DigiCert recommends storing your API key and client authentication certificate password in Windows Credential Manager, an encrypted vault, protected from unauthorized access.
Build engineer guide
The DigiCert® Software Trust Manager Build engineer is responsible for scanning software using threat detection and also has permission to sign.
Tip
For more information about how to run a scan and interpret a scan report, refer to Threat detection.
ReversingLabs scanning tool (rl-deploy) is included in Software Trust Manager client tools package.
To download client tools:
Sign in to DigiCert ONE.
Navigate to: Manager menu (top right) > Software Trust.
Select Resources > Client tool repository.
Download the following based on your operating system:
When you sign your software, your API key and client authentication certificate authenticate you to DigiCert® Software Trust Manager, not your DigiCert ONE username and password. The API key and client authentication certificate provide two-factor authentication (2FA).
Tip
Service users are generally used for automated signing and therefore do not have credentials to access DigiCert ONE. However, service users can still sign and access resources like keys and certificates in DigiCert® Software Trust Manager when authenticated by an API token and client authentication certificate.
Create an API key
An API key is a unique identifier generated by the server to authenticate a user or calling program to an API.
Follow the procedure below based on your user classification:
Create a client authentication certificate
A client authentication certificate is a X.509 digital certificate with a unique password that is generated by the server to authenticate a user or calling program to an API.
Opmerking
Your API key and client authentication certificate inherit your user permissions orrole.
Your DigiCert ONE host environment, API key, client authentication certificate and password make up your environment variables and are required to access Software Trust Manager client tools. You may want to use one of the methods below to securely store your credentials based on your operating system.
Manage threat detection
As a build engineer, you are responsible for scanning software for malware, vulnerabilities, secrets, and more before releasing your software for consumption.
Tip
If you do not see Threat detection in the left navigation menu, contact your account manager to add Threat detection to your service agreement.
Software Trust Manager offers the following types of threat detection:
Create a project to store all your related software scans, such as different versions of the same software. The software project will be referred to by a descriptive name and a project alias to allow for easy reference.
Tip
Project aliases are limited to 150 alphanumeric characters. Underscores and hyphens are also allowed.
To create a project, use the command:
smctl scan project create <project name> <project alias>
Command sample:
smctl scan project create project1 p1
To scan software with Static Binary Analysis, use the command:
smctl scan rl-scan --input <file to scan> --project <project alias> --scan-alias <scan alias> --version <version>
Command sample:
smctl scan rl-scan --input C:\Users\John.Doe\Documents\Software\MVP.so --project p1 --scan-alias MVPscan1 --version 1.0.0
Tip
Refer to errors and solutions if you encounter an error.
View scan
To view threat detection scan details:
Sign in to DigiCert ONE.
Navigate to: Manager menu icon (top right) > Software Trust.
Select Threat detection.
Select the scan alias to view the report.
Next steps
If you as the build engineer also want to sign, follow the instructions in the Signer's guide to get ready to sign with your private key stored in Software Trust Manager.