

Usage:
  "DigiCert SSM Signing Clients" smctl environment
  "DigiCert SSM Signing Clients" smctl environment [command]

Available Commands:
  add        Add Environment Variables

Flags:
  -h,    --help    Help for smctl

Use '"DigiCert SSM Signing Clients" smctl environment [command] --help' for more information about a command

 

To add environment variables:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add 

Command output:

Digicert Secure Signing Manager Command line Client for MacOS
Add Environment Variables

Usage:
  "DigiCert SSM Signing Clients" smctl environment add [environement variable flags]

Flags:
  -h,    --help            Help for Add Environment Variables
  --host            host
  --api-key            API key
  --client-certificate-file    Client Certificate file path
  --client-certificate-password    Client Certificate File Password
  --http-proxy-host        HTTP Proxy Host
  --http-proxy-port        HTTP Proxy Port
  --http-proxy-username        HTTP Proxy Username
  --http-proxy-password        HTTP Proxy Password

Nota

Use '"DigiCert SSM Signing Clients" smctl environment add --help' for more information about a command.

To add a proxy environment variable:

Nota

Place the P12 client auth certificates in /User/user.name/Downloads/ folder or its subfolder to make the certificate available to your MacOS.

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add --host <digicert_cloud_host_url> --api-key <api_key> --client-certificate-file <Client Certificate P12 path> --client-certificate-password <client p12 certificate password> --http-proxy-host <http proxy_host> --http-proxy-port <http proxy_host_port>   --http-proxy-username <http proxy username>  --http-proxy-password <http proxy password>

Command output:

Configuration saved into Keychain Successfully

To view environment variables:

Command output:

Digicert Secure Signing Manager Command line Client for MacOS 
Add Environment Variables 

+-----------------------------+--------------------------------+ 
| key                         | value                          | 
+-----------------------------+--------------------------------+ 
| host                        | https://one.digicert.com | 
| api-key                     | ********                       | 
| client-certificate-file     | ********                       | 
| client-certificate-password | ********                       | 
| http-proxy-host             |                                | 
| http-proxy-port             |                                | 
| http-proxy-username         |                                | 
| http-proxy-password         |                                | 
+-----------------------------+--------------------------------+ 

Token commands

You can add keys used for codesign and productsign to a token using the token management command. The token can be added from the UI or from the CLI.

List token command

Run below list command to check if the token has been added. Note: This command will only show the token once keys are added to it.

Command:

% security list-smartcard

Output:

DigiCert.TokenExtension:SSM0123456789

 

To see all commands available for managing tokens:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token

Command output:

Digicert Secure Signing Manager Command line Client for MacOS
Manage Tokens

Usage:
  "DigiCert SSM Signing Clients" smctl token [command]

Available Commands:
  add-token    Add new token
  remove-token    Clean token

Flags:
  -h,    --help    Help for smctl

Use '"DigiCert SSM Signing Clients" smctl token [command] --help' for more information about a command

To add a new token:

 % "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token add-token

Command output:

Token Id - SSM0123456789 added successfullySSM0123456789 added successfully

To remove a token:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token remove-token

Command output:

Removing contents (keys, certs, configuration data) from token configuration 
Token removed Successfully

Keypair commands

Use the commands below to fetch keypairs from DigiCert​​®​​ Software Trust Manager and add them to the token present on the MacOS. These keypairs can be used to sign apps using codesign and productsign.

Basic manage keys command

Command:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair

Output:

Digicert Secure Signing Manager Command line Client for MacOS
Manage Keys

Usage:
  "DigiCert SSM Signing Clients" smctl keypair
  "DigiCert SSM Signing Clients" smctl keypair [command]

Available Commands:
  ls        List Keypairs
  add-keys    Add keys to token
  remove-keys    Remove keys from token

Flags:
  -h,    --help    Help for smctl keypair

Use '"DigiCert SSM Signing Clients" smctl keypair [command] --help' for more information about a command

To list keypairs:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair ls 

Command output:

Fetching keypair data from Digicert Secure Signing Manager Cloud +--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+ | Keypair ID                           | Alias                                                                              | Keypair Algorithm | Key Type   | Key Storage | Key Size/Curve | +--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+ 

To add keys to the token:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys [space separated keypair Ids and/or Keypair Aliases of the keypairs on DigiCert SSM Cloud]

Sample command:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys AppleCSMay2022  140aa250-55e9-4561-b85e-907ed2390e7a

Output:

Fetching keypair data from Digicert Secure Signing Manager Cloud
Setting key and certificates to token for key id - 4e7ff99e-69ba-4804-bfe0-c4bad0316e99, alias - AppleCSMay2022
Setting key and certificates to token for key id - 140aa250-55e9-4561-b85e-907ed2390e7a, alias - RsaKp1

Remove keys

This command also removes the token. Select Add new Token Command to add new token before adding keys back to token.

To remove keys from the token:

% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair remove-keys

Output command:

Removing contents (keys, certs, configuration data) from token configuration
Keys, certs, configuration data from token configuration removed Successfully

View keys on token

Use this command to check the keys added to the token.

To view keys on the token:

security export-smartcard

Sample command:

% security export-smartcard

Command output:

==== private key #1
     crtr : 0
     esiz : 0
     decr : 0
     persistref : <>
     atag : ""
     kcls : 1
     agrp : "com.apple.token"
     pdmn : "dk"
     bsiz : 2,048
     type : 42
     klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
     edat : 2001-01-01 00:00:00 +0000
     sign : 1
     mdat : 2022-01-20 05:43:35 +0000
     drve : 0
     labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
     sync : 0
     musr : <>
     sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
     cdat : 2022-01-20 05:43:35 +0000
     tkid : "DigiCert.TokenExtension:SSM0123456789"
     sdat : 2001-01-01 00:00:00 +0000
     tomb : 0
     priv : 1
     accc : constraints: {
              ock : "NONE",
              osgn : "NONE",
              ord : "NONE",
              od : "NONE"
          }
          protection: {
              tkid : "DigiCert.TokenExtension:SSM0123456789"
          }
     unwp : 0
====

==== identity #1
     class : "idnt"
     slnr : <54 79 df 37 c1 24 fb 57>
     certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42}
     certtkid : "DigiCert.TokenExtension:SSM0123456789"
     priv : 1
     ctyp : 3
     mdat : 2022-01-20 05:43:35 +0000
     sdat : 2001-01-01 00:00:00 +0000
     bsiz : 2,048
     type : 42
     sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
     pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
     cdat : 2022-01-20 05:43:35 +0000
     skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
     tomb : 0
     UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
     persistref : <>
     accc : constraints: {
              ock : "NONE",
              osgn : "NONE",
              ord : "NONE",
              od : "NONE"
          }
          protection: {
              tkid : "DigiCert.TokenExtension:SSM0123456789"
          }
     sync : 0
     tkid : "DigiCert.TokenExtension:SSM0123456789"
     pdmn : "dk"
     musr : <>
     subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
     sign : 1
     esiz : 0
     decr : 0
     atag : ""
     edat : 2001-01-01 00:00:00 +0000
     klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
     crtr : 0
     unwp : 0
     issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
     cenc : 3
     kcls : 1
     agrp : "com.apple.token"
     labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
     drve : 0
====

==== certificate #1
     class : "cert"
     subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
     cenc : 3
     ctyp : 3
     pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
     persistref : <>
     agrp : "com.apple.token"
     pdmn : "dk"
     labl : "apple_key"
     UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
     mdat : 2022-01-20 05:43:35 +0000
     slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
     sync : 0
     sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
     tkid : "DigiCert.TokenExtension:SSM0123456789"
     musr : <>
     cdat : 2022-01-20 05:43:35 +0000
     tomb : 0
     skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
     issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
     accc : constraints: {
              ord : true
          }
          protection: {
              tkid : "DigiCert.TokenExtension:SSM0123456789"
          }
====

Sign with SMCTL

To sign with SMCTL and the Cryptokenkit:

smctl-mac-x64 sign -tool <codesign or productsign> --keypair alias <Apple codesign keypair alias> --input <path to unsigned file> --verbose

Command sample

smctl-mac-x64 sign -tool codesign --keypair alias AppleCodeSign --input /Users/john.doe/downloads/example.app --verbose

Troubleshooting

Failed to access token

Error: Failed to add token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Failed to get environment variables or environment variables were not added to the keychain.

Error: Failed to add token. configurationError(message: "No application configration found, please set environment first!")

Failed to access token

Error: Failed to remove token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Failed to get environment variables or environment variables were not added to the keychain.

Error: Failed to remove token. configurationError(message: "No application configration found, please set environment first!")

Failed to fetch Keypairs from DigiCert SSM Cloud

Error: Failed to get keys. configurationError(message: "Failed to fetch keypairs from cloud.")

Failed to get environment variables or environment variables were not added to keychain.

Error: Failed to get keys. configurationError(message: "No application configuration found, please set environment first!")

The keypair was not found for given keypair ID or Key alias.

Error: Failed to add keys to token. configurationError(message: "KeyPair not found for id or alias id/alias")

Failed to fetch keypairs from DigiCert DigiCert​​®​​ Software Trust Manager cloud.

Error: Failed to add keys to token. configurationError(message: "Failed to fetch keypairs from cloud. error")

Failed to get environment variables or environment variables are not added to the keychain.

Error: Failed to add keys to token. configurationError(message: "No application configration found, please set environment first!")

Token has not been added or cannot access token.

Error: Failed to add keys to token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Failed to set token due to other reasons.

Error: Failed to add keys to token. configurationError(message: "Failed to set token configurtion data: error_info")