How to Integrate eSigner CKA with CI/CD Tools for Automated Code Signing

SSL Support Team

1 week ago

The sections below demonstrate how to integrate eSigner CKA with Continuous Integration/Continuous Delivery (CI/CD) tools for automated code signing. Guides for CircleCI, GitHub Actions, Gitlab CI, and Travis CI are provided for signing .NET files. Guides for Azure Pipeline, GitHub Actions, Gitlab CI, and Travis CI are provided for signing .vsix files. eSigner CKA (Cloud Key Adapter) is a Windows based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations. Before enabling eSigner cloud-based code signing in your CI/CD pipeline, ensure the following checklist items are completed:

Purchase an SSL.com Code Signing Certificate that matches your needs:
- EV Code Signing Certificate
- OV Code Signing Certificate
Enroll your code signing certificate in eSigner: This links your certificate to the eSigner cloud service and enables CSC-compliant signing.

Once all checklist items are complete, you can proceed with configuring your CI/CD platform using the appropriate integration guide.

SSL.com’s EV Code Signing certificates help protect your code from unauthorized tampering and compromise with the highest level of validation, and are available for as little as $249 per year. You can also use your EV Code Signing certificate at scale in the cloud using eSigner.

ORDER NOW

.vsix Signing Example Workflows

Environment Variables

USERNAME: SSL.com account username. (Required)
PASSWORD: SSL.com account password (Required)
TOTP_SECRET: OAuth TOTP Secret. You can access detailed information on Automate eSigner EV Code Signing – SSL.com (Required)
MODE: ‘sandbox’ or ‘product’ (Required)

For sample codes, you can refer to the SSL.com Github repository at: https://github.com/SSLcom/esigner-sample

.NET Code DLL Signing Example Workflows

CircleCI IntegrationGitHub Actions IntegrationGitlab CI IntegrationTravis CI Integration

.NET Code DLL Signing Example Workflow

Prepare the components of the workflow

Create a .circleci folder on your editor. Include workflows with the folder and create a yml file as config.yml under the folder.
Set the CircleCI version. The version field is intended to be used in order to issue warnings for deprecation or breaking changes.
version: 2.1
Orbs are reusable packages of CircleCI configuration that you may share across projects, enabling you to create encapsulated, parameterized commands, jobs, and executors that can be used across multiple projects. To use the signtool tool this needs to be windows.

orbs:

win: circleci/windows@5.0.0
Invoke jobs via workflows. Workflows orchestrate a set of jobs to be run.

workflows:

   # The name of the workflow.

   sign-file:

      # Inside the workflow, you define the jobs you want to run.

         jobs:

            – sign-file
Define a job to be invoked later in a workflow.
jobs:

sign-file:
Specify the execution environment. We must use the windows executer because signtool is needed.
executor:

   name: win/server-2019

   size: medium

   variant: vs 2019
Place the working directory for the job
working_directory: /home/circleci/project
Add steps to the job See: https://circleci.com/docs/2.0/configuration-reference/#steps
steps:
Check out the source code so that the workflow can access it.
– checkout
Download and Unzip eSignerCKA Setup
– run:

      name: Download and Unzip eSignerCKA Setup

      command: |

         Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3”

         Expand-Archive -Force eSigner_CKA_1.0.3.zip

         Remove-Item eSigner_CKA_1.0.3.zip

         Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”
Install eSignerCKA
– run:

      name: Setup eSignerCKA in Silent Mode

      command: |

            mkdir -p “/home/circleci/project/eSignerCKA”

            ./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”/home/circleci/project/eSignerCKA” | Out-Null
Set SSLcom account information on eSignerCKA
– run:

      name: Config Account Information on eSignerCKA

      command: |

            /home/circleci/project/eSignerCKA/eSignerCKATool.exe config -mode $env:MODE -user “$env:USERNAME” -pass “$env:PASSWORD” -totp “$env:TOTP_SECRET” -key “/home/circleci/project/eSignerCKA/master.key” -r
Unload and Load certificate to windows certificate store
– run:

      name: Load Certificate into Windows Store

      command: |

            /home/circleci/project/eSignerCKA/eSignerCKATool.exe unload

            /home/circleci/project/eSignerCKA/eSignerCKATool.exe load
Select code signing certificate and get thumbprint for signing and Sign artifact with signtool
– run:

      name: Select Certificate From Windows Store and Sign Sample File with SignTool

      command: |

            $CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1

            & ‘C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe’ sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 “$($CodeSigningCert.Thumbprint)” “HelloWorld.dll”

Note: If error occurs when using the x64 version of SignTool, use the x86 version. For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe

.NET Code DLL Signing Example Workflow

Prepare the components of the workflow

Create a .github/workflows folder on your editor. Include workflows with the folder and create a sign.yml file under the folder.
Name your project and the type of workflow involved
Name: Sign Artifact
Trigger this workflow on a push

on: push
Create an environment variable

env:

MASTER_KEY: master.key

SIGNABLE_FILE_PATH: HelloWorld.dll

INSTALL_DIR: C:UsersrunneradmineSignerCKA

MASTER_KEY_FILE: C:UsersrunneradmineSignerCKAmaster.key
Define the jobs on your editor

jobs:

sign-file:
Run job on Windows Runner
runs-on: windows-latest
Create a name. When the workflow runs, this is the name that is logged.

name: Sign DLL File with eSignerCKA

Outline the steps for the Sign job

Check out the source code so that the workflow can access it.

– name: Checkout Repository

uses: actions/checkout@v3
Download and Unzip eSignerCKA Setup
– name: Download and Unzip eSignerCKA Setup

  run: |

      Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3”

      Expand-Archive -Force eSigner_CKA_1.0.3.zip

      Remove-Item eSigner_CKA_1.0.3.zip
      Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”
Install eSignerCKA
– name: Setup eSignerCKA in Silent Mode

  run: |

      New-Item -ItemType Directory -Force -Path ${{ env.INSTALL_DIR }}

      ./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”${{ env.INSTALL_DIR }}” | Out-Null
Set SSL.com account information on eSignerCKA
– name: Config Account Information on eSignerCKA

  run: |

      ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode “${{ secrets.MODE }}” -user “${{ secrets.USERNAME }}”

     -pass “${{ secrets.PASSWORD }}” -totp “${{ secrets.TOTP_SECRET }}” -key “${{ env.MASTER_KEY_FILE }}” -r
Unload and Load certificate to windows certificate store
– name: Load Certificate into Windows Store

  run: |

      ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
      ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
Select code signing certificate and get thumbprint for signing
– name: Select Certificate From Windows Store

  run: |

      $CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1
      echo “THUMBPRINT=$($CodeSigningCert.Thumbprint)” >> $env:GITHUB_ENV
Sign artifact with signtool
– name: Sign Sample File with SignTool

run: |
& ‘C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe’ sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 ${{ env.THUMBPRINT }} ${{ env.SIGNABLE_FILE_PATH }}

Note: If error occurs when using the x64 version of SignTool, use the x86 version. For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe
You can also refer to this sample workflow for signing: https://github.com/SSLcom/esigner-sample/blob/main/.github/workflows/sign.yml#L37

.NET Code DLL Signing Example Workflow

Define the components of the workflow

Create a yml file as .gitlab-ci.yml under the folder.
Used to select runners from the list of available runners. A runner must have all tags listed here to run the job.
.windows_runners:

      tags:

            – shared-windows

            – windows

            – windows-1809
Groups jobs into stages. All jobs in one stage must complete before next stage is executed.
stages:

– sign
Below is the definition of your job to sign file. Define what stage the job will run in.
sign-file:

stage: sign
The name of one or more jobs to inherit configuration from.
extends:
– .windows_runners
Write the script to sign the file.
script:

# Download and Unzip eSignerCKA Setup

   – powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3″‘

   – powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_1.0.3.zip’

   – powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_1.0.3.zip’

   – powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”‘

# Setup eSignerCKA in Silent Mode

– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:Usersgitlab_runnerDesktopeSignerCKA”‘

# Check installation directory

– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerDesktopeSignerCKA’

# Config Account Information on eSignerCKA

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe config -mode ${MODE}

     -user “${USERNAME}” -pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:Usersgitlab_runnerAppDataRoamingeSignerCKAmaster.key” -r’

# Unload Certificate into Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe unload’

# Load Certificate into Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Usersgitlab_runnerDesktopeSignerCKAeSignerCKATool.exe load’

   # Check data directory

   – powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerAppDataRoamingeSignerCKA’

   # Check config data directory

   – powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Usersgitlab_runnerAppDataRoamingeSignerCKAConfig’

# Select Certificate From Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’

# Debug Certificate Thumbprint

– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’

# Sign Sample File with SignTool

– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint);

     ‘C:Program Files (x86)Windows Kits10bin10.0.17763.0x86signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”

Note: If error occurs when using the x64 version of SignTool, use the x86 version. For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe

.NET Code DLL Signing Example Workflow

Define the components of the workflow

Create a yml file as .travis.yml under the root folder.
Place the CPU Architecture to run the job on.
arch: amd64
Default language to run jobs on Travis CI

language: csharp
The Operating System to run the job on

os: windows
Specify the order of stages. All jobs in one stage must be completed before the next stage is executed.

stages:

– sign
Define the build stage

jobs:

include:

– stage: sign
The job name
name: sign-file
The operating system to run the job on
os: windows
Current language to run jobs on Travis CI
language: c
Write the Before script to run before building the project

before_script:

– powershell.exe -ExecutionPolicy Bypass -Command ‘New-Item -ItemType Directory -Force -Path C:Userstravisbuildesigner-sampleeSignerCKASSLcom’
Write the script to build the project.

script:

# Download and Unzip eSignerCKA Setup

– powershell.exe -ExecutionPolicy Bypass -Command ‘Invoke-WebRequest -OutFile eSigner_CKA_1.0.3.zip “https://www.ssl.com/download/ssl-com-esigner-cka-1-0-3″‘

– powershell.exe -ExecutionPolicy Bypass -Command ‘Expand-Archive -Force eSigner_CKA_1.0.3.zip’

– powershell.exe -ExecutionPolicy Bypass -Command ‘Remove-Item eSigner_CKA_1.0.3.zip’

– powershell.exe -ExecutionPolicy Bypass -Command ‘Move-Item -Destination “eSigner_CKA_1.0.3.exe” -Path “eSigner_CKA_1.0.3SSL.COM eSigner CKA_1.0.3.exe”‘

# Setup eSignerCKA in Silent Mode

– powershell.exe -ExecutionPolicy Bypass -Command ‘./eSigner_CKA_1.0.3.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR=”C:Userstravisbuildesigner-sampleeSignerCKASSLcom” | Out-Null’

# Check installation directory

– powershell.exe -ExecutionPolicy Bypass -Command ‘dir C:Userstravisbuildesigner-sampleeSignerCKASSLcom’

# Config Account Information on eSignerCKA

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe config -mode ${MODE} -user “${USERNAME}”

-pass “${PASSWORD}” -totp “${TOTP_SECRET}” -key “C:Userstravisbuildesigner-sampleeSignerCKASSLcommaster.key” -r’

# Unload Certificate into Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe unload’

# Load Certificate into Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘C:Userstravisbuildesigner-sampleeSignerCKASSLcomeSignerCKATool.exe load’

# Select Certificate From Windows Store

– powershell.exe -ExecutionPolicy Bypass -Command ‘$CodeSigningCert = Get-ChildItem Cert:CurrentUserMy -CodeSigningCert | Select-Object -First 1; echo $CodeSigningCert.Thumbprint > .Thumbprint’

# Debug Certificate Thumbprint

– powershell.exe -ExecutionPolicy Bypass -Command ‘Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); echo $Thumbprint’

# Sign Sample File with SignTool

– powershell.exe -ExecutionPolicy Bypass -Command “Set-Variable -Name Thumbprint -Value (Get-Content .Thumbprint); ‘C:Program Files (x86)Windows Kits10binx64signtool.exe sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sha1 $Thumbprint HelloWorld.dll'”

Note: If error occurs when using the x64 version of SignTool, use the x86 version. For example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe

Related Guides

In addition to eSigner CKA, eSigner CodeSignTool can be used for CI/CD-based code signing. CodeSignTool is a secure, multi-platform Java command-line utility for remotely signing Microsoft Authenticode and Java code using eSigner EV code signing certificates. Only file hashes are transmitted to SSL.com for signing, ensuring the source code itself is never sent—making CodeSignTool well suited for signing sensitive files. It also supports automated batch signing and seamless integration into high-volume CI/CD workflows. Below are specific guides for popular CI/CD tools using eSigner CodeSignTool.

Need Custom Solutions?

With our expert knowledge and five-star support staff, we’re ready and willing to work with you on custom solutions or enterprise-level high-volume signing discounts. Fill out the form below and we’ll be in touch.

Was this article helpful?

Yes

Thanks for your feedback!