Build engineer guide

The DigiCert® Software Trust Manager Build engineer is responsible for scanning software using threat detection and also has permission to sign.

작은 정보

For more information about how to run a scan and interpret a scan report, refer to Threat dectection.

Download client tools

ReversingLabs scanning tool (rl-deploy) is included in Software Trust Manager client tools package.

To download client tools:

Sign in to DigiCert ONE.
Navigate to: Manager menu (top right) > Software Trust.
Select Resources > Client tool repository.
Download the following based on your operating system:
Windows Clients Installer
Linux Clients

Create your credentials

During code signing, an API key and client authentication certificate is used to authenticate the user to DigiCert® Software Trust Manager, not the DigiCert ONE username and password. The API key and client authentication certificate provides two-factor authentication (2FA).

Service users are generally used for automated signing and therefore do not have credentials to access to DigiCert ONE. However service users can still sign and access keys and certificates in DigiCert® Software Trust Manager when authenticated by an API token and client authentication certificate.

참고

The permissions for the API key and client authentication certificate are based upon your user permissions orrole assigned for DigiCert® Software Trust Manager.

API key

An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

예 1. User

Users can create their own API token because they have access to DigiCert ONE.

To create an API key:

Sign in to DigiCert ONE.
Navigate to the Profile icon (top right).
Select Admin Profile > API Tokens.
Select Create API Token.
Securely store your API token.
참고
The API token cannot be viewed again.

예 2. Service user

작은 정보

The DigiCert® Account Manager permission: Manage users is required to create an API key for service users.

To create an API key for a service user:

Sign in to DigiCert ONE.
Navigate to Manager menu icon (top right).
Select DigiCert® Account Manager > Access > Service users.
Select the user's name.
Scroll down to API tokens.
Select Create API token.
Securely store your API token.
참고
The API token cannot be viewed again.

Client authentication certificate

A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.

Follow the procedure below based on your user classification:

예 3. User

Users can create their own client authentication certificate because they have access to DigiCert ONE.

To generate a client authentication certificate:

Sign in to DigiCert ONE.
Navigate to the Profile icon (top right).
Select Admin Profile > Authentication Certificates.
Select Create authentication certificate.
Copy the certificate password.
참고
The password cannot be viewed again.
Select Download client authentication certificate.

예 4. Service user

작은 정보

The DigiCert® Account Manager permission: Manage users is required to create a client authentication certificate for someone else.

To create a client authentication certificate for a service user:

Sign in to DigiCert ONE.
Navigate to Manager menu icon (top right).
Select DigiCert® Account Manager > Access > Service users.
Select on the user's name.
Scroll down to Authentication Certificates.
Select Create authentication certificate.
Copy the certificate password.
참고
The password cannot be viewed again.
Select Download client authentication certificate.

Secure your credentials

Your DigiCert ONE host environment, API key, client authentication certificate and password makes up your environment variables and are required to access Software Trust Manager client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.

예 5. Windows

DigiCert recommends storing your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.

예 6. Linux

DigiCert recommends storing your API key and client authentication certificate password in Linux Pass, a password manager that uses GnuPG for encryption and decryption of stored information.

예 7. macOS

DigiCert recommends storing your API key and client authentication certificate password in Keychain Access, an application that stores your passwords and account information.

참고

You can set a proxy to verify the connection, by following the instructions below for your operating system:

WindowsWindows configuration
LinuxLinux configuration
macOS.Apple configuration

Manage threat detection

As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing your software for consumption using our Dynamic Application Security Testing (DAST) service powered by ReversingLabs.

작은 정보

If you do not see Threat detection in the left navigation menu, contact your account manager to add ReversingLabs integration to your service agreement.

Install ReversingLabs scanning tool

To install rl-deploy, run the following command in SMCTL:

smctl scan rl-install <new folder path to install>

Command samples

If you have administrator privileges, run this command in Administrator Command Prompt:

smctl scan rl-install "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\rl"

If you do not want to give rl-deploy administrator privileges, specify an installation location that does not require administrative privileges, such as:

smctl scan rl-install "C:\rl"

Command output

Downloading
[==================================================] 100% [00m:07s]
187090012/187090012 bytes

Unpacking package ...
finished!

작은 정보

Refer to errors and solutions if you encounter an error.

Create a project

Create a project to store all your related software scans, such as different versions of the same software. The software project will be referred to by a descriptive name and a project alias to allow for easy reference.

작은 정보

Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.

To create a project, use the command:

smctl scan project create <project name> <project alias>

Command sample:

smctl scan project create project1 p1

Scan with ReversingLabs

To scan software with ReversingLabs, use the command:

smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>

Command sample:

smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0

작은 정보

Refer to errors and solutions if you encounter an error.

View scan

To view threat detection scan details:

Sign in to DigiCert ONE.
Navigate to: Manager menu icon (top right) > Software Trust.
Select Threat detection.
Select the scan alias to view more details.
Review the following sections:
1. Scan summary
2. General information
3. Deployment risks
4. Common vulnerabilities and exposures

Next steps

If you as the build engineer also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust Manager.

이 섹션의 내용:

Build engineer guide

작은 정보

Download client tools

Create your credentials

참고

API key

참고

작은 정보

참고

Client authentication certificate

참고

작은 정보

참고

Secure your credentials

참고

Manage threat detection

작은 정보

Install ReversingLabs scanning tool

작은 정보

Create a project

작은 정보

Scan with ReversingLabs

작은 정보

View scan

Next steps

검색 결과