Tags: passwords, code-signing, code-signing-certificate, authenticode, safenet

Automate Extended Validation (EV) code signing with SafeNet eToken


We recently purchased a DigiCert EV code signing certificate. We are able to sign .exe files using signtool.exe. However, every time we sign a file, it prompts for the SafeNet eToken password.

How can we automate this process, without user intervention, by storing/caching the password somewhere?


Solution

  • Expanding on answers already in this thread, it is possible to provide the token password using the standard signtool program from Microsoft.

    0. Open SafeNet Client in Advanced View

    Install paths may vary, but for me the SafeNet client is installed to: C:\Program Files\SafeNet\Authentication\SAC\x64\SACTools.exe

    Click the gear icon in the upper right to open "advanced view".
    [image: SafeNet Advanced View]

    1. Export your public certificate to a file from the SafeNet Client
    [image: Exporting the Certificate to a File]

    2. Find your private key container name
    [image: Private Key Container Name]

    3. Find your reader name
    [image: Reader Name]

    4. Format it all together

    The eToken CSP has hidden (or at least not widely advertised) functionality to parse the token password out of the container name.

    The format is one of the following four options:

    []=name
    [reader]=name
    [{{password}}]=name
    [reader{{password}}]=name
    

    Where:

    Presumably you must specify the reader name if you have more than one reader connected - as I only have one reader I cannot confirm this.

    Note that the double curly braces ({{ and }}) are part of the syntax and must be included in the command line argument.

    5. Pass the information to signtool

    Example signtool command as follows

    signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe
    

    Some images taken from this answer: https://stackoverflow.com/a/47894907/5420193
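The steps above, put together into a script for an unattended build account. This is an added example, not code from the original answer or from SafeNet or DigiCert. It assumes hypothetical paths for signtool.exe, the exported certificate and a DPAPI-protected password file, and a container and reader name that you replace with the values found in steps 2 and 3. The DPAPI file is a swapped-in way of "storing the password somewhere" that the answer does not describe; it keeps the cleartext password out of the script and out of source control.

```powershell
<#
  Added example, not code from the original answer.
  Signs one or more files with signtool.exe through the SafeNet eToken CSP,
  supplying the token password via the [reader{{password}}]=container syntax
  described in the answer, so no interactive prompt appears.

  Assumptions (hypothetical, not taken from the page): the default paths
  below, a single build account, and the DPAPI-protected password file.
  Set $CertFile, $Container, $Reader and $SignTool to your own values.
#>
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $CertFile     = 'C:\signing\mycert.cer',                  # step 1 export (assumed path)
    [string] $Container    = 'KeyContainerNameHere',                   # step 2 (placeholder)
    [string] $Reader       = '',                                        # step 3; empty when only one reader
    [string] $SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe',
    [string] $PasswordFile = "$env:USERPROFILE\etoken.cred",            # DPAPI-protected, see below
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)

# One-time setup, run interactively as the account that will do the signing:
#   Read-Host -AsSecureString 'eToken password' | ConvertFrom-SecureString | Set-Content $PasswordFile
# ConvertFrom-SecureString wraps the string with DPAPI, so the file can only be
# decrypted by the same Windows user on the same machine.

function Get-TokenPassword {
    param([string] $Path)
    $secure = (Get-Content -Path $Path -Raw).Trim() | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Builds the /k argument in the form the answer documents:
#   [{{password}}]=name   or   [reader{{password}}]=name
function New-KeySpec {
    param([string] $Password, [string] $ContainerName, [string] $ReaderName)
    # Braces and brackets are the delimiters of this syntax, so a password that
    # contains them cannot be expressed; fail early instead of signing nothing.
    if ($Password -match '[{}\[\]]') {
        throw 'Token password contains a character the [{{...}}] syntax cannot carry'
    }
    return '[' + $ReaderName + '{{' + $Password + '}}]=' + $ContainerName
}

$tokenPassword = Get-TokenPassword -Path $PasswordFile
$keySpec = New-KeySpec -Password $tokenPassword -ContainerName $Container -ReaderName $Reader

foreach ($file in $Files) {
    # /fd and /td select SHA-256 for the file digest and the RFC 3161 timestamp;
    # the timestamp keeps the signature valid after the certificate expires.
    & $SignTool sign /f $CertFile /csp 'eToken Base Cryptographic Provider' /k $keySpec `
        /fd SHA256 /tr $TimestampUrl /td SHA256 $file
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed on $file (exit code $LASTEXITCODE)" }

    # Check the result against the default Authenticode policy before shipping it.
    & $SignTool verify /pa /v $file
    if ($LASTEXITCODE -ne 0) { throw "signature verification failed on $file" }
}
```

Run it as `.\Sign-WithToken.ps1 -Files .\myfile.exe` (the script name is assumed) under the same user that created the DPAPI file. Note what this does not solve: the password still travels in the signtool command line, so anyone who can read process command lines on the build host (process listing, Sysmon or EDR process-creation events, a CI runner that echoes commands) sees it. Treat the build machine that holds the token as a signing host with restricted logon, and do not run the sign step with command echoing enabled.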