How to Integrate eSigner CKA with CI/CD Tools for Automated Code Signing


The two tables below demonstrate how to integrate eSigner CKA with Continuous Integration/Continuous Delivery (CI/CD) tools for automated code signing. Guides for CircleCI, GitHub Actions, Gitlab CI, and Travis CI are provided for signing .NET files. Guides for Azure Pipeline, GitHub Actions, Gitlab CI, and Travis CI are provided for signing .vsix files.

eSigner CKA (Cloud Key Adapter) is a Windows-based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations.

Three prerequisites have to be met before being able to conduct eSigner-based code signing on CI/CD tools:


.vsix Signing Example Workflows

Environment Variables
  • USERNAME: SSL.com account username. (Required)
  • PASSWORD: SSL.com account password. (Required)
  • TOTP_SECRET: OAuth TOTP secret. For details, see “Automate eSigner EV Code Signing” on SSL.com. (Required)
  • MODE: ‘sandbox’ or ‘product’. (Required)
GitHub Integration | Azure Pipeline | Gitlab CI Integration | Travis CI Integration

GitHub Integration

.vsix Signing Example Workflow

    # The name of the workflow.
    name: Sign Artifact

    # Trigger this workflow on a push
    on: push

    # Create an environment variable
    env:
      MASTER_KEY: master.key
      SIGNABLE_FILE_PATH: HelloWorld.dll
      SIGNABLE_VSIX_FILE_PATH: SSLcom.vsix
      INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
      MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key

    jobs:
      # Defines job named "sign-file"
      sign-file:
        # Run job on Windows Runner
        runs-on: windows-latest
        # When the workflow runs, this is the name that is logged
        name: Sign DLL File with eSignerCKA

        steps:
          # 1) Check out the source code so that the workflow can access it.
          - name: Checkout Repository
            uses: actions/checkout@v3

          # 2) Download and Unzip eSignerCKA Setup
          - name: Download and Unzip eSignerCKA Setup
            run: |
              Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
              Expand-Archive -Force eSigner_CKA_Setup.zip
              Remove-Item eSigner_CKA_Setup.zip
              Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"

          # 3) Install eSignerCKA
          - name: Setup eSignerCKA in Silent Mode
            run: |
              New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
              ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null

          # 4) Set SSLcom account information
          - name: Config Account Information on eSignerCKA
            run: |
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ secrets.MODE }}" -user "${{ secrets.USERNAME }}" -pass "${{ secrets.PASSWORD }}" -totp "${{ secrets.TOTP_SECRET }}" -key "${{ env.MASTER_KEY_FILE }}" -r

          # 5) Unload and Load certificate to windows certificate store
          - name: Load Certificate into Windows Store
            run: |
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load

          # 6) Select code signing certificate and get thumbprint for signing
          - name: Select Certificate From Windows Store
            run: |
              $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
              echo "THUMBPRINT=$($CodeSigningCert.Thumbprint)" >> $env:GITHUB_ENV

          # 7) Sign artifact with signtool
          - name: Sign Sample File with SignTool
            run: |
              & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 ${{ env.THUMBPRINT }} ${{ env.SIGNABLE_FILE_PATH }}

          # 8) Upload eSignerCKA Logs
          - name: Upload eSignerCKA Logs
            uses: actions/upload-artifact@v3
            if: ${{ always() }}
            with:
              name: eSignerCKA-Logs-DLL
              path: C:\Users\runneradmin\AppData\Roaming\eSignerCKA\KSP

      # Defines job named "sign-vsix-file"
      sign-vsix-file:
        # Run job on Windows Runner
        runs-on: windows-latest
        # When the workflow runs, this is the name that is logged
        name: Sign VSIX File with eSignerCKA
        steps:
          # 1) Check out the source code so that the workflow can access it.
          - name: Checkout Repository
            uses: actions/checkout@v3

          # 2) Set up the .NET CLI environment for the workflow to use.
          - name: Setup Dotnet Core
            run: |
              choco install dotnet-runtime -y

          # 3) Download and Unzip eSignerCKA Setup
          - name: Download and Unzip eSignerCKA Setup
            run: |
              Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip"
              Expand-Archive -Force eSigner_CKA_Setup.zip
              Remove-Item eSigner_CKA_Setup.zip
              Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"

          # 4) Install eSignerCKA
          - name: Setup eSignerCKA in Silent Mode
            run: |
              New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
              ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null

          # 5) Set SSLcom account information
          - name: Config Account Information on eSignerCKA
            run: |
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ secrets.MODE }}" -user "${{ secrets.USERNAME }}" -pass "${{ secrets.PASSWORD }}" -totp "${{ secrets.TOTP_SECRET }}" -key "${{ env.MASTER_KEY_FILE }}" -r

          # 6) Unload and Load certificate to windows certificate store
          - name: Load Certificate into Windows Store
            run: |
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
              ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load

          # 7) Select code signing certificate and get thumbprint for signing
          - name: Select Certificate From Windows Store
            run: |
              $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
              echo "THUMBPRINT=$($CodeSigningCert.Thumbprint)" >> $env:GITHUB_ENV

          # 8) Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
          - name: Install OpenOpcSignTool
            run: |
              New-Item -ItemType Directory -Force -Path C:\Users\runneradmin\Desktop\dotnet-tools
              Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
              Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool.zip
              Expand-Archive -LiteralPath C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\runneradmin\Desktop\dotnet-tools -Force

          # 9) Sign artifact with OpenOpcSignTool
          - name: Sign Sample File with OpenVsixSignTool
            run: |
              C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool --roll-forward LatestMajor sign --sha1 ${{ env.THUMBPRINT }} --timestamp http://ts.ssl.com -ta sha256 -fd sha256 "${{ env.SIGNABLE_VSIX_FILE_PATH }}"

          # 10) Upload eSignerCKA Logs
          - name: Upload eSignerCKA Logs
            uses: actions/upload-artifact@v3
            if: ${{ always() }}
            with:
              name: eSignerCKA-Logs-VSIX
              path: C:\Users\runneradmin\AppData\Roaming\eSignerCKA\KSP
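
The download steps above run an installer fetched at build time without checking it first. The following is an added example, not part of SSL.com's guide: a PowerShell gate that can sit between the download and the silent install, comparing the archive's SHA-256 with a value pinned in the repository and requiring a valid Authenticode signature on the extracted installer. The function name, its parameters and the placeholder hash are assumptions, and the signature check assumes the vendor signs the installer.

```powershell
# Added example: integrity gate for the eSigner CKA download step.
# Assert-InstallerIntegrity and its parameter names are hypothetical.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Assert-InstallerIntegrity {
    [CmdletBinding()]
    param(
        # Path to the downloaded archive, e.g. eSigner_CKA_Setup.zip
        [Parameter(Mandatory)] [string] $ArchivePath,
        # SHA-256 (hex) recorded out of band for the release you pinned
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{64}$')] [string] $ExpectedSha256,
        # Directory to extract the archive into
        [Parameter(Mandatory)] [string] $ExtractTo,
        # Optional: text expected in the signer certificate's subject
        [string] $ExpectedSignerSubject
    )

    # 1) Hash the archive before anything inside it is touched.
    $actual = (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
        throw "Archive hash mismatch: expected $ExpectedSha256, got $actual"
    }

    # 2) Extract and require exactly one installer executable.
    Expand-Archive -LiteralPath $ArchivePath -DestinationPath $ExtractTo -Force
    $installers = @(Get-ChildItem -LiteralPath $ExtractTo -Recurse -Filter *.exe -File)
    if ($installers.Count -ne 1) {
        throw "Expected exactly one installer in the archive, found $($installers.Count)"
    }

    # 3) Require a valid Authenticode signature on the installer.
    $sig = Get-AuthenticodeSignature -LiteralPath $installers[0].FullName
    if ($sig.Status -ne 'Valid') {
        throw "Installer signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($ExpectedSignerSubject -and
        $sig.SignerCertificate.Subject -notlike "*$ExpectedSignerSubject*") {
        throw "Unexpected installer signer: $($sig.SignerCertificate.Subject)"
    }

    # Hand back the verified installer path for the install step.
    return $installers[0].FullName
}

# Usage inside a CI step. The hash is a placeholder, not a real value.
# $installer = Assert-InstallerIntegrity -ArchivePath eSigner_CKA_Setup.zip `
#     -ExpectedSha256 '<SHA-256 of the release you verified, 64 hex characters>' `
#     -ExtractTo eSigner_CKA_Setup
# & $installer /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$env:INSTALL_DIR" | Out-Null
```

Pinning works with the versioned GitHub release URL used in this workflow; a URL that always serves the latest build will change hash whenever the vendor publishes a new version.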

 

Azure Pipeline

.vsix Signing Example Workflow

    # Continuous integration triggers
    trigger:
      - none

    # Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
    stages:
      - stage: sign
        # When the workflow runs, this is the name that is logged
        displayName: Sign File
        jobs:
          - job:
            pool:
              # Run job on Windows VMs
              vmImage: 'windows-latest'
            steps:
              # Download and Unzip eSignerCKA Setup
              - powershell: |
                  Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"
                  Expand-Archive -Force eSigner_CKA_Setup.zip
                  Remove-Item eSigner_CKA_Setup.zip
                  Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"
                displayName: 'Download and Unzip eSignerCKA Setup'

              # Setup eSignerCKA in Silent Mode and Check installation directory
              - powershell: |
                  ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$(Build.BinariesDirectory)\Desktop\eSignerCKA" | Out-Null
                  dir $(Build.BinariesDirectory)\Desktop\eSignerCKA
                  Get-ChildItem -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA
                displayName: 'Setup eSignerCKA in Silent Mode'

              # Config Account Information on eSignerCKA
              - powershell: |
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe config -mode $(MODE) -user "$(USERNAME)" -pass "$(PASSWORD)" -totp "$(TOTP_SECRET)" -key "$(Build.BinariesDirectory)\Desktop\eSignerCKA\master.key" -r
                displayName: 'Config Account Information on eSignerCKA'

              # Unload and Load Certificate into Windows Store
              - powershell: |
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe unload
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe load
                displayName: 'Unload and Load Certificate into Windows Store'

              # Select Certificate From Windows Store and Sign Sample File with SignTool
              - powershell: |
                  $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
                  Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
                  & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll
                displayName: 'Sign Sample File with SignTool'

              # Save artifact in order to use signing job
              - task: PublishBuildArtifacts@1
                displayName: 'Save to be signed artifact for downloading'
                inputs:
                  pathtoPublish: HelloWorld.dll
                  artifactName: HelloWorld.dll

      - stage: sign_vsix
        # When the workflow runs, this is the name that is logged
        displayName: Sign VSIX
        jobs:
          - job:
            pool:
              # Run job on Windows VMs
              vmImage: 'windows-latest'
            steps:
              # Download and Unzip eSignerCKA Setup
              - powershell: |
                  Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"
                  Expand-Archive -Force eSigner_CKA_Setup.zip
                  Remove-Item eSigner_CKA_Setup.zip
                  Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"
                displayName: 'Download and Unzip eSignerCKA Setup'

              # Setup eSignerCKA in Silent Mode and Check installation directory
              - powershell: |
                  ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="$(Build.BinariesDirectory)\Desktop\eSignerCKA" | Out-Null
                  dir $(Build.BinariesDirectory)\Desktop\eSignerCKA
                  Get-ChildItem -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA
                displayName: 'Setup eSignerCKA in Silent Mode'

              # Config Account Information on eSignerCKA
              - powershell: |
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe config -mode $(MODE) -user "$(USERNAME)" -pass "$(PASSWORD)" -totp "$(TOTP_SECRET)" -key "$(Build.BinariesDirectory)\Desktop\eSignerCKA\master.key" -r
                displayName: 'Config Account Information on eSignerCKA'

              # Unload and Load Certificate into Windows Store
              - powershell: |
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe unload
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe load
                displayName: 'Unload and Load Certificate into Windows Store'

              # Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
              - powershell: |
                  New-Item -ItemType Directory -Force -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools
                  Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
                  Move-Item -Path OpenVsixSignTool.zip -Destination $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip
                  Expand-Archive -LiteralPath $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip -DestinationPath $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools -Force
                displayName: 'Install OpenVsixSignTool to Custom Location'

              # Select Certificate From Windows Store and Sign Sample File with OpenOpcSignTool
              - powershell: |
                  $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
                  Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
                  $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool --roll-forward LatestMajor sign --sha1 $Thumbprint --timestamp http://ts.ssl.com -ta sha256 -fd sha256 SSLcom.vsix
                displayName: 'Sign Sample File with OpenOpcSignTool'

              # Save artifact in order to use signing job
              - task: PublishBuildArtifacts@1
                displayName: 'Save to be signed artifact for downloading'
                inputs:
                  pathtoPublish: SSLcom.vsix
                  artifactName: SSLcom.vsix

Gitlab CI Integration

    # Windows Runner
    .windows_runners:
      # Used to select runners from the list of available runners. A runner must have all tags listed here to run the job.
      tags:
        - shared-windows
        - windows
        - windows-1809

    # Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
    stages:
      - sign

    # Below is the definition of your job to sign file
    sign-file:
      # Define what stage the job will run in.
      stage: sign
      # Runner for Sign File on Windows
      extends:
        - .windows_runners
      before_script:
        # Create Install Dir
        - New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
      script:
        # Download and Unzip eSignerCKA Setup
        - Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"
        - Expand-Archive -Force eSigner_CKA_Setup.zip
        - Remove-Item eSigner_CKA_Setup.zip
        - Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"
        # Setup eSignerCKA in Silent Mode
        - ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\gitlab_runner\Desktop\eSignerCKA" | Out-Null
        # Check installation directory
        - dir C:\Users\gitlab_runner\Desktop\eSignerCKA
        # Check installation directory
        - Get-ChildItem -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
        # Config Account Information on eSignerCKA
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe config -mode ${MODE} -user "${USERNAME}" -pass "${PASSWORD}" -totp "${TOTP_SECRET}" -key "C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\master.key" -r
        # Unload Certificate into Windows Store
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe unload
        # Load Certificate into Windows Store
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe load
        # Check data directory
        - dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA
        # Check config data directory
        - dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\Config
        # Select Certificate From Windows Store
        - $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
        # Debug Certificate Thumbprint
        - Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
        # Sign Sample File with SignTool (the call operator & runs the quoted path)
        - powershell.exe -ExecutionPolicy Bypass -Command "Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll"

    # Below is the definition of your job to sign file
    sign-vsix:
      # Define what stage the job will run in.
      stage: sign
      # Runner for Sign File on Windows
      extends:
        - .windows_runners
      before_script:
        # Create Install Dir
        - New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
      script:
        # Download and Unzip eSignerCKA Setup
        - Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"
        - Expand-Archive -Force eSigner_CKA_Setup.zip
        - Remove-Item eSigner_CKA_Setup.zip
        - Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"
        # Setup eSignerCKA in Silent Mode
        - ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\gitlab_runner\Desktop\eSignerCKA" | Out-Null
        # Check installation directory
        - dir C:\Users\gitlab_runner\Desktop\eSignerCKA
        # Check installation directory
        - Get-ChildItem -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
        # Config Account Information on eSignerCKA
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe config -mode ${MODE} -user "${USERNAME}" -pass "${PASSWORD}" -totp "${TOTP_SECRET}" -key "C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\master.key" -r
        # Unload Certificate into Windows Store
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe unload
        # Load Certificate into Windows Store
        - C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe load
        # Check data directory
        - dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA
        # Check config data directory
        - dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\Config
        # Select Certificate From Windows Store
        - $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
        # Debug Certificate Thumbprint
        - Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
        # Install Dotnet Runtime 7.0
        - choco install dotnet-runtime -y
        # Install OpenVsixSignTool to Custom Location
        - New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\dotnet-tools
        - Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
        - Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool.zip
        - Expand-Archive -LiteralPath C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\gitlab_runner\Desktop\dotnet-tools -Force
        # Sign Sample File with OpenVsixSignTool
        - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool --roll-forward LatestMajor sign --sha1 $Thumbprint --timestamp http://ts.ssl.com -ta sha256 -fd sha256 "SSLcom.vsix"'

Travis CI Integration

.vsix Code DLL Signing Example Workflow

    # The CPU Architecture to run the job on
    arch: amd64

    # Default language to run tests in
    language: csharp

    # The Ubuntu distribution to use
    dist: bionic

    # The Operating System to run the job on
    os: windows

    # Specifies the order of build stages. All jobs in one stage must complete before next stage is executed.
    stages:
      - sign

    jobs:
      include:
        - stage: sign
          # The job name
          name: sign-file
          # The operating system to run the job on
          os: windows
          # Use default generic lang
          language: c
          # Before script to run before building the project
          before_script:
            # Create Install Dir
            - powershell.exe -ExecutionPolicy Bypass -Command 'New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom'
          # Script to build the project
          script:
            # Download and Unzip eSignerCKA Setup
            - powershell.exe -ExecutionPolicy Bypass -Command 'Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Expand-Archive -Force eSigner_CKA_Setup.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Remove-Item eSigner_CKA_Setup.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"'
            # Setup eSignerCKA in Silent Mode
            - powershell.exe -ExecutionPolicy Bypass -Command './eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom" | Out-Null'
            # Check installation directory
            - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom'
            # Config Account Information on eSignerCKA
            # (the single quotes keep the outer shell from expanding variables, so PowerShell reads them from the environment with $env:)
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe config -mode $env:MODE -user "$env:USERNAME" -pass "$env:PASSWORD" -totp "$env:TOTP_SECRET" -key "C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\master.key" -r'
            # Unload Certificate into Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe unload'
            # Load Certificate into Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe load'
            # Select Certificate From Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command '$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint'
            # Debug Certificate Thumbprint
            - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint'
            # Sign Sample File with SignTool (single-quoted so that PowerShell, not the outer shell, expands $Thumbprint)
            - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); & "C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'

        - stage: sign
          # The job name
          name: sign-vsix
          # The operating system to run the job on
          os: windows
          # Use default generic lang
          language: c
          # Before script to run before building the project
          before_script:
            # Create Install Dir
            - powershell.exe -ExecutionPolicy Bypass -Command 'New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom'
          # Script to build the project
          script:
            # Download and Unzip eSignerCKA Setup
            - powershell.exe -ExecutionPolicy Bypass -Command 'Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip "https://www.ssl.com/download/ssl-com-esigner-cka"'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Expand-Archive -Force eSigner_CKA_Setup.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Remove-Item eSigner_CKA_Setup.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Move-Item -Destination "eSigner_CKA_Installer.exe" -Path "eSigner_CKA_*\*.exe"'
            # Setup eSignerCKA in Silent Mode
            - powershell.exe -ExecutionPolicy Bypass -Command './eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom" | Out-Null'
            # Check installation directory
            - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom'
            # Config Account Information on eSignerCKA
            # (the single quotes keep the outer shell from expanding variables, so PowerShell reads them from the environment with $env:)
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe config -mode $env:MODE -user "$env:USERNAME" -pass "$env:PASSWORD" -totp "$env:TOTP_SECRET" -key "C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\master.key" -r'
            # Unload Certificate into Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe unload'
            # Load Certificate into Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe load'
            # Select Certificate From Windows Store
            - powershell.exe -ExecutionPolicy Bypass -Command '$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint'
            # Debug Certificate Thumbprint
            - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint'
            # Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
            - powershell.exe -ExecutionPolicy Bypass -Command 'New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip'
            - powershell.exe -ExecutionPolicy Bypass -Command 'Expand-Archive -LiteralPath C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools -Force'
            # Sign Sample File with OpenVsixSignTool (single-quoted so that PowerShell, not the outer shell, expands $Thumbprint)
            - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool --roll-forward LatestMajor sign --sha1 $Thumbprint --timestamp http://ts.ssl.com -ta sha256 -fd sha256 SSLcom.vsix'

For sample code, refer to the SSL.com GitHub repository at: https://github.com/SSLcom/esigner-sample

.NET Code DLL Signing Example Workflows

CircleCI Integration | GitHub Actions Integration | Gitlab CI Integration | Travis CI Integration

CircleCI Integration

.NET Code DLL Signing Example Workflow

Prepare the components of the workflow

  1. Create a .circleci folder in your editor. Workflows go in this folder; create a yml file named config.yml in it.
  2. Set the CircleCI version. The version field is intended to be used in order to issue warnings for deprecation or breaking changes.

    version: 2.1

  3. Orbs are reusable packages of CircleCI configuration that you may share across projects, enabling you to create encapsulated, parameterized commands, jobs, and executors that can be used across multiple projects. To use signtool, this needs to be the Windows orb.

    orbs:
      win: circleci/windows@5.0.0

  4. Invoke jobs via workflows. Workflows orchestrate a set of jobs to be run.

    workflows:
      # The name of the workflow.
      sign-file:
        # Inside the workflow, you define the jobs you want to run.
        jobs:
          - sign-file

  5. Define a job to be invoked later in a workflow.

    jobs:
      sign-file:

  6. Specify the execution environment. We must use the Windows executor because signtool is needed.

    executor:
      name: win/server-2019
      size: medium
      variant: vs 2019

  7. Place the working directory for the job.

    working_directory: /home/circleci/project

  8. Add steps to the job. See: https://circleci.com/docs/2.0/configuration-reference/#steps

    steps:

  9. Check out the source code so that the workflow can access it.

    - checkout

  10. Download and Unzip eSignerCKA Setup

    - run:
        name: Download and Unzip eSignerCKA Setup
        command: |
          Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip "https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3"
          Expand-Archive -Force eSigner_CKA_1.0.3.zip
          Remove-Item eSigner_CKA_1.0.3.zip
          Move-Item -Destination "eSigner_CKA_1.0.3.exe" -Path "eSigner_CKA_1.0.3\SSL.COM eSigner CKA_1.0.3.exe"

  11. Install eSignerCKA

    - run:
        name: Setup eSignerCKA in Silent Mode
        command: |
          mkdir -p "/home/circleci/project/eSignerCKA"
          ./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="/home/circleci/project/eSignerCKA" | Out-Null

  12. Set SSLcom account information on eSignerCKA

    - run:
        name: Config Account Information on eSignerCKA
        command: |
          /home/circleci/project/eSignerCKA/eSignerCKATool.exe config -mode $env:MODE -user "$env:USERNAME" -pass "$env:PASSWORD" -totp "$env:TOTP_SECRET" -key "/home/circleci/project/eSignerCKA/master.key" -r

  13. Unload and Load certificate to windows certificate store

    - run:
        name: Load Certificate into Windows Store
        command: |
          /home/circleci/project/eSignerCKA/eSignerCKATool.exe unload
          /home/circleci/project/eSignerCKA/eSignerCKATool.exe load

  14. Select code signing certificate and get thumbprint for signing and Sign artifact with signtool

    - run:
        name: Select Certificate From Windows Store and Sign Sample File with SignTool
        command: |
          $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
          & 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 "$($CodeSigningCert.Thumbprint)" "HelloWorld.dll"

GitHub Actions Integration

.NET Code DLL Signing Example Workflow

Prepare the components of the workflow

  1. Create a .github/workflows folder in your editor. Workflows go in this folder; create a sign.yml file in it.
  2. Name your project and the type of workflow involved.

    name: Sign Artifact

  3. Trigger this workflow on a push.

    on: push

  4. Create an environment variable.

    env:
      MASTER_KEY: master.key
      SIGNABLE_FILE_PATH: HelloWorld.dll
      INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
      MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key

  5. Define the jobs in your editor.

    jobs:
      sign-file:

  6. Run job on Windows Runner.

    runs-on: windows-latest

  7. Create a name. When the workflow runs, this is the name that is logged.

    name: Sign DLL File with eSignerCKA

Outline the steps for the Sign job

  1. Check out the source code so that the workflow can access it.

    - name: Checkout Repository
      uses: actions/checkout@v3

  2. Download and Unzip eSignerCKA Setup

    - name: Download and Unzip eSignerCKA Setup
      run: |
        Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip "https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3"
        Expand-Archive -Force eSigner_CKA_1.0.3.zip
        Remove-Item eSigner_CKA_1.0.3.zip
        Move-Item -Destination "eSigner_CKA_1.0.3.exe" -Path "eSigner_CKA_1.0.3\SSL.COM eSigner CKA_1.0.3.exe"

  3. Install eSignerCKA

    - name: Setup eSignerCKA in Silent Mode
      run: |
        New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
        ./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null

  4. Set SSL.com account information on eSignerCKA

    - name: Config Account Information on eSignerCKA
      run: |
        ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ secrets.MODE }}" -user "${{ secrets.USERNAME }}" -pass "${{ secrets.PASSWORD }}" -totp "${{ secrets.TOTP_SECRET }}" -key "${{ env.MASTER_KEY_FILE }}" -r

  5. Unload and Load certificate to windows certificate store

    - name: Load Certificate into Windows Store
      run: |
        ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
        ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load

  6. Select code signing certificate and get thumbprint for signing

    - name: Select Certificate From Windows Store
      run: |
        $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
        echo "THUMBPRINT=$($CodeSigningCert.Thumbprint)" >> $env:GITHUB_ENV

  7. Sign artifact with signtool

    - name: Sign Sample File with SignTool
      run: |
        & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 ${{ env.THUMBPRINT }} ${{ env.SIGNABLE_FILE_PATH }}

    Note: If this step is not working, try the solution below:

    Use C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\ instead of C:\Program Files (x86)\Windows Kits\10\App Certification Kit\ in the line

    You can also refer to this sample workflow for signing: https://github.com/SSLcom/esigner-sample/blob/main/.github/workflows/sign.yml#L37
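
Steps 6 and 7 take whichever code signing certificate comes first in the store and never check the signed file. The following is an added example, not part of SSL.com's guide or sample repository: it selects the certificate deterministically and then verifies the signtool-signed DLL. The helper names and the sample subject are assumptions, and the verification assumes 'product' mode with a certificate chain the runner trusts.

```powershell
# Added example, not SSL.com's code. Select-SigningCertificate and
# Assert-SignedBy are hypothetical helper names.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Select-SigningCertificate {
    [CmdletBinding()]
    param(
        # Text expected in the subject of the certificate eSigner CKA loaded
        # (assumption: you know your certificate's subject)
        [Parameter(Mandatory)] [string] $SubjectLike,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $now = Get-Date
    # Keep code signing certificates that match the subject and are
    # inside their validity period.
    $candidates = @(Get-ChildItem -Path $StorePath -CodeSigningCert | Where-Object {
        $_.Subject -like "*$SubjectLike*" -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })
    # "Select-Object -First 1" silently picks one of several; fail instead.
    if ($candidates.Count -ne 1) {
        throw "Expected exactly 1 certificate matching '$SubjectLike' in $StorePath, found $($candidates.Count)"
    }
    return $candidates[0]
}

function Assert-SignedBy {
    [CmdletBinding()]
    param(
        # File signed by signtool, e.g. HelloWorld.dll
        [Parameter(Mandatory)] [string] $FilePath,
        # Thumbprint that was passed to signtool with /sha1
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    if ($sig.Status -ne 'Valid') {
        throw "$FilePath signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "$FilePath was signed by $($sig.SignerCertificate.Thumbprint), expected $Thumbprint"
    }
    # /tr and /td in the signtool call request an RFC 3161 timestamp;
    # confirm the countersignature is actually present.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "$FilePath has no timestamp countersignature"
    }
    return $sig
}

# Usage in the workflow ('Example Corp' is a constructed subject):
# $cert = Select-SigningCertificate -SubjectLike 'Example Corp'
# "THUMBPRINT=$($cert.Thumbprint)" >> $env:GITHUB_ENV
# ... signtool sign step as in step 7 ...
# Assert-SignedBy -FilePath $env:SIGNABLE_FILE_PATH -Thumbprint $env:THUMBPRINT
```

Each `run` step is a separate PowerShell process, so keep these functions in a script file in the repository and dot-source it in the steps that call them.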

.NET Code DLL Signing Example Workflow

Define the components of the workflow

  1. Create a yml file as .gitlab-ci.yml under the folder.
  2. Used to select runners from the list of available runners. A runner must have all tags listed here to run the job.

    .windows_runners:

          tags:

                - shared-windows

                - windows

                - windows-1809

  3. Group jobs into stages. All jobs in one stage must complete before the next stage is executed.

    stages:

          - sign

  4. Below is the definition of the job that signs the file. Define what stage the job will run in.

    sign-file:

         stage: sign

  5. The name of one or more jobs to inherit configuration from.

    extends:

         - .windows_runners
  6. Write the script to sign the file.

    script:

    # Download and Unzip eSignerCKA Setup

    - powershell.exe -ExecutionPolicy Bypass -Command 'Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip "https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3"'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Expand-Archive -Force eSigner_CKA_1.0.3.zip'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Remove-Item eSigner_CKA_1.0.3.zip'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Move-Item -Destination "eSigner_CKA_1.0.3.exe" -Path "eSigner_CKA_1.0.3\SSL.COM eSigner CKA_1.0.3.exe"'


    # Setup eSignerCKA in Silent Mode

    - powershell.exe -ExecutionPolicy Bypass -Command './eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\gitlab_runner\Desktop\eSignerCKA"'


    # Check installation directory

    - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\gitlab_runner\Desktop\eSignerCKA'


    # Config Account Information on eSignerCKA

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe config -mode ${MODE} -user "${USERNAME}" -pass "${PASSWORD}" -totp "${TOTP_SECRET}" -key "C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\master.key" -r'


    # Unload Certificate into Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe unload'


    # Load Certificate into Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe load'


    # Check data directory

    - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA'


    # Check config data directory

    - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\Config'


    # Select Certificate From Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command '$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint'

    # Debug Certificate Thumbprint

    - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint'


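    # Sign Sample File with SignTool

    # The call operator (&) runs signtool.exe; a quoted command line on its own is only echoed as a string.

    # The thumbprint is read with (Get-Content .Thumbprint) so the result does not depend on how the calling shell treats $Thumbprint inside double quotes.

    - powershell.exe -ExecutionPolicy Bypass -Command "& 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 (Get-Content .Thumbprint) HelloWorld.dll"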

.NET Code DLL Signing Example Workflow

Define the components of the workflow

  1. Create a yml file named .travis.yml under the root folder.
  2. Specify the CPU architecture to run the job on.

    arch: amd64

  3. Default language to run jobs on Travis CI

    language: csharp

  4. The Operating System to run the job on

    os: windows

  5. Specify the order of stages. All jobs in one stage must be completed before the next stage is executed.

    stages:

      - sign

  6. Define the build stage

    jobs:

      include:

         - stage: sign

  7. The job name

    name: sign-file
  8. The operating system to run the job on

    os: windows
  9. Current language to run jobs on Travis CI

    language: c
  10. Write the Before script to run before building the project

    before_script:

        - powershell.exe -ExecutionPolicy Bypass -Command 'New-Item -ItemType Directory -Force -Path C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom'

  11. Write the script to build the project.

    script:

    # Download and Unzip eSignerCKA Setup

    - powershell.exe -ExecutionPolicy Bypass -Command 'Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip "https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3"'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Expand-Archive -Force eSigner_CKA_1.0.3.zip'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Remove-Item eSigner_CKA_1.0.3.zip'

    - powershell.exe -ExecutionPolicy Bypass -Command 'Move-Item -Destination "eSigner_CKA_1.0.3.exe" -Path "eSigner_CKA_1.0.3\SSL.COM eSigner CKA_1.0.3.exe"'


    # Setup eSignerCKA in Silent Mode

    - powershell.exe -ExecutionPolicy Bypass -Command './eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom" | Out-Null'


    # Check installation directory

    - powershell.exe -ExecutionPolicy Bypass -Command 'dir C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom'


    # Config Account Information on eSignerCKA

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom\eSignerCKATool.exe config -mode ${MODE} -user "${USERNAME}" -pass "${PASSWORD}" -totp "${TOTP_SECRET}" -key "C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom\master.key" -r'


    # Unload Certificate into Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom\eSignerCKATool.exe unload'


    # Load Certificate into Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command 'C:\Users\travis\build\esigner-sample\eSignerCKA\SSLcom\eSignerCKATool.exe load'


    # Select Certificate From Windows Store

    - powershell.exe -ExecutionPolicy Bypass -Command '$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint'


    # Debug Certificate Thumbprint

    - powershell.exe -ExecutionPolicy Bypass -Command 'Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint'


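    # Sign Sample File with SignTool

    # The call operator (&) runs signtool.exe; a quoted command line on its own is only echoed as a string.

    # The thumbprint is read with (Get-Content .Thumbprint) so the result does not depend on how the calling shell treats $Thumbprint inside double quotes.

    - powershell.exe -ExecutionPolicy Bypass -Command "& 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe' sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 (Get-Content .Thumbprint) HelloWorld.dll"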
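
The GitHub, GitLab and Travis workflows above take the first code signing certificate in the store and do not check the signed file afterwards. The PowerShell below is an added example, not part of SSL.com's sample workflows: it selects the certificate fail-closed and, run after the SignTool step, confirms that HelloWorld.dll carries a valid, timestamped signature from that certificate. The function names `Select-SigningCertificate` and `Test-SignedArtifact` are hypothetical.

```powershell
# Added example (not from the SSL.com samples). Function names are hypothetical;
# 'HelloWorld.dll' is the sample artifact used in the workflows on this page.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Select-SigningCertificate {
    # Return the single code signing certificate in CurrentUser\My that is
    # currently within its validity period; fail if there are none or several.
    $now = Get-Date
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly 1 valid code signing certificate, found $($candidates.Count)."
    }
    return $candidates[0]
}

function Test-SignedArtifact {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is 'Valid' only when the hash matches and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$Path' is $($sig.Status): $($sig.StatusMessage)"
    }
    # Guard against signing with a different certificate from the store.
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Signed by $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint."
    }
    # Without a timestamp the signature stops validating when the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        throw "No timestamp countersignature on '$Path'."
    }
    return $sig
}

# Run after the SignTool step; any failed check throws and fails the job.
$cert = Select-SigningCertificate
$sig  = Test-SignedArtifact -Path 'HelloWorld.dll' -ExpectedThumbprint $cert.Thumbprint
"Verified $($sig.Path) signed by $($sig.SignerCertificate.Subject)"
```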
