We recently purchased a DigiCert EV code signing certificate. We are able to sign .exe files using signtool.exe. However, every time we sign a file, it prompts for the SafeNet eToken password.
How can we automate this process, without user intervention, by storing/caching the password somewhere?
Expanding on answers already in this thread, it is possible to provide the token password using the standard signtool program from Microsoft.
0. Open SafeNet Client in Advanced View
Install paths may vary, but for me the SafeNet client is installed to: C:\Program Files\SafeNet\Authentication\SAC\x64\SACTools.exe
Click the gear icon in the upper right to open "advanced view".
1. Export your public certificate to a file from the SafeNet Client
2. Find your private key container name
4. Format it all together
The eToken CSP has hidden (or at least not widely advertised) functionality to parse the token password out of the container name.
The format is one of the following four options:
[]=name
[reader]=name
[{{password}}]=name
[reader{{password}}]=name
Where:
reader is the "Reader name" from the SafeNet Client UI
password is your token password
name is the "Container name" from the SafeNet Client UI
Presumably you must specify the reader name if you have more than one reader connected - as I only have one reader I cannot confirm this.
Note that the double curly braces ({{ and }}) are part of the syntax and must be included in the command line argument.
5. Pass the information to signtool
/f certfile.cer
/csp "eToken Base Cryptographic Provider"
/k "<value from step 4>"
Example signtool command:
signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe
Some images were taken from this answer: https://stackoverflow.com/a/47894907/5420193
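As an added example (not part of the answer above), the following PowerShell builds the eToken CSP key specifier in the four forms described in step 4 and drives signtool with it, then verifies the result. It assumes signtool.exe is on PATH and that the token password arrives in the environment variable ETOKEN_PASSWORD (for example injected by a CI secret store) rather than being typed into the script; the reader name is optional.

```powershell
# Added example, not from the original answer. Builds the eToken CSP key
# specifier ([reader{{password}}]=name) and runs signtool with it.
# Assumptions: signtool.exe on PATH; ETOKEN_PASSWORD holds the token password.

function New-EtokenKeySpec {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [string] $ReaderName = '',
        [string] $TokenPassword = ''
    )
    # Produces one of the four documented forms:
    #   []=name   [reader]=name   [{{password}}]=name   [reader{{password}}]=name
    $inner = $ReaderName
    if ($TokenPassword) { $inner += "{{$TokenPassword}}" }
    return "[$inner]=$ContainerName"
}

function Invoke-EtokenSign {
    param(
        [Parameter(Mandatory)] [string]   $CertFile,       # exported public cert, step 1
        [Parameter(Mandatory)] [string]   $ContainerName,  # private key container, step 2
        [Parameter(Mandatory)] [string[]] $Files,
        [string] $ReaderName = ''
    )
    $password = $env:ETOKEN_PASSWORD
    if (-not $password) {
        throw 'ETOKEN_PASSWORD is not set; refusing to fall back to the interactive prompt.'
    }
    $keySpec = New-EtokenKeySpec -ContainerName $ContainerName `
                                 -ReaderName $ReaderName -TokenPassword $password

    foreach ($file in $Files) {
        # The password is part of the signtool command line, so it is visible to
        # anything that can read this process's arguments; keep that in mind when
        # choosing the build agent and log settings.
        # /fd SHA256 selects the file digest algorithm; newer signtool builds require it.
        & signtool.exe sign /f $CertFile /csp 'eToken Base Cryptographic Provider' `
                            /k $keySpec /fd SHA256 $file
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file (exit $LASTEXITCODE)" }

        # Independently confirm the signature chains under the default Authenticode policy.
        & signtool.exe verify /pa /q $file
        if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $file" }
    }
}

# Usage (container name as shown in the SafeNet Client UI):
# Invoke-EtokenSign -CertFile .\mycert.cer -ContainerName 'KeyContainerNameHere' -Files .\myfile.exe
```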