Install Code Sign Clients on signing workstations

Code Sign Clients are the link between the code signing workstation and Trust Protection Foundation. CyberArk provides the following code signing clients:

  • Windows: CSP/KSP and PKCS#11 driver, GPG SmartCard daemon
  • Linux: PKCS#11 driver, GPG SmartCard daemon
  • macOS: PKCS#11 driver, GPG SmartCard daemon, Keychain Integration

IMPORTANT  Do not install the Windows CSP/KSP and PKCS#11 driver on the Trust Protection Foundation server. Code Signing Clients should be installed on workstations from which code will be signed.

Using the Code Sign Manager - Self-Hosted Client Downloads page

If you chose to enable the Code Signing Client Distribution component, a web page is set up that provides helpful scripting information and links for downloading Code Sign Clients. You can access the page by adding /csc to your Trust Protection Foundation URL, such as:

https://TPP-Server-Name/csc

The following installers are available from the client download page:

macOS:

  • Installer (.dmg)

  • Portable package (.tgz)

Linux

  • Intel (amd64)

    • Package (.rpm)

    • Package (.deb)

    • Portable package (.tgz)

  • Arm (aarch64)

    • Package (.rpm)

    • Package (.deb)

    • Portable package (.tgz)

Windows

  • Installer (.msi)

  • Portable package (.zip)

NOTE  All code signing clients are also available from download.venafi.com. The clients are included as part of the Trust Protection Foundation .zip file.

If you are running more than one Trust Protection Foundation, you can choose to use a single one. With a browser, log in to the Trust Protection Foundation server. In the menu bar, click Policy Tree, and the select Platforms from the left navigation drop-down. Select the appropriate Trust Protection Foundation server, then click the Settings tab, and enter the URL hostname in the Code Signing Client Distribution (/csc) field. The correct site will then be automatically detected.

The following screenshot is an example of the Code Sign Manager - Self-Hosted Client Downloads page: 

The Client Downloads page lets you choose the operating system and architecture of the client you want to download.

For more information on automating and scripting the installation of Code Sign Clients, see Automate Code Sign Client installations (silent installation)

NOTE  The Windows CSP and PKCS#11 driver are both included in the MSI files referenced in the steps below.

  1. Download one of the Windows installation files from either the client download page or from download.venafi.com.

    NOTE  The Windows 32-bit client is available only from download.venafi.com.

    NOTE  To download the client using PowerShell, use Invoke-WebRequest.

    Example:

    Invoke-WebRequest `

      -Uri "https://<tpp-server-url>/csc/clients/cyberark-csc-latest-x86_64.msi" `

      -OutFile "CyberArkCodeSigningClients-25.3-x64.msi"

  2. Run the installation file with administrator authority. The Code Signing Client installation wizard opens.

  3. Accept the license agreement, and then click Next.

  4. Select the location where you want the CSP to be installed, and then click Next.

  5. Click Install.

Once installation completes, the CSP configuration wizard opens. For steps on configuring the CSP, see Configuring the CSP.

NOTE  The CSP configuration wizard only configures the CSP. For steps on configuring PKCS#11, see Configuring the PKCS#11 driver.

Installing the CSP and PKCS#11 driver using the command line

See Installing and configuring the CSP using the command line.

Download one of the Linux installation files from either the client download page or from download.venafi.com.

Clients are available for both Intel (amd64) and Arm (aarch64) architectures. The examples below show installation on the amd64 architecture.

To install an RPM package:

sudo rpm -Uvh "cyberark-code-sign-client-25.3.x-linux-x86_64.rpm"

To install a Deb package:

sudo dpkg -i "cyberark-code-sign-client-25.3.x-linux-x86_64.deb"

To install a portable package (.tgz)

tar zxvf "cyberark-code-sign-client-25.3.x-linux-x86_64.tar.gz"

The CyberArkPKCS#11 files are installed in the /opt/venafi/codesign directory.

Next Step:

  1. Download one of the macOS installation files from either the client download page or from download.venafi.com. The macOS installation files are universal.

  2. Double-click the .dmg file to open it. The .dmg contains both the installation file and the uninstall script.

  3. Double-click the CyberArk Code Sign Client v25.3.0-universal.dmg file to run the installer.

  4. The installer provides several options:

    • Integrations

      This section allows you to select which Code Sign Manager - Self-Hosted client integrations you want to install. The options are PCKS#11, GPG, and macOS Keychain.

    • SDK Documentation

      Installs the LibHsm SDK documentation in /Library/Venafi/CodeSigning/html.

  5. Complete the steps on the installation wizard.

Upon completion, the utilities are installed in the /Library/Venafi/CodeSigning/bin directory, with symbolic links to it in /usr/local/bin.

Next Step:

The most current Code Sign Manager - Self-Hosted client is backwards compatible with all supported versions of Trust Protection Foundation. Available features are determined by the Trust Protection Foundation version, not the client version. All features from previous versions are supported in newer versions unless specifically stated otherwise.

Trust Protection Foundation Version

Client Features

24.3

  • Enhanced all clients with usability features.

  • Added unsync option for gpgconfig.
24.1

  • Added support for experimental post-quantum signing, which is enabled on all clients by default. Optionally disable it with:

    pkcs11config option -name "Enable PQ Experimental" -value 0

  • Added ability to get a grant using a JWT token using the *config getgrant --jwtfile command.

  • Added client installation options:

    • Portable packages have been added for macOS (.tgz) and Windows (.zip)

    • macOS installers are now universal, so you no longer have to select Arm or Intel

    • Arm (Aarch64) installers have been added for Linux

  • Added optional venafi- prefix to all client commands on Linux and macOS.

23.3

  • Added backward compatibility so that the Code Sign Manager - Self-Hosted client supports all versions of Trust Protection Foundation

  • Added document signing

  • Added Reset support for CSP, PKCS11, and macOS clients

  • Added Benchmark tool for Windows clients

23.1

  • Enabled Environment filtering using Certificate Label or Environment ID in Code Sign Manager - Self-Hosted Client

  • Added support to prevent misuse of signing keys by disabling syncing of expired certificates/keys

22.4

  • Added Ability to directly set OAUTH grant and refresh tokens from Code Sign Manager - Self-Hosted clients

  • Added support for Windows Authentication for the Windows Code Sign Manager - Self-Hosted client

22.2

  • Added Code Sign Manager - Self-Hosted client distribution page

  • Added Code Sign Manager - Self-Hosted client Debian package

  • Added auto-update capability for Code Sign Manager - Self-Hosted clients for all OS versions

22.1

  • Added support for a single key for signing and derivation on per-user Environments

21.4

  • Integrated U-boot and mkimage

  • Added GPG public key server

  • Added ability to retrieve public keys from GPG public key server

  • Added support to sign JWT tokens