Skip to main content

Scripts for signing using KSP library on GitHub

Prerequisites

  • A GitHub repository

  • credentials

  • client tools

Client tools

DigiCert​​®​​ KeyLocker clients can be downloaded in a package.

Download Client tools

  1. Sign in to DigiCert ONE.

  2. Navigate to DigiCert​​®​​ KeyLocker > Resources > Client tool repository.

  3. Select your operating system.

  4. Click the download icon next to DigiCert​​®​​ KeyLocker clients.

Register the KSP

To register the KSP, open a command prompt and run:

smctl windows ksp register

Verify the KSP

To verify that your KSP is configured properly, and that your client can properly authenticate to the DigiCert​​®​​ KeyLocker service, run:

certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user

Synchronize certificates

For the client tools to access the private keys in the service through the Key Storage Provider (KSP), your certificates must be synchronized to the local certificate store. Only if the certificate is synchronized, the private key remains stored securely in DigiCert​​®​​ KeyLocker.

To synchronize your certificates to the local certificate store, open a command prompt and run:

smctl windows certsync

To view the certificates, open Certificate Manager for the user account used to run the certificate sync utility:

certmgr.msc

If you do not see your certificates in the Certificate Manager, verify that you have opened the correct certificate store. There is a different certificate store for each Windows user account.

Note

All certificates are synched to the user store only. The certificates are not synchronized to the machine store (yet).

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

User authentication

KeyLocker enforces multi-factor authentication for security purposes. To access keypairs, certificates, and sign code, you need to set up two types of credentials: An API key and an authentication certificate.

Create an API key

The API key is an authentication method used to verify you as a user and your permissions assigned in DigiCert ONE. The API key provides the first factor authentication.

  1. In DigiCert ONE, select the profile (profile_icon.png) icon, and then select Admin Profile.

  2. Under API keys, select Create API key.

  3. For Name, enter a descriptive name for the key.

  4. For End date (optional), enter the date when the key should expire.

  5. Select Create. The API key appears this one time and can't be accessed again. Securely store the API key for future use.

Create an authentication certificate

The client authentication certificate is an authentication method used to verify you as a user and your permissions assigned in DigiCert ONE. The client authentication certificate provides the second factor authentication.

  1. In DigiCert ONE, select the profile (profile_icon.png) icon, and then select Admin Profile.

  2. Under Client authentication certificates, select Create client authentication certificate.

  3. For Nickname, enter a descriptive name for the key.

  4. For End date, enter the date when the certificate should expire.

  5. Select the desired Encryption and Signature hash algorithm.

  6. Select Generate certificate. The password appears this one time and can't be accessed again. Download the certificate and securely store the password for future use.

Setup

To use the client tools and connect to DigiCert​​®​​ KeyLocker for operations, you must have access to DigiCert​​®​​ KeyLocker on DigiCert ONE®. If you do not have access to DigiCert​​®​​ KeyLocker, contact an administrator for DigiCert ONE and request access.

Set certificate file in environment variables

  1. Identify your client authentication certificate.

  2. Encode the file to base64. For encoding run command:

    base64 file_name

  3. In GitHub Secrets add a new repository secret with:

    Name = SM_CLIENT_CERT_FILE_B64
Value = encoded value from base64 file_name

  4. Set dup certificate file for signing:

    - name: Setup Certificate
  run: |
    echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
  shell: bash

Environment variables setup for GitHub Actions

The client tools need these environment variables to connect with DigiCert​​®​​ KeyLocker,.

To integrate environment variables as GitHub secrets:

  1. Access GitHub repository

  2. Select Settings

  3. Select Secrets > Actions

  4. Select New repository secret

The values for these environment variables:

Variable

Description

SM_API_KEY

Provide your API token.

SM_CLIENT_CERT_FILE_B64

The base64 encoded text of certificate downloaded from client authentication certificate setup.

SM_CLIENT_CERT_PASSWORD

Provide your client certificate password.

SM_HOST

Provide your host environment.

SM_CODE_SIGNING_CERT_SHA1_HASH

The certificate fingerprint.

Command to set environment variables:

- name: Set variables
  id: variables
  run: |
    echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
    echo "KEYPAIR_NAME=gt-standard-keypair" >> $GITHUB_OUTPUT
    echo "CERTIFICATE_NAME=gt-certificate" >> $GITHUB_OUTPUT
    echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
    echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
    echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
    echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
    echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
    echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
    echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
  shell: bash

Tip

The following tool paths are provided above:

  • DigiCert​​®​​ KeyLocker client tools

    C:\Program Files\DigiCert\DigiCert Keylocker Tools

  • Signtool.exe

    C:\Program Files (x86)\Windows Kits\10\App Certification Kit

  • Mage.exe

    C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools

Client tool setup

Connect the KSP to GitHub actions and verify that it works.

Client control setup

To invoke the client control from GitHub actions

Download and install the Keylockertools-windows-x64.msi using curl command given below:

- name: Setup SSM KSP on windows latest
  run: |
    curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
    msiexec /i Keylockertools-windows-x64.msi /quiet /qn
  shell: cmd

Note

“curl” command is used to install the Keylockertools-windows-x64.msi installer and “msiexec” is used to silently install the Keylockertools-windows-x64.msi.

Verify the KSP

To verify the KSP is registered, run:

- name: Register KSP
  run: |
    smctl windows ksp list
  shell: cmd

Integration with GitHub actions

Find Signtool and Mage

Command to find signtool:

- name: Find Signtool
  run: |
    dir "C:\Program Files (x86)\Microsoft SDKs\Windows\ " /s /b | findstr /i signtool.exe
  shell: cmd

Command to find Mage:

- name: Find Signtool
  run: |
      dir "C:\Program Files (x86)\Microsoft SDKs\Windows\ " /s /b | findstr /i mage.exe
  shell: cmd

Sign

You can sign with Mage, NuGet, or SignTool.

Sign with Mage

To sign with Mage:

- name: Signing using mage
  run: |
    mage.exe -sign <file_name> -CertHash <hash_or_cert_fingerprint> -a sha256RSA
 shell: cmd

Sign with NuGet

To sign with NuGet:

- name: Signing using nuget
  run: |
    nuget sign <package folder> -Timestamper http://timestamp.digicert.com -outputdirectory <output folder> -Certificate Fingerprint <SHA1 Thumbprint> -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
  shell: cmd

Sign with SignTool

To sign with SignTool:

- name: Signing using signtool
  run: |
    signtool.exe sign /sha1 <certificate thumbprint> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file to be signed>
 shell: cmd

Verify signature

You can verify a signature using Mage, NuGet, or SignTool.

Verify signature with Mage

To verify a signature with Mage:

- name: Mage verify
  run: |
    mage -Verify <Path to signed .application file>
  shell: cmd- name: Mage verify
run: |
mage -Verify <path to signed .application file>
shell: cmd

The only input required here is the path to the signed .application file.

Verify signature with NuGet

To verify a signature with NuGet:

- name: Nuget verify
  run: |
    nuget verify -All <output folder>\*
  shell: cmd- name: Nuget verify
run: |
nuget verify -All <output folder>\*
shell: cmd

The only input required here is the path to the signed folder.

Verify signature with SignTool

To verify a signature with SignTool:

- name: Signtool verify
  run: |
    signtool verify /v /pa <Path to the signed exe/DLL>
  shell: cmd- name: Signtool verify
run: |
signtool verify /v /pa <path to the signed .exe or .dll>
shell: cmd

The only input for this step is the path to the signed .exe or .dll file that needs to be verified.

Sample GitHub actions

KSP Signing using GitHub action

name: 'build and release electron installer'
on:
  push:
    tags:
      - 'v*'
      
jobs:
  release:
    runs-on: ${{ matrix.os }}
    
    strategy:
      matrix:
        os: [windows-latest]
        
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v2

      - name: Install Node.js, NPM and Yarn
        uses: actions/setup-node@v2
        with: 
          node-version: 14
        
      - name: Build/release Electron app
        uses: samuelmeuli/action-electron-builder@v1
        with: 
          github_token: ${{ secrets.github_token }}
          release: ${{ startsWith(github.ref, 'refs/tags/v') }}
          build_script_name: dist

      - name: NuGet Install
        uses: NuGet/setup-nuget@v1.0.5
        with:
          nuget-version: latest

      - name: Setup Certificate
        run: |
          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
          cat /d/Certificate_pkcs12.p12
        shell: bash

          
      - name: Set variables
        id: variables
        run: |
          echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
          echo "KEYPAIR_NAME=gt-standard-keypair" >> $GITHUB_OUTPUT
          echo "CERTIFICATE_NAME=gt-certificate" >> $GITHUB_OUTPUT
          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
          echo "C:\Program Files\DigiCert\ DigiCert Keylocker Tools" >> $GITHUB_PATH
        shell: bash

      - name: Setup SSM KSP on windows latest
        run: |
          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
          msiexec /i Keylockertools-windows-x64.msi /quiet /qn
          smctl windows ksp list
          smctl.exe keypair ls
          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
          smctl windows certsync
        shell: cmd

      - name: Signing using Signtool
        run: |
          signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "D:\a\github-action-electron\github-action-electron\dist\my-electron-app Setup ${{ steps.variables.outputs.version }}.exe"
          signtool.exe verify /v /pa "D:\a\github-action-electron\github-action-electron\dist\my-electron-app Setup ${{ steps.variables.outputs.version }}.exe"

      - name: Signing using Nuget
        run: |
          copy D:\a\github-action-electron\github-action-electron\UNSIGNED.nupkg D:\a\github-action-electron\github-action-electron\dist\UNSIGNED.nupkg
          nuget sign "D:\a\github-action-electron\github-action-electron\dist\UNSIGNED.nupkg" -Timestamper http://timestamp.digicert.com -outputdirectory "D:\a\github-action-electron\github-action-electron\dist\Signed" -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
          nuget verify -All "D:\a\github-action-electron\github-action-electron\dist\Signed\*"

      - name: Signing using Mage
        run: |
          copy D:\a\github-action-electron\github-action-electron\UNSIGNED2.manifest D:\a\github-action-electron\github-action-electron\dist\UNSIGNED2.manifest
          mage.exe -sign "D:\a\github-action-electron\github-action-electron\dist\UNSIGNED2.manifest" -CertHash ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -a sha256RSA
          mage -Verify "D:\a\github-action-electron\github-action-electron\dist\UNSIGNED2.manifest"

      - name: Upload artifacts
        uses: actions/upload-artifact@v2
        with:
          name: ${{ matrix.os }}
          path: |
            dist

How to run and build the code

  1. Update the version in your project's package.json file ( e.g. 1.2.3)

  2. Commit that change (git commit -am v1.2.3)

  3. Tag your commit (git tag v1.2.3). Make sure your tag name's format is v*.*.*.

    Note

    Your workflow will use this tag to detect when to create a release.

  4. Push your changes to GitHub (git push &amp;&amp; git push --tags)

Related articles

Troubleshooting

: