Remote EV Code Signing with eSigner

With SSL.com’s eSigner service, you can use your SSL.com user credentials to sign code from any internet-connected device. This guide will show you how to enroll an EV Code Signing certificate order in eSigner and sign code with the eSigner Express web app, or from the command line with CodeSignTool or SSL.com’s CSC-compliant code signing API.

eSigner can be used for Microsoft Authenticode and Java code signing, and can sign MSI installers and various types of scripts. A complete list of supported file types is available at the end of this guide.

Before getting started, you’ll need an EV Code Signing certificate from SSL.com. For information on ordering your certificate from SSL.com, please read this how-to.

Enroll in eSigner

First, you’ll need to enroll an EV Code Signing certificate order with eSigner.

  1. Navigate to an issued EV Code Signing order in your SSL.com account. Note that the order is labeled eSigner Ready.
  2. Click one of the download links.
  3. Create and confirm a 4-digit PIN and click the create PIN button.
    If you need to reset your eSigner PIN, please read this how-to.
  4. Your certificate will be generated, and after a few moments a QR code will appear above the certificate downloads table.
    The next time you reload the page the QR code will not be visible. If you need to view or reset your eSigner QR code, please read this how-to.
  5. Scan the QR code into a 2-factor authentication app on your mobile device, such as Google Authenticator or Authy. The app will provide you with one-time passwords (OTPs) for use when signing. Each OTP is valid for 30 seconds.

Sign Code with eSigner Express

eSigner Express is a convenient web-based GUI tool for signing code and documents. Here’s how to use it to sign a code file.

  1. Navigate to https://express.esigner.com/ with your web browser.
  2. Click the Login with SSL.com account button.
  3. Enter your SSL.com username and password, then click the Member Login button.
  4. The main eSigner screen will appear. Drag a file to be signed into the drop area or click and navigate to the file.
  5. Enter a 6-digit code from your two-factor authentication app.
  6. You should see a notice that your file has successfully been signed. Click the Download file button and choose a location to save the file.
  7. Check the file properties to confirm the digital signature.

Sign Code with CodeSignTool

This section includes instructions for signing code with CodeSignTool, a command-line tool supplied by SSL.com. With CodeSignTool, you can sign a file with one command.

Install CodeSignTool

Download CodeSignTool, a command-line code signing utility for eSigner. Note that the Windows download has a Java runtime embedded, but the Linux/macOS version requires a Java runtime to be installed on your computer.

To install, simply download CodeSignTool for your OS and unzip the file.

Working with CodeSignTool

You can use CodeSignTool to sign code, get a list of credential IDs associated with an SSL.com user account, or display EV certificate information bound to a credential ID and user.

Sign Code

  1. When you’re ready to start signing, open a terminal and navigate to the directory with CodeSignTool.bat (Windows) or CodeSignTool.sh (macOS/Linux).
  2. Enter the following command to sign a file. (Replace values in ALL-CAPS with your actual values):
    CodeSignTool sign -username=USERNAME -password=PASSWORD -input_file_path=PATH/TO/FILE -output_dir_path=PATH/TO/OUTPUT/DIRECTORY
    • If you have more than one eSigner-enrolled EV code signing certificate, you must specify the one to use with the -credential_id option. See below for information on retrieving a list of credential IDs.
  3. You will be prompted for an OTP. Get an OTP from your authentication app and enter it.
    Enter the OTP - Press enter to continue: 123456
    
    Generation of the OTP may be automated, enabling automated use of CodeSignTool in build scripts and CI/CD pipelines. Please read Automate eSigner EV Code Signing for more information.
  4. You should receive a message that your file was signed successfully. Check the output file properties for the digital signature.
    Code signed successfully: C:\Users\Aaron Russell\Desktop\CodeSignTool-v1.0-windows\output\test.exe


Get Credential IDs

Use the following command to get credential IDs associated with an SSL.com account. (Replace values in ALL-CAPS with your actual values):

CodeSignTool get_credential_ids -username=USERNAME -password=PASSWORD

Get EV Code Signing Information

Use the following command to display EV code signing certificate information bound to a credential ID and user. (Replace values in ALL-CAPS with your actual values):

CodeSignTool credential_info -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL-ID

Sign Code with Code Signing API

You can also use API calls to integrate eSigner code signing into your applications and scripts. The example commands shown below use cURL, so you’ll need to make sure it’s available on your computer before getting started. You’ll also need your Client ID (also known as an Application ID); please refer to this how-to for instructions on generating this credential.

Retrieve Access Token

The first step is to retrieve an access token from SSL.com. You’ll need your Client ID available, as well as the username and password for your SSL.com account. Access tokens are valid for one hour after they are issued.

  1. Use the following command to request an access token. Replace the values shown in ALL-CAPS with your actual values:
    curl --location --request POST "https://login.ssl.com/oauth2/token" \
    --header "Content-Type: application/json" \
    --data-raw "{
      \"client_id\"      : \"YOUR-CLIENT-ID\",
      \"grant_type\"     : \"password\",
      \"username\"       : \"YOUR-USERNAME\",
      \"password\"       : \"YOUR-PASSWORD\"
    }"
  2. You should receive a JSON object containing an access token and a refresh token. Copy the access token value to paste into your API requests. You won’t need the refresh token for these examples.

Retrieve Credential ID

Next, you’ll need to retrieve the credential ID associated with your eSigner-enrolled EV code signing certificate.

  1. Use the following command to retrieve your account’s list of EV code signing credential IDs. (Replace MY-ACCESS-TOKEN with your actual access token):
    curl --location --request POST "https://cs.ssl.com/csc/v0/credentials/list" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer MY-ACCESS-TOKEN" \
    --data-raw "{
        \"clientData\": \"EVCS\"
    }"
  2. You should receive a JSON object with a list of credential IDs associated with the user. Your list will probably contain one value. Copy and paste your credential ID into a text editor for use in later requests.
    {"credentialIDs":["e4763186-5006-48de-bb15-a977e0e84281"]}

Upload File

The next step is to upload your file to be signed.

  1. Use the following command to upload a file for signing. (Replace the values shown in ALL-CAPS with your actual values):
    curl --location --request POST "https://cds.ssl.com/v1/code/upload" \
    --header "Credential-Id: MY-CREDENTIAL-ID" \
    --header "Content-Type: application/exe" \
    --header "Authorization: Bearer MY-ACCESS-TOKEN" \
    --data-binary "@/PATH/TO/FILE"
  2. You should receive a JSON object with an id value to use in the sign file request:
    {"id":"6035539b-4055-43f2-8749-3ad6e559b4cd"}

Sign File

  1. Now you can sign the file, using the file ID you got in the previous request and an OTP from your 2FA app. (Replace the values shown in ALL-CAPS with your actual values):
    curl --location --request POST "https://cds.ssl.com/v1/code/sign" \
    --output "PATH/TO/OUTPUT/FILE" \
    --header "Content-Transfer-Encoding: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer MY-ACCESS-TOKEN" \
    --data-raw "{
        \"id\": \"MY-FILE-ID\",
        \"otp\":\"MY-OTP\"
    }"
  2. You should receive a signed file in the location you specified with --output in the command above. Check the file properties to confirm the digital signature.
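
The four API steps above chained into one function, as an added example that is not SSL.com's own code: request bodies are built with json.dumps instead of hand-escaped shell strings, and the OTP is requested only at the sign step because it expires after 30 seconds. The names sign_file, get_otp and send are assumptions made for this illustration, and the caller supplies the credentials (for example from a secret store) rather than typing them on a command line.

```python
import json
import urllib.request

# Endpoints as given in the guide; function and parameter names are illustrative.
TOKEN_URL = "https://login.ssl.com/oauth2/token"
CRED_URL = "https://cs.ssl.com/csc/v0/credentials/list"
UPLOAD_URL = "https://cds.ssl.com/v1/code/upload"
SIGN_URL = "https://cds.ssl.com/v1/code/sign"


def _post(send, url, body, headers):
    """POST raw bytes and return the raw response body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with send(req) as resp:
        return resp.read()


def _post_json(send, url, payload, headers=None):
    """POST a JSON body; json.dumps escapes quotes and backslashes in secrets."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    return json.loads(_post(send, url, json.dumps(payload).encode(), hdrs))


def sign_file(data, client_id, username, password, get_otp,
              credential_id=None, send=urllib.request.urlopen):
    """Token -> credential list -> upload -> sign. Returns the signed bytes."""
    token = _post_json(send, TOKEN_URL, {
        "client_id": client_id, "grant_type": "password",
        "username": username, "password": password})["access_token"]
    auth = {"Authorization": "Bearer " + token}

    ids = _post_json(send, CRED_URL, {"clientData": "EVCS"}, auth)["credentialIDs"]
    if credential_id is None:
        if len(ids) != 1:  # refuse to guess which certificate to sign with
            raise ValueError("expected one credential ID, got %d" % len(ids))
        credential_id = ids[0]
    elif credential_id not in ids:
        raise ValueError("credential ID is not in this account's list")

    upload_headers = {**auth, "Credential-Id": credential_id,
                      "Content-Type": "application/exe"}
    file_id = json.loads(_post(send, UPLOAD_URL, data, upload_headers))["id"]

    # Request the OTP only now: it is valid for 30 seconds, and a large
    # upload could outlast an OTP collected at the start.
    body = json.dumps({"id": file_id, "otp": get_otp()}).encode()
    return _post(send, SIGN_URL, body, {
        **auth, "Content-Type": "application/json",
        "Content-Transfer-Encoding": "application/json"})
```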

 

Supported File Types for eSigner Code Signing

Microsoft Authenticode File Types
  • acm
  • ax
  • cpl
  • dll
  • drv
  • efi
  • exe
  • mui
  • ocx
  • scr
  • sys
  • tsp
MSI File Types
  • msi
PowerShell Scripts File Types
  • ps1
  • ps1xml
Other Scripts File Types
  • js
  • vbs
  • wsf
Java File Types
  • jar

SSL.com’s EV Code Signing certificates offer Windows 10 kernel-mode code signing and an instant SmartScreen reputation boost, all for as low as $240.00 per year. They are delivered on secure YubiKey FIPS USB tokens with two-factor authentication.
