These directions will show you how to use CodeSignTool to sign code objects without being prompted for manual OTP entry for each file, enabling automated EV code signing with eSigner certificates. Because of its automated option, CodeSignTool is suitable for enterprise code signing. Please refer to SSL.com’s eSigner code signing guide for instructions on installation and basic use of CodeSignTool.
For instructions on how to automate EV Code Signing using signtool.exe or certutil.exe please review this how-to.
Method 1: TOTP Secret
- When the eSigner QR code is displayed for your certificate, copy the secret code value shown and save it in a safe location. This is the TOTP (time-based one-time password) secret associated with your eSigner certificate. Just as 2FA apps like Authy use this value, scanned from the QR code, to generate valid OTPs for code signing, CodeSignTool can use it to generate OTPs automatically when signing code.
- Use the TOTP secret in your CodeSignTool command as follows. (Replace the values in ALL-CAPS with your actual values):
CodeSignTool sign -credential_id=CREDENTIAL-ID -username=USERNAME -password=PASSWORD -totp_secret="TOTP-SECRET" -output_dir_path=OUTPUT-FILE-PATH -input_file_path=INPUT-FILE-PATH
- CodeSignTool will use the secret value specified to calculate an OTP and the input file specified will be signed without an OTP prompt.
Code signed successfully: C:\Users\Aaron Russell\Desktop\CodeSignTool-v1.0-windows\output\test.exe
Method 2: batch_sign Command
- Version 1.2.0 of CodeSignTool includes the command batch_sign, allowing you to sign up to 100 files at one time with one OTP or your TOTP secret. Use a command like the following to sign the code objects in a directory with one OTP. (Replace the values in ALL-CAPS with your actual values. INPUT-DIR-PATH is the directory containing the files you wish to sign.):
CodeSignTool batch_sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL-ID -input_dir_path=INPUT-DIR-PATH -output_dir_path=OUTPUT-DIR-PATH
Enter the OTP - Press enter to continue: 455145
Batch sign command executed successfully. Output directory for signed files: output
- Like the sign command, batch_sign also accepts your TOTP secret, so the batch runs without an OTP prompt:
CodeSignTool batch_sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL-ID -input_dir_path=INPUT-DIR-PATH -output_dir_path=OUTPUT-DIR-PATH -totp_secret=TOTP-SECRET
Batch sign command executed successfully. Output directory for signed files: output