Secure Token
Using a DigiCert-Provided Hardware Token
If you've purchased a DigiCert-provided hardware token, refer to Set Up Your DigiCert-Provided eToken.
Using Your Secure Token
If you are using your own FIPS 140-2 Level 2 compliant token from a different vendor, you need to do the following:
Install the necessary Token hardware on your PC.
Install your Code Signing Certificate on your token before proceeding with the signing process.
Windows SDK
Install the Windows SDK on your computer.
Use the SignTool command to sign your files. You can run either the automatic or manual method below.
If you have more than one Code Signing Certificate on your computer, we recommend that you manually select which certificate to use for signing the code. When running any of the SignTool commands, replace the example file path with the path to your own file(s). After running the command, you are prompted to enter your token password.
By following the steps below, SignTool will automatically select the code signing certificate that will be used to sign your file:
Open Command Prompt as an administrator.
Run the following command:
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\path\to\fileToSign.exe"
In the command, replace "C:\path\to\fileToSign.exe" with the exact path where the file you're intending to sign is located.
You should then receive a confirmation that the file was successfully signed and timestamped.
You can specify the certificate you want to use to sign your file by using the manual SignTool command below:
Get the Code Signing Certificate's Subject Name
To get a certificate's subject name in your user's account, go to the Start menu, type certmgr.msc, and press Enter.
In the certmgr window, expand Personal > Certificates to list all of the certificates installed for that user account.
The subject name of the certificate is the text listed under the Issued To field.
Then, in the command below, replace "subject name" with your certificate's subject name and "C:\path\to\fileToSign.exe" with the exact path where the file you're intending to sign is located:
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /n "subject name" "C:\path\to\fileToSign.exe"
You should then receive a confirmation that the file was successfully signed and timestamped.
To batch sign your files, you must enable single sign-on for the SafeNet Token. Once single sign-on is activated and you’ve logged into the token, you can batch sign your files, allowing you to enter your password only once per user session.
Open SafeNet Authentication Client Tools.
Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
Click the Advanced View icon (gold gear).
In the menu tree in the left pane, select Client Settings.
In the right pane, select the Advanced tab.
On the Advanced tab, select the Enable single login option.
Click Save.
To activate the single logon feature, log off from the computer and log on again.
Using the hash value of a Code Signing Certificate is another way to tell SignTool which Code Signing Certificate to use.
If you have multiple certificates installed in your Personal Certificate store, it may be better to use the /sha1 option to specify the hash value of the Code Signing Certificate instead of using /a or /n "subject name" in the signing command.
In this case, you would be using the thumbprint value of your Code Signing Certificate. You must remove all spaces from the thumbprint value; otherwise, it won't work.
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe
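The thumbprint selection and batch signing steps above, combined into one PowerShell script that also checks the result. This is an added example, not DigiCert's own script; it assumes signtool.exe is on PATH and the token is plugged in, and the thumbprint and file paths are placeholders.

```powershell
# Added example: select a code signing certificate by thumbprint, batch sign, then verify.
# Assumptions: signtool.exe is on PATH; the thumbprint and file paths below are placeholders.
$ErrorActionPreference = 'Stop'

# Thumbprint as copied from the certificate's Details tab (constructed placeholder value).
$pasted = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'

# Keep only hex digits: removes spaces and any invisible characters picked up by copy/paste.
$thumbprint = ($pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($thumbprint.Length) characters."
}

# Confirm the certificate is in the user's Personal store and is valid for code signing.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No code signing certificate with thumbprint $thumbprint in Cert:\CurrentUser\My."
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Files to sign (placeholder paths).
$Files = @('C:\path\to\fileToSign.exe', 'C:\path\to\secondFile.dll')

# One signtool invocation for all files, using the same options as the commands on this page.
& signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 $thumbprint $Files
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE." }

# Verify each result: valid signature, made by the expected certificate, and timestamped.
foreach ($file in $Files) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { throw "$file : signature status is $($sig.Status)." }
    if ($sig.SignerCertificate.Thumbprint -ne $thumbprint) {
        throw "$file : signed by an unexpected certificate."
    }
    if (-not $sig.TimeStamperCertificate) { throw "$file : signature is not timestamped." }
    "{0} signed by {1}" -f $file, $sig.SignerCertificate.Subject
}
```

Checking the signer thumbprint and the timestamp after signing catches the case where a different certificate in the store was used or the timestamp server was unreachable.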
For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.