How to Sign Executables Using DigiCert KeyLocker CloudHSM?

Signing with KeyLocker Cloud HSM

DigiCert KeyLocker is a secure cloud-based HSM (Hardware Security Module) solution for safely storing your private code-signing keys and signing your software without ever downloading or exposing the keys.

KeyLocker Compatibility

General Compatibility:

  • DigiCert KeyLocker is designed to integrate smoothly into existing workflows.
  • It supports various third-party signing tools via PKCS#11 and Software Trust Manager in DigiCert ONE (DC1).
  • For full tool compatibility and supported formats, refer to DigiCert's article on signing tool integration on their official website.

Third-party Tool Support:

KeyLocker works with popular signing utilities like:

  • SMCTL (DigiCert)
  • SignTool (Microsoft)
  • Jarsigner (Oracle)
  • Mage (Microsoft)
  • NuGet
  • Apsigner
  • Osslsigncode
  • Jsign
  • OpenSSL

SignTool (32-bit version) – Supported File Types:

  • .doc, .docm, .dot, .dotm, .msi, .cab, .exe, .dll
  • .mpp, .mpt, .pot, .potm, .ppa, .ppam
  • .pps, .ppsm, .ppt, .pptm, .pub
  • .vdw*, .vdx*, .vsd*, .vsdm, .vss*, .vssm
  • .vst*, .vstm, .vsx*, .vtx*, .wiz*
  • .xla, .xlam, .xls, .xlsb, .xlsm, .xlt, .xltm

SignTool (64-bit version) – Supported File Types:

  • .appx, .appxbundle, .arx, .cab, .cat, .cbx, .cpl
  • .crx, .dbx, .deploy, .dll, .drx, .efi, .exe, .js
  • .msi, .msix, .msixbundle, .msm, .msp, .ocx
  • .psi, .psm1, .stl, .sys, .vbs, .vsix, .wsf, .xsn

Requirements for Configuring DigiCert KeyLocker

To configure KeyLocker for secure code signing, you need:

  • A valid DigiCert Code Signing or EV Code Signing Certificate stored in KeyLocker.
  • DigiCert KeyLocker client tools installed on your system
  • The pkcs11properties.cfg configuration file
  • Java (for Jarsigner/Jsign) or .NET SDK (for NuGet, Mage, etc.), as required
  • Internet access to reach DigiCert timestamp servers

Note: Before signing, you must set up your credentials, install the client tools, and configure them. Follow our detailed blog for this.

Signing Files with Various Tools:

Here are the signing options:

1. Sign with SMCTL (Recommended)

DigiCert's SMCTL utility signs files directly or through other signing tools, selecting the key by its alias or fingerprint together with the PKCS#11 configuration file.

Signing Command:

smctl sign --keypair-alias=key_123456789 --config-file="pkcs11properties.cfg" --input="file.exe"

Verify Command:

smctl sign verify --input="file.exe"

2. Sign with DigiCert Click-to-Sign

Click-to-Sign is DigiCert's browser-based signing interface: you can sign executables, Java archives, and installers from the browser without installing any extra tools. It suits users who want an easy, GUI-based alternative and do not want to deal with a CLI.

To sign your file using Click-to-Sign, log in to your DigiCert ONE account, click KeyLocker > Sign Code, upload the target executable file (e.g. setup.exe), select your signing key and optional timestamping settings, and click "Sign". After processing, your signed file will be available for download.

You can verify your signature using either the smctl sign verify command provided by DigiCert or Windows SignTool:

signtool verify /pa /v signed_file.exe

Recommended: How to Configure KeyLocker for Click-to-Sign & Sign Windows Files?

3. Sign with Third-Party Tools

DigiCert KeyLocker Cloud HSM works with several third-party tools; each is covered below.

Signing files with Jarsigner

Jarsigner is the Java-based utility for signing .jar, .war, and .ear files. It works with KeyLocker through PKCS#11: to sign Java archives, you need a pkcs11properties.cfg file configured for the Java runtime's SunPKCS11 provider.

To sign, use the command:

jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path to pkcs11properties.cfg> -signedjar <path to signed file output> <unsigned file path> <keypair alias> -tsa http://timestamp.digicert.com

To verify the signed JAR file, use:

jarsigner -verify "<path to signed jar file>" -certs -verbose

Signing Files with Jsign

Jsign is a Java-based alternative to SignTool for signing Windows PE files (.exe, .dll) and Java applications (legacy version). Jsign also reaches KeyLocker through PKCS#11; it needs the keypair alias and, optionally, a timestamp server.

To sign a file using Jsign, run:

java -jar <path to jsign> --keystore pkcs11.cfg --storepass changeit --storetype PKCS11 --alias <keypair alias> <unsigned file>

To verify the signature, you can use:

smctl sign verify --input "file.exe"

Signing Files with Mage

Mage.exe is Microsoft's tool for signing ClickOnce application manifests. Mage does not work with an HSM over PKCS#11 directly; instead, you either temporarily export the certificate (if DigiCert allows it) or reach the KeyLocker key through a custom cryptographic provider, as in the example below.

To sign a ClickOnce manifest, use:

mage -sign <file_name> -CertFile <certificate_file> -KeyContainer <keypair_alias> -CryptoProvider "DigiCert Signing Manager KSP" -a sha256RSA -TimestampUri http://timestamp.digicert.com

You can test the deployment via the ClickOnce runtime, check the result in the Windows logs, or verify the manifest directly:

mage -verify <file_name>

Signing files with NuGet

The NuGet CLI is the standard way to sign .nupkg files (NuGet packages). It signs with a certificate from the local certificate store, which can come from a KeyLocker export or the KeyLocker integration.

To sign a NuGet package, please run:

nuget sign <package path> -Timestamper http://timestamp.digicert.com -OutputDirectory <output folder> -CertificateFingerprint <SHA1 Thumbprint> -HashAlgorithm SHA256 -Verbosity detailed -Overwrite

You can verify the signature using:

nuget verify -All package.nupkg

Signing Files with Osslsigncode

Osslsigncode signs Windows executables (.exe and .dll) using OpenSSL, and through OpenSSL's PKCS#11 interface it can sign with certificates whose private keys are held in KeyLocker.

To sign a file using osslsigncode please run:

osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs <path to keypair certificate> -key 'pkcs11:object=<keypair alias>;type=private' -in <file to be signed> -out <output signed file> -h sha256 -t http://timestamp.digicert.com

To verify the signed file, use:

osslsigncode verify -in <signed file>

Signing Files with SignTool

SignTool is Microsoft's native tool for signing Windows code such as .exe, .dll, .msi, and .sys files. It can use certificates from DigiCert KeyLocker as long as the certificate is exposed through the local certificate store or connected via PKCS#11.

To use SignTool to sign a file, please look at this example:

signtool.exe sign /csp "DigiCert Signing Manager KSP" /kc <keypair_alias> /f <certificate_file> /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 <file_to_be_signed>

To verify the signature, run:

signtool verify /v /pa <signed file>

Signing files with OpenSSL

OpenSSL can use PKCS#11 to sign a hash digest with a key stored in KeyLocker, which is useful for signing custom formats or firmware for embedded devices.

To create a digital signature using a KeyLocker key run:

openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:token=KeyLocker;object=myKey;type=private" -out file.sig file.exe

To verify the file signature, use:

openssl dgst -sha256 -verify pubkey.pem -signature file.sig file.exe
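The detached-signature flow above, as an added example that is not part of the original post. It assumes the signing certificate has been exported from KeyLocker as a PEM file (the verifier only needs the public key inside it) and that a key given as a PKCS#11 URI, like the one in the sign command above, is reached through the pkcs11 engine; any other key argument is treated as a local PEM key for offline testing only.

```shell
#!/bin/sh
# Added example (not from the original post): wrap the openssl dgst
# sign/verify commands so the same helpers serve a KeyLocker-held key
# (PKCS#11 URI, key never leaves the HSM) and a local test key.

# sign_file KEY INPUT OUTPUT -> writes a detached SHA-256 signature over INPUT
sign_file() {
  key="$1"; input="$2"; output="$3"
  case "$key" in
    pkcs11:*)
      # Key stays in KeyLocker: the pkcs11 engine hands the digest to the HSM.
      openssl dgst -engine pkcs11 -keyform engine -sha256 \
        -sign "$key" -out "$output" "$input" ;;
    *)
      # Local PEM key, assumption for offline testing only.
      openssl dgst -sha256 -sign "$key" -out "$output" "$input" ;;
  esac
}

# extract_pubkey CERT PUBKEY -> pubkey.pem used by the verify command comes
# from the code-signing certificate, not from the HSM.
extract_pubkey() {
  openssl x509 -in "$1" -pubkey -noout > "$2"
}

# verify_file PUBKEY SIG INPUT -> exit 0 when SIG is valid for INPUT,
# non-zero when the file or signature has been altered.
verify_file() {
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}
```

A modified file must fail verification; in a pipeline, treat a non-zero exit from verify_file as a build failure.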

Conclusion

Code signing is a necessity, not an option, in an expanding landscape of threats. DigiCert's KeyLocker CloudHSM can affordably and securely put code signing in place, building trust with users.

By removing hardware dependencies and increasing automation, it is a solution for the 21st-century software developer and enterprise.

It does not matter whether you are a one-person developer, a DevOps engineer, or a member of an enterprise team: DigiCert KeyLocker makes secure code signing easier while preserving compliance and key ownership.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.