eSigner CKA (Cloud Key Adapter) is a Windows based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations. Three prerequisites have to be met before being to able to conduct eSigner-based code signing on CI/CD tools:
- Purchase an SSL.com EV Code Signing Certificate
- Enroll your code signing certificate in eSigner
- Download and install automated eSigner CKA
.vsix Signing Example Workflows
Environment Variables- USERNAME: SSL.com account username. (Required)
- PASSWORD: SSL.com account password (Required)
- TOTP_SECRET: OAuth TOTP Secret. You can access detailed information on Automate eSigner EV Code Signing – SSL.com (Required)
- MODE: ‘sandbox’ or ‘product’ (Required)
.vsix Signing Example Workflow
# The name of the workflow.
name: Sign Artifact
# Trigger this workflow on a push
on: push
# Create an environment variable
env:
MASTER_KEY: master.key
SIGNABLE_FILE_PATH: HelloWorld.dll
SIGNABLE_VSIX_FILE_PATH: SSLcom.vsix
INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key
jobs:
# Defines job named “sign-file”
sign-file:
# Run job on Windows Runner
runs-on: windows-latest
# When the workflow runs, this is the name that is logged
name: Sign DLL File with eSignerCKA
steps:
# 1) Check out the source code so that the workflow can access it.
– name: Checkout Repository
uses: actions/checkout@v3
# 2) Download and Unzip eSignerCKA Setup
– name: Download and Unzip eSignerCKA Setup
run: |
Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip”
Expand-Archive -Force eSigner_CKA_Setup.zip
Remove-Item eSigner_CKA_Setup.zip
Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
# 3) Install eSignerCKA
– name: Setup eSignerCKA in Silent Mode
run: |
New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”${{ env.INSTALL_DIR }}” | Out-Null
# 4) Set SSLcom account information
– name: Config Account Information on eSignerCKA
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode “${{ secrets.MODE }}” -user “${{ secrets.USERNAME }}” -pass “${{ secrets.PASSWORD }}” -totp “${{ secrets.TOTP_SECRET }}” -key “${{ env.MASTER_KEY_FILE }}” -r
# 5) Unload and Load certificate to windows certificate store
– name: Load Certificate into Windows Store
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
# 6) Select code signing certificate and get thumprint for signing
– name: Select Certificate From Windows Store
run: |
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo “THUMBPRINT=$($CodeSigningCert.Thumbprint)” >> $env:GITHUB_ENV
# 7) Sign artifact with signtool
– name: Sign Sample File with SignTool
run: |
& ‘C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe’ sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 ${{ env.THUMBPRINT }} ${{ env.SIGNABLE_FILE_PATH }}
# 8) Upload eSignerCKA Logs
– name: Upload eSignerCKA Logs
uses: actions/upload-artifact@v3
if: ${{ always() }}
with:
name: eSignerCKA-Logs-DLL
path: C:\Users\runneradmin\AppData\Roaming\eSignerCKA\KSP
# Defines job named “sign-vsix-file”
sign-vsix-file:
# Run job on Windows Runner
runs-on: windows-latest
# When the workflow runs, this is the name that is logged
name: Sign VSIX File with eSignerCKA
steps:
# 1) Check out the source code so that the workflow can access it.
– name: Checkout Repository
uses: actions/checkout@v3
# 2) Set up the .NET CLI environment for the workflow to use.
– name: Setup Dotnet Core
run: |
choco install dotnet-runtime -y
# 3) Download and Unzip eSignerCKA Setup
– name: Download and Unzip eSignerCKA Setup
run: |
Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip”
Expand-Archive -Force eSigner_CKA_Setup.zip
Remove-Item eSigner_CKA_Setup.zip
Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
# 4) Install eSignerCKA
– name: Setup eSignerCKA in Silent Mode
run: |
New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”${{ env.INSTALL_DIR }}” | Out-Null
# 5) Set SSLcom account information
– name: Config Account Information on eSignerCKA
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode “${{ secrets.MODE }}” -user “${{ secrets.USERNAME }}” -pass “${{ secrets.PASSWORD }}” -totp “${{ secrets.TOTP_SECRET }}” -key “${{ env.MASTER_KEY_FILE }}” -r
# 6) Unload and Load certificate to windows certificate store
– name: Load Certificate into Windows Store
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
# 7) Select code signing certificate and get thumprint for signing
– name: Select Certificate From Windows Store
run: |
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
echo “THUMBPRINT=$($CodeSigningCert.Thumbprint)” >> $env:GITHUB_ENV
# 8) Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
– name: Install OpenOpcSignTool
run: |
New-Item -ItemType Directory -Force -Path C:\Users\runneradmin\Desktop\dotnet-tools
Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool.zip
Expand-Archive -LiteralPath C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\runneradmin\Desktop\dotnet-tools -Force
# 9) Sign artifact with OpenOpcSignTool
– name: Sign Sample File with OpenVsixSignTool
run: |
C:\Users\runneradmin\Desktop\dotnet-tools\OpenVsixSignTool –roll-forward LatestMajor sign –sha1 ${{ env.THUMBPRINT }} –timestamp http://ts.ssl.com -ta sha256 -fd sha256 “${{ env.SIGNABLE_VSIX_FILE_PATH }}”
# 10) Upload eSignerCKA Logs
– name: Upload eSignerCKA Logs
uses: actions/upload-artifact@v3
if: ${{ always() }}
with:
name: eSignerCKA-Logs-VSIX
path: C:\Users\runneradmin\AppData\Roaming\eSignerCKA\KSP
.vsix Signing Example Workflow
# Continuous integration triggers
trigger:
– none
# Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
stages:
– stage: sign
# When the workflow runs, this is the name that is logged
displayName: Sign File
jobs:
– job:
pool:
# Run job on Windows VMs
vmImage: ‘windows-latest’
steps:
# Download and Unzip eSignerCKA Setup
– powershell: |
Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”
Expand-Archive -Force eSigner_CKA_Setup.zip
Remove-Item eSigner_CKA_Setup.zip
Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
displayName: ‘Download and Unzip eSignerCKA Setup’
# Setup eSignerCKA in Silent Mode and Check installation directory
– powershell: |
./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”$(Build.BinariesDirectory)\Desktop\eSignerCKA” | Out-Null
dir $(Build.BinariesDirectory)\Desktop\eSignerCKA
Get-ChildItem -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA
displayName: ‘Setup eSignerCKA in Silent Mode’
# Config Account Information on eSignerCKA
– powershell: |
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe config -mode $(MODE) -user “$(USERNAME)” -pass “$(PASSWORD)” -totp “$(TOTP_SECRET)” -key “$(Build.BinariesDirectory)\Desktop\eSignerCKA\master.key” -r
displayName: ‘Config Account Information on eSignerCKA’
# Unload and Load Certificate into Windows Store
– powershell: |
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe unload
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe load
displayName: ‘Unload and Load Certificate into Windows Store’
# Select Certificate From Windows Store and Sign Sample File with SignTool
– powershell: |
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
& “C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe” sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll
displayName: ‘Sign Sample File with SignTool’
# Save artifact in order to use signing job
– task: PublishBuildArtifacts@1
displayName: ‘Save to be signed artifact for downloading’
inputs:
pathtoPublish: HelloWorld.dll
artifactName: HelloWorld.dll
– stage: sign_vsix
# When the workflow runs, this is the name that is logged
displayName: Sign VSIX
jobs:
– job:
pool:
# Run job on Windows VMs
vmImage: ‘windows-latest’
steps:
# Download and Unzip eSignerCKA Setup
– powershell: |
Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”
Expand-Archive -Force eSigner_CKA_Setup.zip
Remove-Item eSigner_CKA_Setup.zip
Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
displayName: ‘Download and Unzip eSignerCKA Setup’
# Setup eSignerCKA in Silent Mode and Check installation directory
– powershell: |
./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”$(Build.BinariesDirectory)\Desktop\eSignerCKA” | Out-Null
dir $(Build.BinariesDirectory)\Desktop\eSignerCKA
Get-ChildItem -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA
displayName: ‘Setup eSignerCKA in Silent Mode’
# Config Account Information on eSignerCKA
– powershell: |
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe config -mode $(MODE) -user “$(USERNAME)” -pass “$(PASSWORD)” -totp “$(TOTP_SECRET)” -key “$(Build.BinariesDirectory)\Desktop\eSignerCKA\master.key” -r
displayName: ‘Config Account Information on eSignerCKA’
# Unload and Load Certificate into Windows Store
– powershell: |
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe unload
$(Build.BinariesDirectory)\Desktop\eSignerCKA\eSignerCKATool.exe load
displayName: ‘Unload and Load Certificate into Windows Store’
# Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
– powershell: |
New-Item -ItemType Directory -Force -Path $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools
Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
Move-Item -Path OpenVsixSignTool.zip -Destination $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip
Expand-Archive -LiteralPath $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip -DestinationPath $(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools -Force
displayName: ‘Install OpenVsixSignTool to Custom Location’
# Select Certificate From Windows Store and Sign Sample File with OpenOpcSignTool
– powershell: |
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
$(Build.BinariesDirectory)\Desktop\eSignerCKA\dotnet-tools\OpenVsixSignTool –roll-forward LatestMajor sign –sha1 $Thumbprint –timestamp http://ts.ssl.com -ta sha256 -fd sha256 SSLcom.vsix
displayName: ‘Sign Sample File with OpenOpcSignTool’
# Save artifact in order to use signing job
– task: PublishBuildArtifacts@1
displayName: ‘Save to be signed artifact for downloading’
inputs:
pathtoPublish: SSLcom.vsix
artifactName: SSLcom.vsix
# Windows Runner
.windows_runners:
# Used to select runners from the list of available runners. A runner must have all tags listed here to run the job.
tags:
– shared-windows
– windows
– windows-1809
# Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
stages:
– sign
# Below is the definition of your job to sign file
sign-file:
# Define what stage the job will run in.
stage: sign
# Runner for Sign File on Windows
extends:
– .windows_runners
before_script:
# Create Install Dir
– New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
script:
# Download and Unzip eSignerCKA Setup
– Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”
– Expand-Archive -Force eSigner_CKA_Setup.zip
– Remove-Item eSigner_CKA_Setup.zip
– Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
# Setup eSignerCKA in Silent Mode
– ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\Users\gitlab_runner\Desktop\eSignerCKA” | Out-Null
# Check installation directory
– dir C:\Users\gitlab_runner\Desktop\eSignerCKA
# Check installation directory
– Get-ChildItem -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
# Config Account Information on eSignerCKA
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\master.key” -r
# Unload Certificate into Windows Store
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe unload
# Load Certificate into Windows Store
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe load
# Check data directory
– dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA
# Check config data directory
– dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\Config
# Select Certificate From Windows Store
– $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
# Debug Certificate Thumbprint
– Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
# Sign Sample File with SignTool
– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); ‘C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”
# Below is the definition of your job to sign file
sign-vsix:
# Define what stage the job will run in.
stage: sign
# Runner for Sign File on Windows
extends:
– .windows_runners
before_script:
# Create Install Dir
– New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
script:
# Download and Unzip eSignerCKA Setup
– Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”
– Expand-Archive -Force eSigner_CKA_Setup.zip
– Remove-Item eSigner_CKA_Setup.zip
– Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”
# Setup eSignerCKA in Silent Mode
– ./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\Users\gitlab_runner\Desktop\eSignerCKA” | Out-Null
# Check installation directory
– dir C:\Users\gitlab_runner\Desktop\eSignerCKA
# Check installation directory
– Get-ChildItem -Path C:\Users\gitlab_runner\Desktop\eSignerCKA
# Config Account Information on eSignerCKA
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\master.key” -r
# Unload Certificate into Windows Store
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe unload
# Load Certificate into Windows Store
– C:\Users\gitlab_runner\Desktop\eSignerCKA\eSignerCKATool.exe load
# Check data directory
– dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA
# Check config data directory
– dir C:\Users\gitlab_runner\AppData\Roaming\eSignerCKA\Config
# Select Certificate From Windows Store
– $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint
# Debug Certificate Thumbprint
– Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint
# Install Dotnet Runtime 7.0
– choco install dotnet-runtime -y
# Install OpenVsixSignTool to Custom Location
– New-Item -ItemType Directory -Force -Path C:\Users\gitlab_runner\Desktop\dotnet-tools
– Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip
– Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool.zip
– Expand-Archive -LiteralPath C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\gitlab_runner\Desktop\dotnet-tools -Force
# Sign Sample File with OpenVsixSignTool
– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); C:\Users\gitlab_runner\Desktop\dotnet-tools\OpenVsixSignTool –roll-forward LatestMajor sign –sha1 $Thumbprint –timestamp http://ts.ssl.com -ta sha256 -fd sha256 “SSLcom.vsix”‘
.vsix Code DLL Signing Example Workflow
# The CPU Architecture to run the job on
arch: amd64
# Default language to run tests in
language: csharp
# The Ubuntu distribution to use
dist: bionic
# The Operating System to run the job on
os: windows
# Specifies the order of build stages. All jobs in one stage must complete before next stage is executed.
stages:
– sign
jobs:
include:
– stage: sign
# The job name
name: sign-file
# The operating system to run the job on
os: windows
# Use default generic lang
language: c
# Before script to run before building the project
before_script:
# Create Install Dir
– powershell.exe -ExecutionPolicy Bypass -Command ‘New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom’
# Script to build the project
script:
# Download and Unzip eSignerCKA Setup
– powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”‘
– powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_Setup.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_Setup.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”‘
# Setup eSignerCKA in Silent Mode
– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom” | Out-Null’
# Check installation directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom’
# Config Account Information on eSignerCKA
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\master.key” -r’
# Unload Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe unload’
# Load Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe load’
# Select Certificate From Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’
# Debug Certificate Thumbprint
– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’
# Sign Sample File with SignTool
– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); ‘C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”
– stage: sign
# The job name
name: sign-vsix
# The operating system to run the job on
os: windows
# Use default generic lang
language: c
# Before script to run before building the project
before_script:
# Create Install Dir
– powershell.exe -ExecutionPolicy Bypass -Command ‘New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom’
# Script to build the project
script:
# Download and Unzip eSignerCKA Setup
– powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_Setup.zip “https://www.ssl.com/download/ssl-com-esigner-cka”‘
– powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_Setup.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_Setup.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_Installer.exe” -Path “eSigner_CKA_*\*.exe”‘
# Setup eSignerCKA in Silent Mode
– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_Installer.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom” | Out-Null’
# Check installation directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom’
# Config Account Information on eSignerCKA
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\master.key” -r’
# Unload Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe unload’
# Load Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\SSLcom\eSignerCKATool.exe load’
# Select Certificate From Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’
# Debug Certificate Thumbprint
– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’
# Install OpenVsixSignTool to Custom Location (https://github.com/vcsjones/OpenOpcSignTool)
– powershell.exe -ExecutionPolicy Bypass -Command ‘New-Item -ItemType Directory -Force -Path C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools’
powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile OpenVsixSignTool.zip https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.4/OpenVsixSignTool_1.0.0-x86.zip’
powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Path OpenVsixSignTool.zip -Destination C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip’
powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -LiteralPath C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool.zip -DestinationPath C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools -Force’
# Sign Sample File with OpenVsixSignTool
– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); C:\Users\travis\build\mbayrak-sslcom\eSignerCKA\dotnet-tools\OpenVsixSignTool –roll-forward LatestMajor sign –sha1 $Thumbprint –timestamp http://ts.ssl.com -ta sha256 -fd sha256 SSLcom.vsix”
.NET Code DLL Signing Example Workflows
.NET Code DLL Signing Example Workflow
Prepare the components of the workflow
- Create a .circleci folder on your editor. Include workflows with the folder and create a yml file as config.yml under the folder.
- Set the CircleCI version. The version field is intended to be used in order to issue warnings for deprecation or breaking changes.
version: 2.1
-
Orbs are reusable packages of CircleCI configuration that you may share across projects, enabling you to create encapsulated, parameterized commands, jobs, and executors that can be used across multiple projects. To use the signtool tool this needs to be windows.
orbs:
win: circleci/windows@5.0.0
-
Invoke jobs via workflows. Workflows orchestrate a set of jobs to be run.
workflows:
# The name of the workflow.
sign-file:
# Inside the workflow, you define the jobs you want to run.
jobs:
– sign-file
- Define a job to be invoked later in a workflow.
jobs:
sign-file:
- Specify the execution environment. We must use the windows executer because signtool is needed.
executor:
name: win/server-2019
size: medium
variant: vs 2019
- Place the working directory for the job
working_directory: /home/circleci/project
- Add steps to the job See: https://circleci.com/docs/2.0/configuration-reference/#steps
steps:
- Check out the source code so that the workflow can access it.
– checkout
- Download and Unzip eSignerCKA Setup
– run:
name: Download and Unzip eSignerCKA Setup
command: |
Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3”
Expand-Archive -Force eSigner_CKA_1.0.3.zip
Remove-Item eSigner_CKA_1.0.3.zip
Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”
- Install eSignerCKA
– run:
name: Setup eSignerCKA in Silent Mode
command: |
mkdir -p “/home/circleci/project/eSignerCKA”
./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”/home/circleci/project/eSignerCKA” | Out-Null
- Set SSLcom account information on eSignerCKA
– run:
name: Config Account Information on eSignerCKA
command: |
/home/circleci/project/eSignerCKA/eSignerCKATool.exe config -mode $env:MODE -user “$env:USERNAME” -pass “$env:PASSWORD” -totp “$env:TOTP_SECRET” -key “/home/circleci/project/eSignerCKA/master.key” -r
- Unload and Load certificate to windows certificate store
– run:
name: Load Certificate into Windows Store
command: |
/home/circleci/project/eSignerCKA/eSignerCKATool.exe unload
/home/circleci/project/eSignerCKA/eSignerCKATool.exe load
- Select code signing certificate and get thumbprint for signing and Sign artifact with signtool
– run:
name: Select Certificate From Windows Store and Sign Sample File with SignTool
command: |
$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1
& ‘C:Program Files (x86)Windows Kits10App Certification Kitsigntool.exe’ sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 “$($CodeSigningCert.Thumbprint)” “HelloWorld.dll”
.NET Code DLL Signing Example Workflow
Prepare the components of the workflow
- Create a .github/workflows folder on your editor. Include workflows with the folder and create a sign.yml file under the folder.
- Name your project and the type of workflow involved
Name: Sign Artifact
-
Trigger this workflow on a push
on: push
-
Create an environment variable
env:
MASTER_KEY: master.key
SIGNABLE_FILE_PATH: HelloWorld.dll
INSTALL_DIR: C:UsersrunneradmineSignerCKA
MASTER_KEY_FILE: C:UsersrunneradmineSignerCKAmaster.key
-
Define the jobs on your editor
jobs:
sign-file:
-
Run job on Windows Runner
runs-on: windows-latest -
Create a name. When the workflow runs, this is the name that is logged.
name: Sign DLL File with eSignerCKA
Outline the steps for the Sign job
-
Check out the source code so that the workflow can access it.
– name: Checkout Repository
uses: actions/checkout@v3
- Download and Unzip eSignerCKA Setup
– name: Download and Unzip eSignerCKA Setup
run: |
Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3”
Expand-Archive -Force eSigner_CKA_1.0.3.zip
Remove-Item eSigner_CKA_1.0.3.zip
Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe” - Install eSignerCKA
– name: Setup eSignerCKA in Silent Mode
run: |
New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}
./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”${{ env.INSTALL_DIR }}” | Out-Null
- Set SSL.com account information on eSignerCKA
– name: Config Account Information on eSignerCKA
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode “${{ secrets.MODE }}” -user “${{ secrets.USERNAME }}”
-pass “${{ secrets.PASSWORD }}” -totp “${{ secrets.TOTP_SECRET }}” -key “${{ env.MASTER_KEY_FILE }}” -r
- Unload and Load certificate to windows certificate store
– name: Load Certificate into Windows Store
run: |
${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
${{ env.INSTALL_DIR }}/eSignerCKATool.exe load - Select code signing certificate and get thumbprint for signing
– name: Select Certificate From Windows Store
run: |
$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1
echo “THUMBPRINT=$($CodeSigningCert.Thumbprint)” >> $env:GITHUB_ENV - Sign artifact with signtool
– name: Sign Sample File with SignTool
run: |
& ‘C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe’ sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 ${{ env.THUMBPRINT }} ${{ env.SIGNABLE_FILE_PATH }}
Note: If this step is not working, try the solution below:
Use C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\ instead of C:\Program Files (x86)\Windows Kits\10\App Certification Kit\ in the line.
You can also refer to this sample workflow for signing: https://github.com/SSLcom/esigner-sample/blob/main/.github/workflows/sign.yml#L37
.NET Code DLL Signing Example Workflow
Define the components of the workflow
- Create a yml file as .gitlab-ci.yml under the folder.
- Used to select runners from the list of available runners. A runner must have all tags listed here to run the job.
.windows_runners:
tags:
– shared-windows
– windows
– windows-1809
- Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
stages:
– sign
- Below is the definition of your job to sign file. Define what stage the job will run in.
sign-file:
stage: sign
- The name of one or more jobs to inherit configuration from.
extends:
– .windows_runners - Write the script to sign the file.
script:
# Download and Unzip eSignerCKA Setup
– powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3″‘
– powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_1.0.3.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_1.0.3.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”‘
# Setup eSignerCKA in Silent Mode
– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:Usersgitlab_runnerDesktopeSignerCKA”‘
# Check installation directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerDesktopeSignerCKA’
# Config Account Information on eSignerCKA
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe config -mode ${MODE}
-user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:Usersgitlab_runnerAppDataRoamingeSignerCKAmaster.key” -r’
# Unload Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe unload’
# Load Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe load’
# Check data directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerAppDataRoamingeSignerCKA’
# Check config data directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerAppDataRoamingeSignerCKAConfig’
# Select Certificate From Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’
# Debug Certificate Thumbprint
– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’
# Sign Sample File with SignTool
– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint);
‘C:Program Files (x86)Windows Kits10bin10.0.17763.0x86signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”
.NET Code DLL Signing Example Workflow
Define the components of the workflow
- Create a yml file as .travis.yml under the root folder.
- Place the CPU Architecture to run the job on.
arch: amd64
- Default language to run jobs on Travis CI
language: csharp
- The Operating System to run the job on
os: windows
- Specify the order of stages. All jobs in one stage must be completed before the next stage is executed.
stages:
– sign
- Define the build stage
jobs:
include:
– stage: sign
-
The job name
name: sign-file -
The operating system to run the job on
os: windows -
Current language to run jobs on Travis CI
language: c -
Write the Before script to run before building the project
before_script:
– powershell.exe -ExecutionPolicy Bypass -Command ‘New-Item -ItemType Directory -Force -Path C:Userstravisbuildesigner-sampleeSignerCKASSLcom’
-
Write the script to build the project.
script:
# Download and Unzip eSignerCKA Setup
– powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3″‘
– powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_1.0.3.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_1.0.3.zip’
– powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”‘
# Setup eSignerCKA in Silent Mode
– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:Userstravisbuildesigner-sampleeSignerCKASSLcom” | Out-Null’
# Check installation directory
– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Userstravisbuildesigner-sampleeSignerCKASSLcom’
# Config Account Information on eSignerCKA
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}”
-pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:Userstravisbuildesigner-sampleeSignerCKASSLcommaster.key” -r’
# Unload Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe unload’
# Load Certificate into Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe load’
# Select Certificate From Windows Store
– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’
# Debug Certificate Thumbprint
– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’
# Sign Sample File with SignTool
– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); ‘C:Program Files (x86)Windows Kits10binx64signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”
Need Custom Solutions?
With our expert knowledge and five-star support staff, we’re ready and willing to work with you on custom solutions or enterprise-level high-volume signing discounts. Fill out the form below and we’ll be in touch.