These directions will show you how to use CodeSignTool to sign code objects without being prompted for manual OTP entry for each file, enabling automated EV code signing with eSigner certificates. Because of its automated option, CodeSignTool is suitable for enterprise code signing. Please refer to SSL.com’s eSigner code signing guide for instructions on installation and basic use of CodeSignTool.
For instructions on how to automate EV Code Signing using signtool.exe or certutil.exe please review this how-to.
Method 1: TOTP Secret
- When the eSigner QR code is displayed for your certificate, copy and save the secret code value shown in a safe location. This is the TOTP (time-based one-time password) secret value associated with your eSigner certificate. In the same way that 2FA authentication software like Authy can use this value, as scanned from the QR code, to generate valid OTPs for code signing, CodeSignTool can use it to generate OTPs automatically when signing code.
- Use the TOTP secret in your CodeSignTool command as follows. (Replace the values in ALL-CAPS with your actual values):

```
CodeSignTool sign -credential_id=CREDENTIAL-ID -username=USERNAME -password=PASSWORD -totp_secret="TOTP-SECRET" -output_dir_path=OUTPUT-FILE-PATH -input_file_path=INPUT-FILE-PATH
```

Note: Whenever possible, you should store these credentials as secrets in your build tool rather than including them directly in your commands and build scripts. Please refer to your software’s documentation for more information.
- CodeSignTool will use the secret value specified to calculate an OTP and the input file specified will be signed without an OTP prompt.
```
Code signed successfully: C:\Users\Aaron Russell\Desktop\CodeSignTool-v1.0-windows\output\test.exe
```

If you get the error message "Error: invalid otp" when attempting to sign a file with automation, it could be caused by one or more of these issues:
- The TOTP secret in the command is associated with a different user account and/or certificate than indicated by the login credentials and credential ID specified.
- The TOTP secret in the command is otherwise invalid.
- Your system time is not synchronized with a reliable time server. The TOTP algorithm depends on your computer’s time closely matching the signing server’s.
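To make the third cause concrete, here is an added example (not SSL.com's or CodeSignTool's code) of what a TOTP client such as CodeSignTool computes from the saved secret: RFC 4226 HOTP under an RFC 6238 time counter. The secret below is a constructed value (the base32 form of the RFC 6238 test key), not a real eSigner secret, and the server's acceptance window of ±1 step is an assumption, since the page does not state it.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: base32 of the RFC 6238 test key "12345678901234567890".
# It is NOT a real eSigner TOTP secret.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, floor(time / step).
    The same secret yields a different code in every 30-second window, which is
    why the client clock must agree with the signing server's."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    return hotp(key, unix_time // step, digits)


def totp_now(secret_b32: str) -> str:
    """The code an automated signer would submit right now, from the local clock."""
    return totp_at(secret_b32, int(time.time()))


def clock_skew_tolerated(secret_b32: str, server_time: int, client_time: int,
                         window: int = 1) -> bool:
    """Would a code computed on a client clock reading `client_time` be accepted by a
    server whose clock reads `server_time` and checks +/-`window` steps? (The window
    is an assumed value; the real server tolerance is not given on the page.)"""
    client_code = totp_at(secret_b32, client_time)
    accepted = {totp_at(secret_b32, server_time + k * 30)
                for k in range(-window, window + 1)}
    return client_code in accepted
```

A client that drifts by several minutes produces a code the server never expects, which surfaces as "Error: invalid otp" even though the secret itself is correct.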
Method 2: batch_sign Command
- Version 1.2.0 of CodeSignTool includes the command batch_sign, allowing you to sign up to 100 files at one time with one OTP or your TOTP secret. Use a command like the following to sign the code objects in a directory with one OTP. (Replace the values in ALL-CAPS with your actual values. INPUT-DIR-PATH is the directory with the files you wish to sign.):
```
CodeSignTool batch_sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL-ID -input_dir_path=INPUT-DIR-PATH -output_dir_path=OUTPUT-DIR-PATH
Enter the OTP - Press enter to continue: 455145
Batch sign command executed successfully. Output directory for signed files: output
```
- Like the sign command, batch_sign also accepts your TOTP secret, so the batch can run without an OTP prompt:

```
CodeSignTool batch_sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL-ID -input_dir_path=INPUT-DIR-PATH -output_dir_path=OUTPUT-DIR-PATH -totp_secret=TOTP-SECRET
Batch sign command executed successfully. Output directory for signed files: output
```