DigiCert® Click-to-sign

DigiCert Click-to-sign is a DigiCert® KeyLocker client tool that simplifies code signing, using a right-click context menu to sign filers or folders, removing the need for command-line interaction.

Before you begin

Review the following statements:

DigiCert® Click-to-sign relies on Signing Manager Controller (SMCTL) and PKCS#11 library to sign.
These client tools must be stored in the C:\Program Files\DigiCert\DigiCert KeyLocker Tools\ folder to be used by DigiCert Click-to-sign.
SignTool is not included in the DigiCert-provided Windows client tools package. To learn how to download SignTool, see Download SignTool.

Prerequisites

Windows 10 or Windows 11 operating system
.NET Framework (version 4.7 or higher)
Signing Manager Controller (SMCTL)
PKCS#11 library
DigiCert ONE API key
DigiCert ONE client authentication certificate
Integrated third-party signing tools
Keypair and associated certificate
Windows SDK (to use SignTool)
- SignTool is not included in the DigiCert-provided Windows client tools package.
- To learn how to download SignTool, see Download SignTool.
File or folder to be signed

Supported file types

DigiCert Click-to-sign supports the use of any signing tool supported by Signing Manager Controller (SMCTL) and PKCS#11 library, including:

表 1. File types supported for signing on Windows

Signing tool	File type
Jarsigner	.ear
	.jar
	.sar
	.war
Mage	.application
	.manifest
	.vsto
NuGet	.nupkg
Signtool (64-bit)	.appx
	.appxbundle
	.arx
	.cab
	.cat
	.cbx
	.cpl
	.crx (only MS-DOS EXE package format)
	.dbx
	.deploy
	.dll
	.drx
	.efi
	.exe
	.js
	.msi
	.msix
	.msixbundle
	.msm
	.msp
	.ocx
	.psi
	.psm1
	.stl
	.sys
	.vbs
	.vsix
	.vxd
	.wsf
	.xap
	.xsn
SignTool (32-bit)	.doc
	.docm
	.dot
	.dotm
	.mpp
	.mpt
	.pot
	.potm
	.ppa
	.ppam
	.pps
	.ppsm
	.ppt
	.pptm
	.pub
	.vdw*
	.vdx*
	.vsd*
	.vsdm
	.vss*
	.vssm
	.vst*
	.vstm
	.vsx*
	.vtx*
	.wiz*
	.xla
	.xlam
	.xls
	.xlsb
	.xlsm
	.xlt
	.xltm

Download DigiCert Click-to-sign

In the Managers () menu, select KeyLocker.
In the KeyLocker menu, go to Resources > Client tool repository.
Download DigiCert Click-to-sign Installer.

Install DigiCert Click-to-sign

Run the DigiCert_Click_to_sign.msi application.
- The file's default location is: C:\Program Files\DigiCert\DigiCert KeyLocker Tools\ DigiCert_Click_to_sign.msi.
In the DigiCert Click-to-sign installation wizard, complete the following:

例 1. Step: Enter credentials

DigiCert Click-to-sign client tool needs to integrate with DigiCert ONE REST APIs to validate you and stores your user credentials to expedite future signings.

Provide the DigiCert ONE host value: https://clientauth.one.digicert.com.
Enter your KeyLocker API key string.
Provide the path to your client authentication certificate.
Enter the password for your client authentication certificate.
If you are using JarSigner, enter the path to your PKCS#11 configuration file. The default path is: C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg
Select Save API key and client certificate password to Windows credential store to avoid having your credentials stored in the environment variables as plain text.
Select Next.
When the wizard confirms that your credentials have been saved, select OK.

例 2. Step 2: Select certificate

DigiCert Click-to-sign requires you to choose a certificate to sign with. The default certificate associated with the chosen keypair is automatically selected.

To select the certificate to sign with:

Select a keypair from the list, and then select Next.
Verify that the default certificate information displayed is correct.
Select Next.
When the wizard confirms that the keypair and certificate have been saved, select OK.

例 3. Step: Configure preferences

DigiCert Click-to-sign needs to store your signing preferences so that you simply need to right-click on a file or folder to sign it.

For Digest algorithm, select a digest algorithm to sign with.
注意
As a best practice, consider SHA256 because it keeps your signatures secure.
For Include timestamp, select the checkbox to include a timestamp in your signature.
注意
Consider including timestamps because it is a code signing best practice to extend the trust of signed software beyond the validity of the signing certificate.
Select Next.
When the wizard confirms that the settings have been saved, select OK.
A final window appears to explain how to sign. Select Finish.

Set PATH environment variable

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your DigiCert ONE Signing Manager Tools to ensure that the DigiCert® Click-to-sign can reference these tools.

You can set the PATH environment variable to DigiCert ONE Signing Manager Tools using command line or environment variables.

To set the path to your signing tools via command line, review the following command:

set PATH=%path%;<Path to DigiCert ONE Signing Manager Tools folder>

Review the following command sample:

set PATH=%path%;C:\Program Files\DigiCert\DigiCert One Signing Manager Tools

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double-click on the Path variable.
Select New.
Select Browse.
Provide the path to DigiCert ONE Signing Manager Tools: C:\Program Files\DigiCert\DigiCert One Signing Manager Tools
Select OK to save the path.
Select OK to close the dialog.

Review and sign files

To sign a file immediately using the default settings you selected during the configuration:

Open File Exporer, and then right-click on the file you want to sign.
Select DigiCert® Click-to-sign > Sign now.

To review a file and the default settings before signing:

Open File Explorer, and then right-click on the file you want to sign.
Select DigiCert® Click-to-sign > Review and sign.
Review the selected file and default settings.
Select Sign.

To review multiple files and the default settings before signing:

Open File Explorer, and then right-click on the folder you want to sign.
Select DigiCert® Click-to-sign > Review and sign.
Review the selected files and default settings.
Select Sign.
- Depending on the number of files, it may take a few minutes to complete the sign process.

Change default settings

To update your default user credentials, signing algorithm, timestamp settings, and certificate:

Right-click on the file.
Select DigiCert® Click-to-sign > Settings.
Change your preferences.
Select Save.

Troubleshooting

Healthcheck errors

(1) Review the following healthcheck error

Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

This error indicates the following potential issues:

The path set in your environment variables is incorrect. To troubleshoot:
- Open your environment variables, and then ensure that the following variable is correct:
  - Variable name: SM_CLIENT_CERT_FILE
  - Variable value: C:\clientcertpath\Certificate_pkcs12.p12
The use of an incorrect client certificate password. To troubleshoot:
- Run the following command to delete your credentials:
```
smctl credentials delete
```
- Add your credentials again:
```
smctl credentials save <API token> <client certificate password>
```
The client certificate was generated and encrypted using AES and a SHA-256 signature hash, which is not supported by older versions of Windows. To troubleshoot:
- Generate a new client certificate, and then select AES with a SHA-1 signature hash or select 3DES encryption.

(2) Review the following healthcheck error:

Status: Connection failed

This error indicates an invalid API key. To troubleshoot:

Ensure that you have entered the correct API key string. This is displayed in the healthcheck results under Credentials.
- If the API key string is incorrect, delete the existing credentials by running the following command:
```
smctl credentials delete
```
- When the credentials have been deleted, add the correct credentials by running the following command:
```
smctl credentials save <API token> <client certificate password>
```

(3) Review the following healthcheck error:

SignTool: Mapped: No

This error indicates that KeyLocker tools is unable to locate the path to signtool.exe.

Check your environment variables to ensure that the correct path to SignTool has been added.
- The default path for SignTool is C:\Program Files (x86)\Windows Kits\10\bin\xxxx\x64 where xxxx is the version number.
  - For example, C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64.

(4) Review the following healthcheck error:

Jarsigner: Mapped: No

This error indicates that KeyLocker tools is unable to locate the path to jarsigner.exe. To troubleshoot:

Check your environment variables to ensure that the correct path to JarSigner has been added.
- The default path for JarSigner is C:\Program Files\Java\xxxx\bin where xxxx is the version number.
  - For example, C:\Program Files\Java\jdk-17\bin.

Signing errors

When signing is unsuccessful, the following error message appears:

Signing failed
Failed to sign “<file name>”

This error message can appear for several reasons. As a result, to understand the cause, review the signing manager log files to understand the specific issue.

Log files are located in:

C:\Users\<user name>\.signingmanager\logs

The primary log file for Click-to-Sign is digicert-click-to-sign.log. This log file tracks all activity within the Click-to-Sign tool.

When a signing failure occurs, the following lines in the log file appear:

INFO cts.SignStart - Sign failed for the file - C:\filestosignpath\myfile
INFO cts.SignStart - getting error message from cmd line

Once you have confirmed that a signing error has occurred, review the log files for your signing tool (Click-to-Sign / SMCTL, SignTool, or JarSigner).

Click-to-Sign / SMCTL

For Click-to-Sign / SMCTL, review the smctl.log file.

Review the following Click-to-Sign / digicert-click-to-sign.log errors:

INFO cts.SignStart - Sign failed for the file - C:\filestosignpath\myfile
INFO cts.SignStart - getting error message from cmd line

This error message confirms there was a problem with the signing process. However, it doesn't indicate any specific cause for a failed signing attempt. To troubleshoot:

Ensure that the path to your KeyLocker tools installation folder has been added to your environment variables.
- The default path is C:\Program Files\DigiCert\DigiCert Keylocker Tools.

If this path has been mapped correctly, then review the smctl.log for more information.

(1) Review the following Click-to-Sign / smctl.log error:

level="error" msg="Error :  - exec: \"signtool\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

This error indicates that Click-to-Sign is unable to locate the path to signtool.exe. To troubleshoot:

Check your environment variables and ensure that the correct path to SignTool has been added.
- The default path for SignTool is C:\Program Files (x86)\Windows Kits\10\bin\xxxx\x64 where xxxx is the version number.
  - For example, C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64.

(2) Review the following Click-to-Sign / smctl.log error:

level="error" msg="Error :  - exec: \"jarsigner\": executable file not found in %PATH%: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

This error indicates that Click-to-Sign is unable to locate the path to jarsigner.exe. To troubleshoot:

Check your environment variables and ensure that the correct path to JarSigner has been added.
- The default path for SignTool is C:\Program Files\Java\xxxx\bin where xxxx is the version number.
  - For example, C:\Program Files\Java\jdk-17\bin.

(3) Review the following Click-to-Sign / smctl.log errors:

level="error" msg="Error : jarsigner error: java.lang.Exception: Provider \"sun.security.pkcs11.SunPKCS11\" not found\r\n - exit status 1: " executable="smctl" func="securesigning/cli/cli/command/sign.runCommand:78"

This error indicates that the path to your PKCS#11 properties file hasn't been mapped correctly. To troubleshoot:

Open Click-to-Sign, and then update the Pkcs11 configuration file field.
- The default path is: C:\Program Files\DigiCert\DigiCert KeyLocker Tools\pkcs11properties.cfg.

SignTool errors

For SignTool, review the smksp.log file.

(1) Review the following SignTool / smksp.log error:

level="error" msg="failed to sign: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - <User Name> does not have privileges to access the keypair - mykeylockertcert.\"}}, nested_error=<nil>" executable="signtool" func="main.SMKSPSignHashInternal:727

This error indicates that you haven't assigned a signer to your code signing certificate. To troubleshoot:

In DigiCert ONE, assign a signer for your certificate. To learn more, see Verify that you're ready to sign (optional).

This error can also indicate if the incorrect keypair alias was specified in the signing command. To troubleshoot:

Ensure that you've selected the correct keypair alias in Click-to-Sign. To learn how to view a keypair alias, see View certificates.

JarSigner errors

For JarSigner, review the smpkcs11.log file.

(1) Review the following SignTool / smksp.log error:

level="error" msg="failed to sign, nested_error=\"hash signing failed for hash: 72e6ca0f8566785e48b00630f32c13af7945f7c6139b03ea87bc2f51fea62e76, keypair_id: e57271a3-53f5-4540-8d8a-23f8854cb7fd, signature_algorithm: SHA256withRSA: status_code=403, message={\"error\":{\"status\":\"access_denied\",\"message\":\"User - <User Name> does not have privileges to access the keypair - key_linux.\"}}, nested_error=<nil>\"" executable="jarsigner" func="securesigning/cli/pkcs11.(*Context).SignFinal:411"

This error indicates that you haven't assigned a signer to your code signing certificate. To troubleshoot:

In DigiCert ONE, assign a signer for your certificate. To learn more, see Verify that you're ready to sign (optional).

This error can also indicate if the incorrect keypair alias was specified in the signing command. To troubleshoot:

Ensure that you've selected the correct keypair alias in Click-to-Sign. To learn how to view a keypair alias, see View certificates.

jSign errors

注意

jSign is not listed among the mapped signing tools in the healthcheck.

(1) Review the following jSign error

'jsign' is not recognized as an internal or external command, operable program or batch file.

This error indicates that the path to jsin.exe is not mapped correctly. To troubleshoot:

Open your environment variables, and then ensure that the path to jsign.exe has been added as a variable.

(2) Review the following jSign error:

This error indicates that your KeyLocker credentials have not been configured or the incorrect API key was used. To troubleshoot:

If the API key string is incorrect, delete the existing credentials by running the following command:
```
smctl credentials delete
```

To add your credentials, run the following command:

smctl credentials save <API token> <client certificate password>

(3) Review the following jSign error:

jsign: Couldn't sign C:\filestosignpath\myfile.exejava.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:671)        at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)        at java.base/java.security.Signature.sign(Signature.java:712)        at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)        at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)        at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)        at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)        at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:50)        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:373)        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:348)        at net.jsign.SignerHelper.sign(SignerHelper.java:394)        at net.jsign.JsignCLI.execute(JsignCLI.java:132)        at net.jsign.JsignCLI.main(JsignCLI.java:40)Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED        at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)        at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:621)        ... 12 moreTry `java -jar jsign.jar --help' for more information.

This error indicates that the password for your client is incorrect. To troubleshoot:

Delete the existing credentials by running the following command:
```
smctl credentials delete
```
Once the credentials have been deleted, add the correct credentials by running this command:
```
smctl credentials save <API token> <client certificate password>
```

This error could also indicate that you haven't added a signer to your certificate. To troubleshoot:

In DigiCert ONE, assign a signer for your certificate. To learn more, see Verify that you're ready to sign (optional).

(4) Review the following jSign error:

Error: Unable to access jarfile <file path>

This error indicates that the path to jsign5-0.jar contains spaces, such as C:\jsign path\jsign-5.0.jar. To troubleshoot:

Enclose the full path to the file in quotation marks:
```
“C:\jsign path\jsign-5.0.jar”
```

(5) Review the following jSign error:

jsign: The file <file path> couldn’t be found

This error indicates that either the pkcs11properties.cfg file or the file that you want to sign can't be found. To troubleshoot:

Ensure that the correct paths and file names have been included in your signing command. If the path contains spaces, enclose the full path to the file in quotation marks:
```
"C:\files to sign path\myfile.exe" 
```

(6) Review the following jSign error:

jsign: No certificate found under the alias '<keypairalias>' in the keystore SunPKCS11-signingmanager (available aliases: <keypairalias1>, <keypairalias2>)Try `java -jar jsign.jar --help' for more information.

This error indicates that that an incorrect keypair alias was referenced in the signing command. To troubleshoot:

Ensure that you use the correct keypair alias in the signing command. To learn how to view a keypair alias, see View certificates.

(7) Review the following jSign error:

jsign: keystore option should either refer to the SunPKCS11 configuration file or to the name of the provider configured in jre/lib/security/java.securityTry `java -jar jsign.jar --help' for more information.

This error indicates that jSign cannot locate your pkcs11properties.cfg file. To troubleshoot:

Ensure that you are referencing the correct file name and path in your signing command.

Additional troubleshooting content

Error message / issue	Troubleshooting steps
Invalid API key or host server	Ensure that you entered the correct API key string in the API key field. Ensure that you entered https://clientauth.one.digicert.com in the Host field.
Invalid client certificate or password	Ensure that you specified the correct path for the correct client certificate file. Ensure that you entered the correct password for your client certificate.

本节内容如下:

DigiCert​​®​​ Click-to-sign