Code Signing Integration with AppViewX CSP/PKCS#11

Using Signtool with AppViewX CSP

  1. Execute the AppViewX SIGN Installer to set up the necessary prerequisites for utilizing the AppViewX CSP/PKCS11 Providers.
  2. Copy the signtool command from the README file and incorporate it into the Azure Pipeline Configuration File by updating the relevant stage and script.
    - script: signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm> <input_file_path>
      displayName: Signtool Signing
    • /f <path to certificate>: Path to your code-signing certificate.
    • /fd <digest algorithm>: Specifies the hashing algorithm used for the file signature.
    • /csp <csp_name>: Name of the Cryptographic Service Provider (CSP).
    • /k <key_alias_name>: Key container name.
    • /tr <timestamp_url>: URL of the trusted timestamping authority that provides the timestamp.
    • /td <timestamp digest algorithm>: Specifies the timestamping digest algorithm.
    • <input_file_path>: Path to the file to be signed.
    The parameters <path to certificate>, <digest algorithm>, <csp_name>, <key_alias_name>, <timestamp_url>, and <timestamp digest algorithm> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN Installer.
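
A signing step that exits cleanly does not by itself show that the file carries the expected signer and a timestamp. The following PowerShell gate is an added example, not part of the AppViewX README or installer output; it can run as a pipeline step after the signtool step. The function name and the SIGNED_FILE and SIGNER_THUMBPRINT pipeline variables are assumptions.

```powershell
# Added example. SIGNED_FILE and SIGNER_THUMBPRINT are assumed pipeline
# variables: the signed file and the SHA-1 thumbprint of the /f certificate.
function Test-SignedArtifact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $problems = @()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches and the signer chain is trusted.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status): $($sig.StatusMessage)"
    }

    # Pin the signer: a signature from any other trusted certificate fails.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if (-not $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } elseif ($sig.SignerCertificate.Thumbprint -ne $expected) {
        $problems += "unexpected signer $($sig.SignerCertificate.Thumbprint)"
    }

    # /tr and /td should leave a timestamp countersignature; without one the
    # signature stops validating once the signing certificate expires.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature'
    }

    [pscustomobject]@{
        Path     = $Path
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Run only when the assumed pipeline variables are set.
if ($env:SIGNED_FILE -and $env:SIGNER_THUMBPRINT) {
    $result = Test-SignedArtifact -Path $env:SIGNED_FILE -ExpectedThumbprint $env:SIGNER_THUMBPRINT
    foreach ($p in $result.Problems) {
        # Azure Pipelines logging command: surfaces the line as a build error.
        Write-Host "##vso[task.logissue type=error]$($result.Path): $p"
    }
    if (-not $result.Passed) { exit 1 }
}
```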

Using JarSigner with AppViewX CSP

  1. Execute the AppViewX SIGN Installer to install the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the jarsigner command from the README file and update the Azure Pipeline Configuration File with the correct stage and script.
    - script: jarsigner.exe -verbose -storetype "Windows-My" -keystore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>
      displayName: Jarsigner Signing
    The parameters <time_stamp_url>, <signature algorithm> and <keypair alias> are automatically generated in the README file after executing the SIGN Installer.

Using NuGet with AppViewX CSP

  1. Execute the AppViewX SIGN Installer to set up the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the nuget command from the README file and update the Azure Pipeline Configuration File with the relevant stage and script.
    - script: nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite
      displayName: Nuget Signing
    The parameters <timestamp_url>, <certificate_fingerprint> and <hashing_algorithm> are automatically generated in the README file after executing the SIGN Installer.

Using JarSigner with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN Installer to install the prerequisites needed for the AppViewX CSP/PKCS11 Providers.
  2. Copy the jarsigner command from the README file and update the Azure Pipeline Configuration File with the corresponding stage and script.
    - script: jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>
      displayName: Jarsigner Signing
    The parameters <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> are automatically generated in the README file after executing the SIGN Installer.

Using JSign with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN Installer to install the prerequisites necessary for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the JSign command from the README file and update the Azure Pipeline Configuration File with the appropriate stage and script.
    - script: java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>
      displayName: JSign Signing
    The parameters <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm> and <timestamp url> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN Installer.

Using APKSigner with AppViewX PKCS#11 Provider

  1. Run the AppViewX SIGN Installer to install the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the APKSigner command from the README file and update the Azure Pipeline Configuration File with the corresponding stage and script.
    - script: java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
      displayName: APKSigner Signing
    The parameters <path to AVXPKCS11V1.cfg> and <keypair alias> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN Installer.