Install CodeSign Protect Clients on signing workstations

Venafi code signing clients are the link between the code signing workstation and Trust Protection Platform. Venafi provides the following code signing clients:

  • Windows: CSP/KSP and PKCS#11 driver, GPG SmartCard daemon
  • Linux: PKCS#11 driver, GPG SmartCard daemon
  • macOS: PKCS#11 driver, GPG SmartCard daemon, Keychain Integration

IMPORTANT  Do not install the Windows CSP/KSP and PKCS#11 driver on the Trust Protection Platform server. Code Signing Clients should be installed on workstations from which code will be signed.

Using the CodeSign Protect Client Downloads page

If you chose to install the Code Signing Client Distribution component during the Trust Protection Platform installation, a web page is set up that provides helpful scripting information and links for downloading CodeSign Protect clients. You can access the page by adding /csc to your Trust Protection Platform URL, such as:

https://TPP-Server-Name/csc

If you are running more than one Trust Protection Platform, you can choose to use a single one. With a browser, log in to the Trust Protection Platform server. Select Configuration > Classic Policy Tree > Platforms, select the appropriate Trust Protection Platform server, then click the Settings tab, and enter the URL hostname in the Code Signing Client Distribution (/csc) field. The correct site will then be automatically detected.

The following screenshot is an example of the Code Signing Client Downloads page: 

CodeSign Protect Client Downloads page lets you choose the operating system and architecture of the CodeSign Protect client you want to download.

For more information on automating and scripting the installation of CodeSign Protect clients, see Automate CodeSign Protect client installations (silent installation)

NOTE  The Windows CSP and PKCS#11 driver are both included in the MSI files referenced in the steps below.

  1. Download the installation file. For 64-bit operating systems, download VenafiCodeSigningClients-23.1.0-x64.msi. For 32-bit operating systems, download VenafiCodeSigningClients-23.1.0-x86.msi.
  2. Run the installation file with administrator authority. The Code Signing Client installation wizard opens.
  3. Accept the license agreement, and then click Next.
  4. Select the location where you want the CSP to be installed, and then click Next.
  5. Click Install.

Once installation completes, the CSP configuration wizard opens. For steps on configuring the CSP, see Configuring the Venafi CSP.

NOTE  The CSP configuration wizard only configures the CSP. For steps on configuring PKCS#11, see Configuring the PKCS#11 driver.

Installing the CSP and PKCS#11 driver using the command line

See Installing and configuring the CSP using the command line.

Download the installation file venafi-codesigningclients-23.1.0-linux-x86_64.rpm.

To install on distributions that support RPM, run the following command:

rpm -i venafi-codesigningclients-23.1.x-linux-x86_64.rpm

To install on distributions that do not support RPM, you can use alien to run the installation:

alien -i --scripts venafi-codesigningclients-23.1.x-linux-x86_64.rpm

NOTE  The --script flag is required to run the RPM post install script.

The VenafiPKCS#11 files are installed in the /opt/venafi/codesign directory.

Next Step:

  1. Download the installation file for your platform:

    • Intel-based Macs: Venafi CodeSign Protect Clients v23.1.0.dmg.

    • M1 Macs: Venafi CodeSign Protect Clients v23.1.0-arm64.dmg

  2. Double-click the .dmg file to open it. The .dmg contains both the installation file and the uninstall script.

  3. Double-click the Venafi Code Signing Clients.pkg file to run the installer.

  4. The installer provides three options:

    • Command-line clients

      This installs the pkcs11config and gpgconfig command line clients

    • Keychain integration

      This installs the tkdriverconfig client, which integrates with Apple Keychain. It also includes the CodeSign Protect status menu

    • SDK Documentation

      Installs the LibHsm SDK documentation in /Library/Venafi/CodeSigning/html.

  5. Complete the steps on the installation wizard.

Upon completion, the utilities are installed in the /Library/Venafi/CodeSigning/bin directory, with symbolic links to it in /usr/local/bin.

Next Step: