
Build engineer guide

The DigiCert​​®​​ Software Trust Manager Build engineer role is responsible for scanning software with threat detection and also has permission to sign.

Tip

For more information about how to run a scan and interpret a scan report, refer to Threat detection.

The ReversingLabs scanning tool (rl-deploy) is included in the Software Trust Manager client tools package.

To download client tools:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu (top right) > Software Trust.

  3. Select Resources > Client tool repository.

  4. Download the following based on your operating system:

    Windows Clients Installer

    Linux Clients

When you sign your software, your API key and client authentication certificate authenticate you to DigiCert​​®​​ Software Trust Manager, not your DigiCert ONE username and password. Together, the API key and the client authentication certificate act as two-factor authentication (2FA) for the client tools.

Tip

Service users are generally used for automated signing and therefore do not have credentials to sign in to DigiCert ONE. However, service users can still sign and access resources such as keys and certificates in DigiCert​​®​​ Software Trust Manager when authenticated by an API key and client authentication certificate.

Create an API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate, issued by the server together with a unique password, that authenticates a user or calling program to an API.

Note

Your API key and client authentication certificate inherit your user permissions or role.

Your DigiCert ONE host environment, API key, client authentication certificate and certificate password make up the environment variables the Software Trust Manager client tools need to connect. Because these values inherit your permissions, anyone who obtains them can scan and sign as you: keep them out of source control and build logs, and store them with one of the methods below for your operating system.
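The following script is an added example for a Linux build host and is not part of DigiCert's client tools or documentation. It loads the credentials from a file that only the build user can read, refuses to continue if the credentials file or the certificate file is readable by other users, and checks that every required value is set and that the host is an https URL, all before any smctl command runs. The variable names SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are the ones DigiCert documents for the client tools; this page does not list them, so verify them against your installation. The credentials file path and its contents are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not DigiCert code: load Software Trust Manager credentials
# from a file only the build user can read, then sanity-check them before any
# smctl call. Variable names (SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE,
# SM_CLIENT_CERT_PASSWORD) are assumed to match what the client tools read.

# Succeed only for a regular file with mode 600 or 400 (owner-only access).
check_private_file() {
  f=$1
  [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as the fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "refusing $f: mode $mode allows group/world access" >&2; return 1 ;;
  esac
}

# Export the KEY=VALUE lines from the credentials file, then verify that every
# required variable is set, that the host is an https URL and that the
# certificate file is itself private. Secret values are never echoed.
load_sm_env() {
  creds=$1
  check_private_file "$creds" || return 1
  set -a
  . "$creds"
  set +a
  for v in SM_HOST SM_API_KEY SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is not set in $creds" >&2; return 1; }
  done
  case "$SM_HOST" in
    https://*) ;;
    *) echo "SM_HOST must be an https:// URL, got: $SM_HOST" >&2; return 1 ;;
  esac
  check_private_file "$SM_CLIENT_CERT_FILE"
}

# Usage in a build step (requires smctl on PATH; the file path is an example):
#   load_sm_env "$HOME/.config/digicert/stm.env" && smctl scan project create project1 p1
```

The credentials file holds one `KEY=VALUE` per line and is created with `chmod 600`; the `set -a` / `set +a` pair exports only the variables defined while the file is sourced, so nothing else in the build environment changes.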

Note

If your build environment reaches the internet through a proxy, configure the client tools to use it by following the instructions below for your operating system:

Manage threat detection

As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing it, using the static binary analysis service powered by ReversingLabs.

Tip

If you do not see Threat detection in the left navigation menu, contact your account manager to add ReversingLabs integration to your service agreement.

To install rl-deploy, run the following smctl command:

smctl scan rl-install <new folder path to install>

Command samples

If you have administrator privileges, run this command in Administrator Command Prompt:

smctl scan rl-install "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\rl"

If you do not want to run the installation with administrator privileges, specify an installation location that does not require them, such as:

smctl scan rl-install "C:\rl"

Command output

Downloading
[==================================================] 100% [00m:07s]
187090012/187090012 bytes

Unpacking package ...
finished!

Tip

Refer to errors and solutions if you encounter an error.

Create a project to group related software scans, such as different versions of the same software. Each project has a descriptive name and a short project alias that you use to reference it on the command line.

Tip

Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.

To create a project, use the command:

smctl scan project create <project name> <project alias>

Command sample:

smctl scan project create project1 p1

To scan software with Static Binary Analysis, use the command:

smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>

Command sample:

smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0
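The script below is an added example, not part of DigiCert's tooling or documentation, that wraps the two commands above (project creation and scan submission) for a Linux CI job. It enforces the project alias rule stated in the tip above before calling smctl, derives a scan alias from the artifact name and version (the alias format is this example's convention, not DigiCert's), and writes a SHA-256 checksum file next to the artifact so the later signing step can verify it signs exactly the bytes that were scanned. smctl is invoked through the `SMCTL` variable, so the wrapper can be dry-run with `SMCTL=echo` on a machine without the client tools. The artifact used below is constructed.

```shell
#!/usr/bin/env sh
# Added example, not DigiCert code: CI wrapper around
# "smctl scan project create" and "smctl scan rl-scan". Enforces the
# project-alias rule from the page, derives a scan alias, records the SHA-256 of
# the exact artifact submitted, and calls smctl through $SMCTL so that
# SMCTL=echo gives a dry run where the client tools are not installed.

# Project aliases: 1 to 150 characters from letters, digits, "_" and "-".
valid_alias() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 150 ]
}

# Scan alias from artifact name and version, restricted to the same character
# set: /path/MVP.so + 1.0.0 -> MVP-so-1-0-0 (this example's convention).
scan_alias() {
  printf '%s-%s' "$(basename "$1")" "$2" | tr -c 'A-Za-z0-9_-' '-'
}

# SHA-256 hex digest of a file, with GNU coreutils or BSD/macOS tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Create the project once per product; the alias is validated before smctl runs.
create_project() {
  name=$1; proj=$2
  valid_alias "$proj" || { echo "invalid project alias: $proj" >&2; return 2; }
  "${SMCTL:-smctl}" scan project create "$name" "$proj"
}

# Submit one build artifact. Writes <artifact>.sha256 in "sha256sum -c" format
# so the signing step can prove it signs the same bytes that were scanned.
submit_scan() {
  proj=$1; artifact=$2; version=$3
  valid_alias "$proj" || { echo "invalid project alias: $proj" >&2; return 2; }
  [ -f "$artifact" ] || { echo "artifact not found: $artifact" >&2; return 2; }
  digest=$(sha256_of "$artifact") || return 1
  printf '%s  %s\n' "$digest" "$artifact" > "$artifact.sha256"
  "${SMCTL:-smctl}" scan rl-scan --input "$artifact" --project "$proj" \
    --scan-alias "$(scan_alias "$artifact" "$version")" --version "$version"
}

# Usage (dry run without the client tools installed):
#   SMCTL=echo create_project project1 p1
#   SMCTL=echo submit_scan p1 build/MVP.so 1.0.0
```

In the signing job, run `sha256sum -c MVP.so.sha256` against the artifact pulled from the scan job before calling smctl to sign it; a mismatch means the bytes changed between scan and signature and the release should stop.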

Tip

Refer to errors and solutions if you encounter an error.

View scan

To view threat detection scan details:

  1. Sign in to DigiCert ONE.

  2. Navigate to: Manager menu icon (top right) > Software Trust.

  3. Select Threat detection.

  4. Select the scan alias to view more details.

  5. Review the following sections (each is described in Threat detection):

    1. Scan summary

    2. General information

    3. Deployment risks

    4. Common vulnerabilities and exposures

Next steps

If you, as the build engineer, also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust Manager.