Use the commands below to run “DigiCert SSM Signing Clients.app” as a command line interface (CLI).
Note
The “smctl” argument tells “DigiCert SSM Signing Clients.app” to run as a command line interface (CLI).
SMCTL commands begin with:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl
Tip
To avoid typing this long file path in every command, create a symlink as shown below.
A symlink is a shortcut that points to another file or folder on your computer or on a connected file system. The following command makes "<Path_to_the_app>/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" available as DigicertSmctl to shorten your commands. The link is created in the current directory, so run the command from the directory you will invoke it from.
To create a symlink:
sudo ln -s "<Path_to_the_app>/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" DigicertSmctl
Once the symlink is created, the basic SMCTL command looks like this.
To see all available commands:
% ./DigicertSmctl smctl
Command output:
Digicert Secure Signing Manager Command line Client for MacOS
Usage:
"DigiCert SSM Signing Clients" smctl
"DigiCert SSM Signing Clients" smctl [command]
Available Commands:
keypair Manage Keypairs
token Manage Token
environment Manage Environment Variables
Flags:
-h, --help Help for smctl
Use '"DigiCert SSM Signing Clients" smctl [command] --help' for more information about a command
You can add DigiCert® Software Trust Manager credentials to your macOS keychain with the environment command.
Once these environment variables for DigiCert® Software Trust Manager are stored, the “DigiCert SSM Signing Clients.app” UI can use them as well, and you can run other codesign and productsign commands.
Values saved to the keychain through the UI application can likewise be used directly from the CLI without entering them again, because the CLI and the UI read the same values from the keychain.
To view environment variable commands:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment
Command output:
Digicert Secure Signing Manager Command line Client for MacOS
Manage Environment
Usage:
"DigiCert SSM Signing Clients" smctl environment
"DigiCert SSM Signing Clients" smctl environment [command]
Available Commands:
add Add Environment Variables
Flags:
-h, --help Help for smctl
Use '"DigiCert SSM Signing Clients" smctl environment [command] --help' for more information about a command
To add environment variables:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add
Command output:
Digicert Secure Signing Manager Command line Client for MacOS
Add Environment Variables
Usage:
"DigiCert SSM Signing Clients" smctl environment add [environement variable flags]
Flags:
-h, --help Help for Add Environment Variables
--host host
--api-key API key
--client-certificate-file Client Certificate file path
--client-certificate-password Client Certificate File Password
--http-proxy-host HTTP Proxy Host
--http-proxy-port HTTP Proxy Port
--http-proxy-username HTTP Proxy Username
--http-proxy-password HTTP Proxy Password
Note
Use '"DigiCert SSM Signing Clients" smctl environment add --help' for more information about a command.
To add a proxy environment variable:
Note
Place the P12 client authentication certificate in the /User/user.name/Downloads/ folder or one of its subfolders so that the certificate is available to macOS.
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl environment add --host <digicert_cloud_host_url> --api-key <api_key> --client-certificate-file <Client Certificate P12 path> --client-certificate-password <client p12 certificate password> --http-proxy-host <http proxy_host> --http-proxy-port <http proxy_host_port> --http-proxy-username <http proxy username> --http-proxy-password <http proxy password>
Command output:
Configuration saved into Keychain Successfully
To view environment variables:
Command output:
Digicert Secure Signing Manager Command line Client for MacOS
Add Environment Variables
+-----------------------------+--------------------------------+
| key | value |
+-----------------------------+--------------------------------+
| host | https://one.digicert.com |
| api-key | ******** |
| client-certificate-file | ******** |
| client-certificate-password | ******** |
| http-proxy-host | |
| http-proxy-port | |
| http-proxy-username | |
| http-proxy-password | |
+-----------------------------+--------------------------------+
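The setup described above (creating the symlink, then saving the environment into the keychain) as an added shell example; this is not DigiCert's code. It assumes the app bundle path and a symlink location you pass in, and it reads the API key and P12 password from environment variables (SM_API_KEY, SM_CLIENT_CERT_PASSWORD and the other SM_* names are assumptions) rather than having them typed as literal arguments, so the secrets do not land in shell history. SMCTL_BIN is an assumed variable naming the symlink. Unlike a bare "sudo ln -s", the helper checks that the binary inside the bundle exists and is executable before linking, and re-running it is safe.

```shell
#!/bin/sh
# Added example (not DigiCert's code): bootstrap the smctl CLI and store the
# Software Trust Manager environment without exposing secrets in history.
set -eu

# Create (or refresh) a symlink to the smctl binary inside the app bundle.
# Arguments: <path to DigiCert SSM Signing Clients.app> <link path>
# Refuses a missing or non-executable target; -f makes the call idempotent.
make_smctl_link() {
  app="$1"; link="$2"
  bin="$app/Contents/MacOS/DigiCert SSM Signing Clients"
  if [ ! -x "$bin" ]; then
    echo "smctl binary not found or not executable: $bin" >&2
    return 1
  fi
  ln -sf "$bin" "$link"
  [ -x "$link" ]
}

# Save the environment into the keychain. Secrets come from environment
# variables (assumed names below), so they are never typed on the command
# line; the process arguments still carry them, so run this in a private
# session, not one shared with other users.
# Required: SMCTL_BIN SM_HOST SM_API_KEY SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD
# Optional: SM_HTTP_PROXY_HOST SM_HTTP_PROXY_PORT SM_HTTP_PROXY_USERNAME SM_HTTP_PROXY_PASSWORD
smctl_env_add() {
  bin="${SMCTL_BIN:?set SMCTL_BIN to the smctl symlink}"
  : "${SM_HOST:?}" "${SM_API_KEY:?}" "${SM_CLIENT_CERT_FILE:?}" "${SM_CLIENT_CERT_PASSWORD:?}"
  if [ ! -r "$SM_CLIENT_CERT_FILE" ]; then
    echo "client certificate not readable: $SM_CLIENT_CERT_FILE" >&2
    return 1
  fi
  # Build the argument list in the positional parameters (POSIX sh has no arrays).
  set -- smctl environment add \
    --host "$SM_HOST" \
    --api-key "$SM_API_KEY" \
    --client-certificate-file "$SM_CLIENT_CERT_FILE" \
    --client-certificate-password "$SM_CLIENT_CERT_PASSWORD"
  if [ -n "${SM_HTTP_PROXY_HOST:-}" ]; then
    set -- "$@" --http-proxy-host "$SM_HTTP_PROXY_HOST" --http-proxy-port "${SM_HTTP_PROXY_PORT:?}"
  fi
  if [ -n "${SM_HTTP_PROXY_USERNAME:-}" ]; then
    set -- "$@" --http-proxy-username "$SM_HTTP_PROXY_USERNAME" --http-proxy-password "${SM_HTTP_PROXY_PASSWORD:?}"
  fi
  "$bin" "$@"
}
```

Typical use: export the SM_* variables from a secrets manager or a file with mode 0600, run make_smctl_link once with the real bundle path, then call smctl_env_add; the tool answers "Configuration saved into Keychain Successfully" as shown above.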
You can add the keys used for codesign and productsign to a token with the token management command. The token can be added from the UI or from the CLI.
List token command
Run the list command below to check whether the token has been added. Note: this command only shows the token once keys have been added to it.
Command:
% security list-smartcard
Output:
DigiCert.TokenExtension:SSM0123456789
To see all commands available for managing tokens:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token
Command output:
Digicert Secure Signing Manager Command line Client for MacOS
Manage Tokens
Usage:
"DigiCert SSM Signing Clients" smctl token [command]
Available Commands:
add-token Add new token
remove-token Clean token
Flags:
-h, --help Help for smctl
Use '"DigiCert SSM Signing Clients" smctl token [command] --help' for more information about a command
To add a new token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token add-token
Command output:
Token Id - SSM0123456789 added successfully
To remove a token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl token remove-token
Command output:
Removing contents (keys, certs, configuration data) from token configuration
Token removed Successfully
Use the commands below to fetch keypairs from DigiCert® Software Trust Manager and add them to the token present on the MacOS. These keypairs can be used to sign apps using codesign and productsign.
Basic manage keys command
Command:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair
Output:
Digicert Secure Signing Manager Command line Client for MacOS
Manage Keys
Usage:
"DigiCert SSM Signing Clients" smctl keypair
"DigiCert SSM Signing Clients" smctl keypair [command]
Available Commands:
ls List Keypairs
add-keys Add keys to token
remove-keys Remove keys from token
Flags:
-h, --help Help for smctl keypair
Use '"DigiCert SSM Signing Clients" smctl keypair [command] --help' for more information about a command
To list keypairs:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair ls
Command output:
Fetching keypair data from Digicert Secure Signing Manager Cloud
+--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+
| Keypair ID | Alias | Keypair Algorithm | Key Type | Key Storage | Key Size/Curve |
+--------------------------------------+------------------------------------------------------------------------------------+-------------------+------------+-------------+----------------+
To add keys to the token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys [space separated keypair Ids and/or Keypair Aliases of the keypairs on DigiCert SSM Cloud]
Sample command:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair add-keys AppleCSMay2022 140aa250-55e9-4561-b85e-907ed2390e7a
Output:
Fetching keypair data from Digicert Secure Signing Manager Cloud
Setting key and certificates to token for key id - 4e7ff99e-69ba-4804-bfe0-c4bad0316e99, alias - AppleCSMay2022
Setting key and certificates to token for key id - 140aa250-55e9-4561-b85e-907ed2390e7a, alias - RsaKp1
Remove keys
This command also removes the token. Run the add-token command again to add a new token before adding keys back to it.
To remove keys from the token:
% "./DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert SSM Signing Clients" smctl keypair remove-keys
Command output:
Removing contents (keys, certs, configuration data) from token configuration
Keys, certs, configuration data from token configuration removed Successfully
View keys on token
Use this command to check which keys have been added to the token.
To view keys on the token:
% security export-smartcard
Command output:
==== private key #1
crtr : 0
esiz : 0
decr : 0
persistref : <>
atag : ""
kcls : 1
agrp : "com.apple.token"
pdmn : "dk"
bsiz : 2,048
type : 42
klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
edat : 2001-01-01 00:00:00 +0000
sign : 1
mdat : 2022-01-20 05:43:35 +0000
drve : 0
labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
sync : 0
musr : <>
sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
cdat : 2022-01-20 05:43:35 +0000
tkid : "DigiCert.TokenExtension:SSM0123456789"
sdat : 2001-01-01 00:00:00 +0000
tomb : 0
priv : 1
accc : constraints: {
ock : "NONE",
osgn : "NONE",
ord : "NONE",
od : "NONE"
}
protection: {
tkid : "DigiCert.TokenExtension:SSM0123456789"
}
unwp : 0
====
==== identity #1
class : "idnt"
slnr : <54 79 df 37 c1 24 fb 57>
certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42}
certtkid : "DigiCert.TokenExtension:SSM0123456789"
priv : 1
ctyp : 3
mdat : 2022-01-20 05:43:35 +0000
sdat : 2001-01-01 00:00:00 +0000
bsiz : 2,048
type : 42
sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
cdat : 2022-01-20 05:43:35 +0000
skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
tomb : 0
UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
persistref : <>
accc : constraints: {
ock : "NONE",
osgn : "NONE",
ord : "NONE",
od : "NONE"
}
protection: {
tkid : "DigiCert.TokenExtension:SSM0123456789"
}
sync : 0
tkid : "DigiCert.TokenExtension:SSM0123456789"
pdmn : "dk"
musr : <>
subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
sign : 1
esiz : 0
decr : 0
atag : ""
edat : 2001-01-01 00:00:00 +0000
klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
crtr : 0
unwp : 0
issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
cenc : 3
kcls : 1
agrp : "com.apple.token"
labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
drve : 0
====
==== certificate #1
class : "cert"
subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
cenc : 3
ctyp : 3
pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
persistref : <>
agrp : "com.apple.token"
pdmn : "dk"
labl : "apple_key"
UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
mdat : 2022-01-20 05:43:35 +0000
slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
sync : 0
sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
tkid : "DigiCert.TokenExtension:SSM0123456789"
musr : <>
cdat : 2022-01-20 05:43:35 +0000
tomb : 0
skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
accc : constraints: {
ord : true
}
protection: {
tkid : "DigiCert.TokenExtension:SSM0123456789"
}
====
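The "security export-smartcard" listing above is long and is the only place to confirm what actually landed on the token, so here is an added shell example, not DigiCert's code, that summarises it: one line per item (kind, label, token id, SHA-1) and two checks a practitioner wants before signing, that the identity label you intend to use is present and that every item belongs to the expected token id. The sample input is a constructed, shortened version of the listing above; in real use pipe the output of "security export-smartcard" into the functions instead.

```shell
#!/bin/sh
# Added example (not DigiCert's code): summarise and check the items that
# "security export-smartcard" reports for the DigiCert token.
set -eu

# Read an export-smartcard listing on stdin; print one tab-separated line per
# item: <kind> <labl> <tkid> <sha1>. The first tkid in an item is used (the
# protection block repeats it).
summarize_token_items() {
  awk '
    function flush() {
      if (inside) printf "%s\t%s\t%s\t%s\n", kind, labl, tkid, sha1
      kind = labl = tkid = sha1 = ""; inside = 0
    }
    /^==== / {                          # item header, e.g. "==== private key #1"
      flush()
      kind = $0; sub(/^==== /, "", kind); sub(/ #[0-9]+$/, "", kind)
      inside = 1; next
    }
    /^====$/ { flush(); next }          # item terminator
    inside && /^[a-z]+ : / {
      key = $1; val = $0; sub(/^[a-z]+ : /, "", val); gsub(/^"|"$/, "", val)
      if (key == "labl") labl = val
      if (key == "tkid" && tkid == "") tkid = val
      if (key == "sha1") sha1 = val
    }
    END { flush() }
  '
}

# Succeed only if an item with exactly this label is on the token.
# Usage: security export-smartcard | token_has_label "Developer ID Installer: ..."
token_has_label() {
  summarize_token_items | awk -F'\t' -v want="$1" '$2 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# Fail (and name the item) if anything on the token belongs to another token id.
# Usage: security export-smartcard | check_token_id DigiCert.TokenExtension:SSM0123456789
check_token_id() {
  summarize_token_items | awk -F'\t' -v want="$1" '
    $3 != want { bad++; print "unexpected token id on item: " $0 > "/dev/stderr" }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: a shortened form of the listing shown on this page.
token_items_sample() {
  cat <<'EOF'
==== private key #1
kcls : 1
agrp : "com.apple.token"
labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
tkid : "DigiCert.TokenExtension:SSM0123456789"
accc : constraints: {
ord : "NONE"
}
protection: {
tkid : "DigiCert.TokenExtension:SSM0123456789"
}
====
==== identity #1
class : "idnt"
sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
tkid : "DigiCert.TokenExtension:SSM0123456789"
labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
====
==== certificate #1
class : "cert"
labl : "apple_key"
sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
tkid : "DigiCert.TokenExtension:SSM0123456789"
====
EOF
}
```

Run "token_items_sample | summarize_token_items" to see the three summary lines; in a signing pipeline, gate the codesign step on "security export-smartcard | token_has_label <label>" so a missing or renamed key fails early instead of producing an unsigned artifact.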
To sign with SMCTL and CryptoTokenKit:
smctl-mac-x64 sign -tool <codesign or productsign> --keypair-alias <Apple codesign keypair alias> --input <path to unsigned file> --verbose
Sample command:
smctl-mac-x64 sign -tool codesign --keypair-alias AppleCodeSign --input /Users/john.doe/downloads/example.app --verbose
Troubleshooting: each error message below is listed with its cause.

Cause: Failed to access the token.
Error: Failed to add token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Cause: Failed to get environment variables, or environment variables were not added to the keychain.
Error: Failed to add token. configurationError(message: "No application configration found, please set environment first!")

Cause: Failed to access the token.
Error: Failed to remove token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Cause: Failed to get environment variables, or environment variables were not added to the keychain.
Error: Failed to remove token. configurationError(message: "No application configration found, please set environment first!")

Cause: Failed to fetch keypairs from the DigiCert SSM Cloud.
Error: Failed to get keys. configurationError(message: "Failed to fetch keypairs from cloud.")

Cause: Failed to get environment variables, or environment variables were not added to the keychain.
Error: Failed to get keys. configurationError(message: "No application configuration found, please set environment first!")

Cause: No keypair was found for the given keypair ID or key alias.
Error: Failed to add keys to token. configurationError(message: "KeyPair not found for id or alias id/alias")

Cause: Failed to fetch keypairs from the DigiCert® Software Trust Manager cloud.
Error: Failed to add keys to token. configurationError(message: "Failed to fetch keypairs from cloud. error")

Cause: Failed to get environment variables, or environment variables were not added to the keychain.
Error: Failed to add keys to token. configurationError(message: "No application configration found, please set environment first!")

Cause: The token has not been added, or the token cannot be accessed.
Error: Failed to add keys to token. configurationError(message: "No driver configuration found for token DigiCert.TokenExtension")

Cause: Failed to set the token for another reason.
Error: Failed to add keys to token. configurationError(message: "Failed to set token configurtion data: error_info")