Automate Extended Validation (EV) code signing with SafeNet eToken

Question

We recently purchased a DigiCert EV code signing certificate. We are able to sign .exe files using signtool.exe. However, every time we sign a file, it prompts for the SafeNet eToken password.

How can we automate this process, without user intervention, by storing/caching the password somewhere?

Answer 1

Expanding on answers already in this thread, it is possible to provide the token password using the standard signtool program from microsoft.

0. Open SafeNet Client in Advanced View

Install paths may vary, but for me the SafeNet client is installed to: C:\Program Files\SafeNet\Authentication\SAC\x64\SACTools.exe

Click the gear icon in the upper right to open "advanced view".

1. Export your public certificate to a file from the SafeNet Client

2. Find your private key container name

3. Find your reader name

4. Format it all together

The eToken CSP has hidden (or at least not widely advertised) functionality to parse the token password out of the container name.

The format is one of the following four options:

[]=name
[reader]=name
[{{password}}]=name
[reader{{password}}]=name

Where:

• reader is the "Reader name" from the SafeNet Client UI
• password is your token password
• name is the "Container name" from the SafeNet Client UI

Presumably you must specify the reader name if you have more than one reader connected - as I only have one reader I cannot confirm this.

Note that the double curly braces ({{ and }}) are part of the syntax and must be included in the command line argument.

5. Pass the information to signtool

• /f certfile.cer
• /csp "eToken Base Cryptographic Provider"
• /k "<value from step 4>"
• any other signtool flags you require

Example signtool command as follows

signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe

Some Images taken from this answer: https://stackoverflow.com/a/47894907/5420193