How to Automate EV Code Signing With SignTool.exe or Certutil.exe Using eSigner CKA (Cloud Key Adapter)

SSL Support Team

1 month ago

eSigner CKA (Cloud Key Adapter) is a Windows based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner CSC for signing operations. It acts like a virtual USB token and loads the code signing certs to the certificate store. This feature helps make your eSigner cert more flexible with options to automate signings in CI/CD processes that do not exist with a physical USB token.

This guide shows how to perform manual and automated code signing on Windows SignTool using a production certificate or test certificate.

Note: eSigner CKA allows for flexible options to automate signings in CI/CD processes that do not exist with a physical USB token. For guidance on how to use eSigner CKA for automated code signing in CI/CD tools including CircleCI, GitHub Actions, Gitlab CI, and Travis CI, please visit this page: How to Integrate eSigner CKA with CI/CD Tools for Automated Code Signing.

Requirements

A Code Signing certificate issued by SSLcom.
Code Signing certificate must be currently enrolled on eSigner. Refer to this guide: Enroll with eSigner for Remote Document and Code Signing
Install eSigner CKA on your computer and configure the mode of signing (manual or automated ) and the type of signing (production or test). Refer to this article for installation instructions: How to Install SSL.com eSigner Cloud Key Adapter (CKA).

Users can sign code with eSigner’s Extended Validation Code Signing capability. Click below for more info.

LEARN MORE

Optional Procedure: Use Pre-Signing Malware Scan

Malware Scan is a crucial service from SSL.com that ensures software is free of malware before it is signed with a code signing certificate. By integrating Malware Scan, developers add a robust layer of security, automatically halting the signing process if malware is detected and alerting the developer to take necessary actions.

Instructions:

Login to your SSL.com account. Click the orders tab followed by the download link of your certificate to display its details. Scroll down to the SIGNING CREDENTIALS section and locate the part showing your eSigner certificate credentials. Make sure that the radio buttons that say signing credential enabled and malware blocker enabled are chosen.
Install eSigner Cloud Key Adapter.
Install eSigner CodeSignTool. Click here to download eSigner CodeSignTool.
Scan the code on CodeSignTool using the following command: scan_code [-hV] -input_file_path=<inputFilePath> -password=<PASSWORD> [-program_name=<programName>] -username=<USERNAME>
Use SignTool to sign the code with eSigner CKA using the following command: scan_code -username=<USERNAME> -password=<PASSWORD> -credential_id=<eSigner Credential ID> -input_file_path=<inputFilePath>

Parameters:

-input_file_path=<PATH>: Path of code object to be signed.
-username=<USERNAME>: SSL.com account username
-password=<PASSWORD>: SSL.com account password.
-program_name=<PROGRAM_NAME>: Name of program
-credential_id=<CREDENTIAL_ID>: Credential ID for signing certificate. Your eSigner Credential ID is located in your SSL.com certificate order page.

Formulate the Command for Signing Code

Components of the Comand

For both manual and automated code signing, the command contains:

The location of SignTool (command-line tool that is responsible for digitally signing a file and verifies the signature), enclosed in double quotation marks. Example: “C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe”
Note: Location of SignTool will depend on the version of the SDK downloaded and the architecture being used.
The /fd sha256 option which specifies the Hash Algorithm
The /tr http://ts.ssl.com option which specifies the timestamp server address
/td sha256 option which specifies the timestamp digest algorithm
The /sha1 option which specifies the thumbprint that SignTool uses to find the appropriate code signing certificate from the key store
The actual certificate thumbprint
The path of the file that will be signed, enclosed in double quotation marks: “SIGNABLE FILE PATH”

Over-all the command should look like the following:

“C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe” sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 certificate thumbprint “SIGNABLE FILE PATH”.

Note: By default, SSL.com supports timestamps from ECDSA keys.

If you encounter this error: The timestamp certificate does not meet a minimum public key length requirement, you should contact your software vendor to permit timestamps from ECDSA keys.

If there is no way for your software vendor to allow for the normal endpoint to be used, you can use this legacy endpoint http://ts.ssl.com/legacy to get a timestamp from an RSA Timestamping Unit.

Locating your Certificate Thumbprint

Later, upon installing eSigner CKA and adding your EV Code Signing certificate to the User Certificate store, you will be able to check your EV Code Signing certificate thumbprint by pressing Windows key + R and then type in certmgr.msc to access the User Certificate store. When the certificate manager window pops up, click the Personal folder on the left panel and then select the Certificates subfolder on the right to locate your EV Code Signing certificate.

Double click the certificate. Select the Details tab and then scroll down to reveal the Thumbprint. Copy the Thumbprint and include it into your command when you are signing code.

Go to top

Manual Code Signing

Install eSigner CKA

Download SSL.COM eSigner CKA

Access SignTool via the Command Line

To recall, the command for code signing looks like the following:

“C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe” sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 certificate thumbprint “SIGNABLE FILE PATH”

Upon writing the command and pressing Enter, you will see the message Done Adding Additional Store. A window will then pop-up requiring you to place your SSL.com account username and password.

Success! Your code is now signed.

Enter the One Time Password (OTP)

A One Time Password (OTP) for your eSigner-enrolled EV Code Signing Certificate will be sent to your Authenticator app. Upon successful input, Command Prompt will indicate that your file has been successfully signed.

Check the Digital Signature on the File

After successful code signing, you can now check the details of the digital signature on the file. Right-click the signed file, click Properties, followed by the Digital Signatures Tab. Here you will see the name of the Signer, the digest algorithm used, and the timestamp of the signature. Click the Details button to get more information about the signed code.

You will be able to read the information stating This digital signature is OK. Proceed to click the View Certificate button.

After clicking the View Certificate button, you will read information indicating that the Digital Certificate issued for the signed file ensures that it came from the publisher and protects it from alteration after publication.

Go to top

Automated Code Signing

Access SignTool via the Command

To recall, the command for code signing looks like the following:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe” sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 certificate thumbprint “SIGNABLE FILE PATH”

Open Command Prompt and place the command. After pressing enter, you will see the notice saying Done Adding Additional Store.

After a few seconds, you will see the notice Successfully signed. This indicates that your file has been signed in an automated manner, without the additional need for OTPs.

Check the presence of the digital signature on your file

Open the folder location of your signed file. Right-click it and then click Properties. Click on the tab Digital Signatures and here you will see the secure hash algorithm used has 256 bits. Click the immediate space showing the name of the signer, digest algorithm, and Timestamp. After it gets highlighted, proceed to click the Details button.

A pop-up window will then show stating that the digital signature on the file is valid as well as indicating the specific time when it was signed. Click the View Certificate button to see more information about the EV Code Signing digital certificate that was issued.

You will see information about the EV Code Signing certificate stating that it validates you as the creator of the executable and protects your file from being tampered with.

Go to top

Related Code Signing Guides using eSigner CKA

How to Sign a Hardware Lab Kit (HLK) file using eSigner CKA and HLKSigntool. The Hardware Lab Kit (HLK) is utilized for testing and preparing kernel mode drivers for submission to Microsoft. For integration with Microsoft’s HLK platform, eSigner CKA also mandates the installation of HLKSigntool.
How to sign VBA Macros using eSigner CKA. Microsoft Visual Basic for Applications (VBA) allows those without programming expertise to record, create, and modify macros that automate repetitive tasks within Office applications.
How to Sign .app files using eSigner CKA. The Microsoft_Application.app file comprehensively contains all the extensions that constitute a solution, offering an efficient method to define and reference the identity of this solution.
How to Sign vsix files using eSigner CKA. A .vsix file is an installer package for extensions and add-ons for Visual Studio, Microsoft’s integrated development environment (IDE).