Code Sign Client Overview
The CyberArk Code Sign Client is the command-line tool that developers, release engineers, and CI/CD systems use to sync signing key references from Code Sign Manager-SaaS to a signing workstation. The keys themselves always stay on the HSM, and the use of the keys is governed by policies set in Code Sign Manager-SaaS.
The Code Sign Client does include native sign and verify capability, but these are intented primarily for testing purposes.
This section helps you install the client, authenticate it, and sync the signing key references to your signing workstations. It also provides several sample integrations for a number of common code signing applications, such as signtool, jarsigner, and apksigner.
If you are new to Code Sign Manager – SaaS, start with the product tutorials:
These tutorials show how the Code Sign Client fits into the complete end-to-end signing process.
What you can do from here
This section provides everything you need to begin using the Code Sign Client:
- Install the client on a workstation
- Authenticate using a user API key or a service account
- Configure client options (host URLs, proxy settings, logging, trace output)
- List and sync Signing Keys
- Perform a test signing and verification
- Integrate signing into build tools and CI pipelines
- Explore the full CLI reference
Administrative tasks, such as creating Projects, Signing Keys, Teams, or service accounts, are documented in the main Code Sign Manager – SaaS documentation.
Install the Code Sign Client
You can download the Code Sign Client from the Client Installation tab of any Signing Key in the CyberArk Certificate Manager – SaaS UI.
Installers are available for:
- Windows
- macOS
- Linux
Each download page also includes command-line installation instructions.
See Install the Code Sign Client
Clients available for signing
The Code Sign Client is available in two forms:
- PKCS#11 client (
pkcs11config) — available on Linux, macOS, and Windows - CSP/KSP client (
cspconfig) — available on Windows only
Both clients provide the same signing capabilities and support the same command options. The primary difference is the underlying cryptographic provider they integrate with:
- pkcs11config uses a PKCS#11 module for signing
- cspconfig integrates with the Windows Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) frameworks
Which client should I use?
Most users and CI/CD systems can use the PKCS#11 client (pkcs11config) regardless of operating system. All examples in this documentation use pkcs11config for consistency.
If you are signing on Windows and prefer to use the CSP/KSP ecosystem, you may use the CSP/KSP client (cspconfig) instead of pkcs11config.
The examples in this documentation all use
pkcs11config. Other than the command name itself, all other command options are identical between the two clients.
Authenticate the client
The Code Sign Client supports two authentication models, depending on how signing will be performed.
User API key authentication
Use this method when the Code Sign Client acts on behalf of an individual user.
- Simple to configure
- Works for interactive or automated signing on the user’s machine
- Requires the user to be added as an Authorized Signer on at least one Project
See Authenticate using a user API key
Service account authentication
Use this method when signing is performed by a machine or automated workflow such as a CI/CD pipeline.
- Not tied to a specific user
- Uses a Client ID and private key generated on the signing machine
- Designed for non-interactive environments
- Requires a service account to be created in CyberArk Certificate Manager – SaaS
See Authenticate using a service account
Test signing
After authentication, you can verify that everything is working correctly:
- List available Signing Keys
- Sign a file
- Verify a signature
Explore the CLI
The Code Sign Client includes a complete CLI for inspecting configuration, performing signing operations, verifying signatures, and troubleshooting.
See Code Sign Client CLI reference
Sample integrations
The Code Sign Client can be integrated with common build tools and CI systems. For tool-specific integration examples and tutorials, see the Code Sign Manager documentation.
A reference integration demonstrating best practices is available in Sample Integrations.
Next steps
Once your client is installed and authenticated:
- Integrate the Code Sign Client into your build or release workflow
- Use sample integrations as templates
- Explore advanced client configuration
- Set up secure storage for service account credentials in CI environments