DigiCert-ONE-Clients-x.x.x-win-x64.exe
Signer guide
The Signer role is for engineers or authenticated systems that sign software using keys stored in DigiCert® Software Trust Manager.
Signing can be performed using Software Trust Manager client tools, third-party integrations, or APIs. As a Signer, you use keypairs and certificates stored securely in Software Trust Manager to sign files locally or in automated workflows, such as build pipelines or release processes.
Signers are not typically responsible for creating or managing keypairs, certificates, user roles, or permissions. Those tasks are usually handled by account Leads.
This guide helps you get ready to sign quickly and confidently.
Note
For account Leads
Users with the Lead role also have permission to sign software. If you are a Lead preparing to sign software yourself, this guide applies to you as well. For broader setup tasks such as creating keypairs, certificates, and assigning roles, see the Lead get started guide.
Before you begin
This guide assumes
You have been assigned the Signer role
Your Lead has already created a Keypair and default certificate
You will need
A file or folder to sign
Optional
Access to a CI/CD environment for automated signing
SMCTL is Software Trust Manager's command line interface (CLI) and supports multiple ways to sign software using keys stored in Software Trust Manager. Choose the approach that best fits your workflow and level of control.
Most users should start with simple signing. It requires fewer dependencies, is easier to configure, and is the recommended approach for most signing workflows.
Your choice affects which tools you need to install and how you perform signing.
Simple signing uses SMCTL to sign files directly without requiring third-party signing tools.
Pros
Use the
--simpleflag in your sign commandNo third-party tools or external signing infrastructure required
Supports bulk signing
Use the
--unsignedflag to ensure only unsigned files are signed
Considerations
Supports fewer file types, see Files supported for signing
Does not capture signing metadata such as timestamps, tools, or checksums
Traditional signing integrates SMCTL with third-party signing tools that are specific to your platform and file types.
Pros
Supports a wider range of file types, see Files supported for signing
Captures full signing metadata
Considerations
Requires installing and configuring third-party tools (for example, signtool, jarsigner, or osslsigncode)
Require additional Software Trust client tools such as KSP, CSP, or PKCS#11 cryptographic libraries.
Does not support bulk signing
Click-to-sign is a desktop application that integrates with SMCTL and provides a graphical interface for signing files.
It uses:
The default keypair and certificate configured in Click-to-sign
The default keypair and certificate configured in Click-to-sign
Use Click-to-sign if you:
Prefer a UI over the command line
Want a simpler signing experience
Are signing files manually or occasionally
Considerations
Only compatible with Windows 10
Want a simpler signing experience
Does not support bulk signing
Instead of using SMCTL, you can continue signing directly with supported third-party signing tools while your private key remains securely stored in Software Trust Manager.
You authenticate the third-party tool to Software Trust Manager using the appropriate cryptographic library.
Pros
Continue using signing tools you are already familiar with
Minimal change to existing signing workflows
Considerations
Different signing tools are required for different file types
Each tool uses its own command syntax and options, which you must manage
Bulk signing and workflow consistency depend on the capabilities of each tool
Use the DigiCert ONE Clients app to download and manage Software Trust client tools.
The app:
Automatically handles static or dynamic authentication.
Supports optional auto-updates to keep tools current
Provides the client tools available for your operating system
Sign in to DigiCert ONE.
In the Managers () menu, select Software Trust.
On the DigiCert ONE Clients tab, select Resources > Client tool repository.
Select the download icon next to DigiCert ONE Clients.
In the pop-up, select your operating system.
Tip
DigiCert ONE Clients displays tools compatible with your selected operating system.
Select Download.
Run the DigiCert ONE Clients installer for your operating system and follow the setup wizard:
In the setup wizard:
Read DigiCert's Master Services Agreement, then select I agree.
Select the installation scope:
Anyone who uses this computer
Only for myself
Select the installation location or use the default path.
Select Install.
Optional: Select the checkbox Run DigiCert ONE Clients if you want to open the application immediately.
Select Finish.
The client tools you need depend on the signing approach you choose:
Simple signing uses SMCTL to sign files directly and does not require third-party signing tools or additional signing infrastructure.
Tip
You will download these SMCTL in the next step.
For traditional signing, install the following:
SMCTL
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library you need?
The file type you want to sign determine which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types .
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tool in the next step.
For Click-to-sign, install the following:
DigiCert Click-to-sign
SMCTL
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library you need?
The file type you want to sign determine which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types .
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tool in the next step.
For signing directly with third-party signing tools, install the following:
Third-party signing tools based on the file types you want to sign
Cryptographic libraries required to integrate with those tools (such as CSP, KSP, or PKCS#11)
Which cryptographic library you need?
The file type you want to sign determine which signing tool you use. The cryptographic library you need depends on that signing tool.
To identify the cryptographic library you'll need:
Identify the file types you want to sign in the list of supported file types .
Identify the signing tool associated with those file types.
Select the signing tool name in the table to view installation and integration instructions.
Follow the instructions to install the signing tool.
Identify which Software Trust client tool it requires for signing.
Note: You will download these client tool in the next step.
Open DigiCert ONE Clients.
On the My client tools page, find the tool you want to install.
Select Install.
In the installation dialog:
SMCTL will now show in the Installed section of DigiCert ONE Clients.
Find SMCTL in DigiCert ONE Clients.
Select Open.
Run the command:
smctl healthcheck
Review the following sample output:
--------- User credentials ------ Status: Connected Username: john.doe Accounts: Win The Customer, LLC Authentication: 2FA Environment: Prod Credentials: Host: https://clientauth.one.digicert.com API key: 012345fe67a1234f56a7d8c911_055xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd6 (Pulled from OS credential store) Client certificate file path: C:\Users\John.Doe\.digicert-ucpc\certs\1ec2dcd3-c4d5-481a-67a1-b891cc0c1234\20260122133923-480f4000-f123-4567-bd89-1cde2d834567.p12 Client certificate password: 1+cJxxxxxxmt (Pulled from OS credential store) Privileges: Can sign: Yes Can approve release window: Yes Can revoke certificate: Yes Permissions: Account Manager: VIEW_AM_USER VIEW_AM_ORGANIZATION MANAGE_AM_PERMISSION VIEW_AM_ROLE VIEW_AM_ACCOUNT VIEW_AM_AUDIT_LOG Keypairs: MANAGE_SM_KEYPAIR VIEW_SM_KEYPAIR Certificates: VIEW_SM_CERTIFICATE REVOKE_SM_CERTIFICATE Other permissions: MANAGE_SM_CC_API_KEY --------- Signing tools --------- Nuget: Mapped: No Jarsigner: Mapped: No Apksigner: Mapped: No Signtool 32 bit: Mapped: No Signtool: Mapped: Yes Path: C:\Program Files (x86)\Windows Kits\10\bin\10.0.33621.0\x64\signtool.exe Mage: Mapped: NoTip
If the check is successful, the output shows Status: Connected.
Integrate Software Trust into continuous integration and continuous deployment (CI/CD) pipelines. CI/CD integrations automate and streamline the software development and deployment process. Software Trust offers CI/CD plugins and script integrations which are both methods used to incorporate CI/CD functionality into your software development workflow. While plugins are easier to use, script integrations offer more flexibility.
To automate signing as part of your CI/CD workflows, refer to CI/CD integrations.
Review the following documents to learn how to sign while your private key remains in Software Trust.