Code Signing Integration with AppViewX CSP/PKCS#11

Using Signtool with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer to set up the necessary prerequisites for utilizing the AppViewX CSP/PKCS11 Providers.
  2. Copy the signtool command from the README file and incorporate it into the Azure Pipeline Configuration File by updating the relevant stage and script.
    - script: signtool.exe sign /f <path to certificate> /fd <digest algorithm> /csp <csp_name> /k <key_alias_name> /tr <timestamp_url> /td <timestamp digest algorithm> <input_file_path>
      displayName: Signtool Signing
    • /f <path to certificate>: Path to your code-signing certificate.
    • /fd <digest algorithm>: Specifies the hashing algorithm.
    • /csp <csp_name>: Name of Cryptographic Service Provider (CSP).
    • /k <key_alias_name>: Key Container Name.
    • /tr <timestamp_url>: Provides a timestamp from a trusted timestamping authority.
    • /td <timestamp digest algorithm>: Specifies the timestamping digest algorithm.
    • <input_file_path>: Path to the file to be signed.
    The parameters <path to certificate>, <digest algorithm>, <csp_name>, <key_alias_name>, <timestamp_url>, and <timestamp digest algorithm> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN+ Installer.

Using JarSigner with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer to install the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the jarsigner command from the README file and update the Azure Pipeline Configuration File with the correct stage and script.
    - script: jarsigner.exe -verbose -storetype "Windows-My" -keyStore NONE -tsa <time_stamp_url> <input_file_path> -signedjar <output_file_path> -sigalg <signature algorithm> <keypair alias>
      displayName: Jarsigner Signing
    The parameters <time_stamp_url>, <signature algorithm> and <keypair alias> are automatically generated in the README file after executing the SIGN+ Installer.

Using NuGet with AppViewX CSP

  1. Execute the AppViewX SIGN+ Installer to set up the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the nuget command from the README file and update the Azure Pipeline Configuration File with the relevant stage and script.
    - script: nuget.exe sign <input_file_path> -Timestamper <timestamp_url> -CertificateFingerprint <certificate_fingerprint> -HashAlgorithm <hashing_algorithm> -Verbosity detailed -Overwrite
      displayName: Nuget Signing
    The parameters <timestamp_url>, <certificate_fingerprint> and <hashing_algorithm> are automatically generated in the README file after executing the SIGN+ Installer.

Using JarSigner with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN+ Installer to install the prerequisites needed for the AppViewX CSP/PKCS11 Providers.
  2. Copy the jarsigner command from the README file and update the Azure Pipeline Configuration File with the corresponding stage and script.
    - script: jarsigner.exe -verbose -keystore NONE -storetype PKCS11 -certs -providerclass sun.security.pkcs11.SunPKCS11 -providerArg <path to AVXPKCS11V1.cfg> <input_file_path> -signedjar <output_file_path> -tsa <time_stamp_url> -sigalg <signature algorithm> <keypair alias>
      displayName: Jarsigner Signing
    The parameters <path to AVXPKCS11V1.cfg>, <time_stamp_url>, <signature algorithm> and <keypair alias> are automatically generated in the README file after executing the SIGN+ Installer.

Using JSign with AppViewX PKCS#11 Provider

  1. Execute the AppViewX SIGN+ Installer to install the prerequisites necessary for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the JSign command from the README file and update the Azure Pipeline Configuration File with the appropriate stage and script.
    - script: java -jar <path_to_jsign_jar> --keystore <path to AVXPKCS11V1.cfg> --storetype PKCS11 --storepass 12345678 --alias <keypair alias> --alg <digest algorithm> --tsaurl <timestamp url> <input_file_path>
      displayName: JSign Signing
    The parameters <path to AVXPKCS11V1.cfg>, <keypair alias>, <digest algorithm> and <timestamp url> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN+ Installer.

Using APKSigner with AppViewX PKCS#11 Provider

  1. Run the AppViewX SIGN+ Installer to install the prerequisites for using the AppViewX CSP/PKCS11 Providers.
  2. Copy the APKSigner command from the README file and update the Azure Pipeline Configuration File with the corresponding stage and script.
    - script: java -jar <path_to_apk_signer_jar> sign --provider-class sun.security.pkcs11.SunPKCS11 --provider-arg <path to AVXPKCS11V1.cfg> --ks NONE --ks-type PKCS11 --ks-pass pass:12345678 --ks-key-alias <keypair alias> --in "<input_file_path>" --out "<output_file_path>" --v1-signing-enabled false --v2-signing-enabled false --v3-signing-enabled true --v4-signing-enabled false
      displayName: APKSigner Signing
    The parameters <path to AVXPKCS11V1.cfg> and <keypair alias> are automatically generated according to the signing policy configurations outlined in the README file after executing the SIGN+ Installer.
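
A verification gate that can run as the pipeline step after any of the signing commands above, so the job fails when an artifact is unsigned, signed by an unexpected certificate, or missing its timestamp. This is an added example, not part of the AppViewX README or installer output; the parameter names ($Path, $ExpectedThumbprint, $ApkSignerJar) and the function name are hypothetical, and it assumes jarsigner.exe, nuget.exe and java are on the agent's PATH.

```powershell
# Added example (not AppViewX code). Parameter and function names are hypothetical.
param(
    [Parameter(Mandatory)] [string[]] $Path,               # signed artifacts to check
    [Parameter(Mandatory)] [string]   $ExpectedThumbprint, # SHA-1 thumbprint of the signing certificate
    [string] $ApkSignerJar                                 # the jar used as <path_to_apk_signer_jar>
)

# Returns $null when the file verifies, otherwise a short failure reason.
function Test-SignedArtifact([string] $File) {
    switch -Regex ([IO.Path]::GetExtension($File)) {
        '^\.(exe|dll|msi)$' {
            # Authenticode: trusted chain, expected signer, timestamp countersignature present
            $sig = Get-AuthenticodeSignature -FilePath $File
            if ($sig.Status -ne 'Valid') { return "Authenticode status is $($sig.Status)" }
            if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) { return 'unexpected signer certificate' }
            if (-not $sig.TimeStamperCertificate) { return 'signature has no timestamp' }
            return $null
        }
        '^\.jar$' {
            # Require the "jar verified" line in addition to a zero exit code
            $out = & jarsigner.exe -verify -strict $File | Out-String
            if ($LASTEXITCODE -ne 0 -or $out -notmatch 'jar verified') { return 'jarsigner -verify failed' }
            return $null
        }
        '^\.nupkg$' {
            & nuget.exe verify -Signatures $File | Out-Host
            if ($LASTEXITCODE -ne 0) { return 'nuget verify failed' }
            return $null
        }
        '^\.apk$' {
            & java -jar $ApkSignerJar verify --verbose $File | Out-Host
            if ($LASTEXITCODE -ne 0) { return 'apksigner verify failed' }
            return $null
        }
        default { return 'no verifier configured for this file type' }
    }
}

$failures = foreach ($file in $Path) {
    $reason = Test-SignedArtifact $file
    if ($reason) { "${file}: $reason" }
}
if ($failures) {
    # Azure Pipelines logging command: surfaces each failure as a build error
    $failures | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
    exit 1
}
```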