SSL.com’s EV Code Signing Certificates are trusted worldwide to digitally sign software code with secure digital signatures.
Order a Code Signing Certificate
Production Certificate
For instructions on how to order a production code signing certificate, please refer to the guide article: Ordering Process for Code and Document Signing Certificates.
Test Certificate
For users who want to try code signing using a test certificate, the SSL.com sandbox environment offers a place where they can freely experiment. Follow the steps below to order an SSL.com test certificate.
- Log in to your sandbox account at https://sandbox.ssl.com/login. If there is no sandbox account yet, a new one can be created at https://sandbox.ssl.com/users/new.
- Once logged in to the sandbox account, click the Dashboard tab.
- Scroll down to the developers and integration section and click the developer tools link.
- Select the test EV certificate you want to order. Specify the validity duration of the certificate. Finally, click the Create Test Order button.
- Contact the SSL.com support team (support@ssl.com) to have the test code signing certificate validated.
Enroll your Certificate in eSigner Cloud Code Signing
Once your certificate has been validated, you can enroll it in eSigner. There are two ways to do this:
- QR code method: https://www.ssl.com/how-to/enroll-esigner-remote-document-ev-code-signing/
- OTP SMS method: https://www.ssl.com/guide/how-to-enable-otp-sms-two-factor-authentication-for-esigner-cloud-code-or-document-signing/
Sign your NuGet Package with eSigner Cloud Key Adapter (CKA)
eSigner CKA (Cloud Key Adapter) is a Windows-based application that uses the Cryptography API: Next Generation interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner Cloud Signature Consortium (CSC)-compliant API for enterprise code signing operations. It acts like a virtual USB token and loads the code signing certificates into the certificate store.
- Refer to this article to know how to install eSigner CKA on your computer.
- Log in to eSigner CKA with your SSL.com account credentials.
- Use the sign command below to sign your NuGet file on Windows SignTool:
dotnet nuget sign "D:\Data\unsigned.nupkg" --timestamper http://ts.ssl.com/legacy --certificate-fingerprint YOUR CERTIFICATE THUMBPRINT --certificate-store-location CurrentUser --certificate-store-name My
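The CKA signing step as a PowerShell script that looks up the thumbprint in the certificate store and then verifies the signed package against that certificate. This is an added example, not SSL.com's own tooling; the -Thumbprint parameter is an assumption of the script, and it expects eSigner CKA to be logged in so the certificate appears in the CurrentUser\My store.

```powershell
# Added example, not SSL.com's own script. Assumes eSigner CKA is logged in,
# so the certificate is visible in Cert:\CurrentUser\My.
param(
    [string]$Package     = 'D:\Data\unsigned.nupkg',   # path from the page's command
    [string]$Thumbprint  = '',                         # assumption: optional SHA-1 thumbprint
    [string]$Timestamper = 'http://ts.ssl.com/legacy'
)

# Candidates: certificates with the code signing EKU that are currently valid.
$now   = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
if ($Thumbprint) {
    $wanted = $Thumbprint -replace '\s', ''
    $certs  = @($certs | Where-Object { $_.Thumbprint -eq $wanted })
}
if ($certs.Count -eq 0) { throw 'No valid code signing certificate found. Is eSigner CKA logged in?' }
if ($certs.Count -gt 1) {
    $certs | ForEach-Object { Write-Host "$($_.Thumbprint)  $($_.Subject)" }
    throw 'Several code signing certificates found; rerun with -Thumbprint.'
}
$cert = $certs[0]
$sha1 = $cert.Thumbprint

# SHA-256 fingerprint of the same certificate, used to pin the signer on verify.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$sha256 = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$sha.Dispose()

# Same sign command as on the page, with the thumbprint filled in.
dotnet nuget sign $Package --timestamper $Timestamper `
    --certificate-fingerprint $sha1 `
    --certificate-store-location CurrentUser --certificate-store-name My
if ($LASTEXITCODE -ne 0) { throw "dotnet nuget sign failed (exit code $LASTEXITCODE)" }

# Run all available verifications and require the expected signer certificate.
dotnet nuget verify $Package --all --certificate-fingerprint $sha256
if ($LASTEXITCODE -ne 0) { throw "Verification failed for $Package" }
Write-Host "Signed and verified: $Package"
Write-Host "Signer SHA-256: $sha256"
```

The SHA-256 value it prints can be recorded and passed to dotnet nuget verify on build or consumer machines to confirm a package was signed by this certificate.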
Sign your NuGet Package with eSigner CodeSignTool
SSL.com’s eSigner CodeSignTool is a secure, privacy-oriented multi-platform Java command line utility for remotely signing Microsoft Authenticode and Java code objects with eSigner-enrolled code signing certificates. It is able to sign NuGet packages efficiently and in a user-friendly manner.
Refer to the article eSigner CodeSignTool Command Guide to download the application and gain an overview of all the available commands.
- To sign NuGet files with CodeSignTool, first add the legacy timestamp endpoint to the Properties Source File of CodeSignTool. Open the CodeSignTool folder, open the conf subfolder, then open the code_sign_tool Properties Source File and add the legacy endpoint: TSA_LEGACY_URL=http://ts.ssl.com/legacy
If you are using a test certificate, you also need to replace the contents of conf/code_sign_tool.properties with the following text:
CLIENT_ID=qOUeZCCzSqgA93acB3LYq6lBNjgZdiOxQc-KayC3UMw
OAUTH2_ENDPOINT=https://oauth-sandbox.ssl.com/oauth2/token
CSC_API_ENDPOINT=https://cs-try.ssl.com
TSA_URL=http://ts.ssl.com
- Open your command-line tool and change the directory to point to the installation folder of CodeSignTool by using the cd command. Example:
C:\Users\Admin>cd C:\Users\Admin\My PC\Desktop\CodeSignTool
- Use this command to sign your NuGet file:
CodeSignTool sign -username=USERNAME -password=PASSWORD -credential_id=CREDENTIAL ID -input_file_path=INPUT FILE PATH -output_dir_path=OUTPUT DIRECTORY PATH
- After entering the sign command, your Command Line Tool will prompt you for the One Time Password (OTP) linked to the tool you used to enroll your certificate in eSigner: either a QR code app or SMS/mobile phone:
Enter the OTP - Press enter to continue:
- Code Signed Successfully! You will be notified that your NuGet file has been successfully signed. Example:
Code signed successfully: C:\Users\Admin\\My PC\Desktop\Signed Nuget Files\sample.nupkg
Required Parameters
- -credential_id=<CREDENTIAL_ID>: Credential ID for signing certificate.
- -input_file_path=<PATH>: Path of code object to be signed.
- -otp=<OTP>: OAuth OTP value from authentication app.
- -output_dir_path=<PATH>: Directory where signed code object(s) will be written.
- -password=<PASSWORD>: SSL.com account password.
- -username=<USERNAME>: SSL.com account username.
Troubleshooting Signing Errors
- If your password includes special characters, enclose it in quotes (e.g. -password="P!@^^ssword12").
- If you encounter signing errors like:
'C:\Users\Admin\Dropbox\My' is not recognized as an internal or external command, operable program or batch file.
The system cannot find the path specified.
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
\Documents\sample was unexpected at this time.
Try the following:
- Enclose your input file path and output directory path in quotes.
- Type or directly copy+paste the required parameters on the command line tool. Refrain from typing and copy-pasting the command from other text editors.