Automate Extended Validation (EV) code signing with SafeNet eToken

by

Expanding on answers already in this thread, it is possible to provide the token password using the standard signtool program from microsoft.

0. Open SafeNet Client in Advanced View

Install paths may vary, but for me the SafeNet client is installed to: C:\Program Files\SafeNet\Authentication\SAC\x64\SACTools.exe

Click the gear icon in the upper right to open “advanced view”.
SafeNet Advanced View

1. Export your public certificate to a file from the SafeNet Client
Exporting the Certificate to a File

2. Find your private key container name
Private Key Container Name

3. Find your reader name
Reader Name

4. Format it all together

The eToken CSP has hidden (or at least not widely advertised) functionality to parse the token password out of the container name.

The format is one of the following four options:

[]=name
[reader]=name
[{{password}}]=name
[reader{{password}}]=name

Where:

  • reader is the “Reader name” from the SafeNet Client UI
  • password is your token password
  • name is the “Container name” from the SafeNet Client UI

Presumably you must specify the reader name if you have more than one reader connected – as I only have one reader I cannot confirm this.

Note that the double curly braces ({{ and }}) are part of the syntax and must be included in the command line argument.

5. Pass the information to signtool

  • /f certfile.cer
  • /csp "eToken Base Cryptographic Provider"
  • /k "<value from step 4>"
  • any other signtool flags you require

Example signtool command as follows

signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe

Some Images taken from this answer: https://stackoverflow.com/a/47894907/5420193

More Related Contents:

  1. Automate Extended Validation (EV) code signing
  2. Is it worth hashing passwords on the client side
  3. Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy? [closed]
  4. getpasswd functionality in Go?
  5. Implement password recovery best practice
  6. How can I make an expect script prompt for a password?
  7. android lock password combinations
  8. How can I store my users’ passwords safely?
  9. Is “double hashing” a password less secure than just hashing it once?
  10. Using PHP 5.5’s password_hash and password_verify function
  11. Simple way to encode a string according to a password?
  12. Masking password input from the console : Java
  13. Changing the symbols shown in a HTML password field
  14. Setting the MySQL root user password on OS X
  15. MySQL user DB does not have password columns – Installing MySQL on OSX
  16. Securely Erasing Password in Memory (Python)
  17. Read password from stdin [duplicate]
  18. Getting around Chrome’s Malicious File Warning
  19. iOS 7.0 No code signing identities found
  20. Microsoft SmartScreen – suspended using Inno Setup installer?
  21. How to upload dmg file for notarization in xcode
  22. How to get a “codesigned” gdb on OSX?
  23. What happens when a code signing certificate expires?
  24. Signing product flavors with gradle
  25. How to decrypt a password from SQL server?
  26. Code Sign error: The identity ‘iPhone Developer: x Xxxxx’ doesn’t match any identity in any profile
  27. str_shuffle and randomness
  28. Disable drop paste in HTML input fields? [duplicate]
  29. How do I safely store database login and password in a C# application?
  30. Test app on iPhone without paying $99 to Apple [closed]

Leave a Comment