Skip to main content

Code Sign Client Overview

The CyberArk Code Sign Client is the command-line tool that developers, release engineers, and CI/CD systems use to sync signing key references from Code Sign Manager-SaaS to a signing workstation. The keys themselves always stay on the HSM, and the use of the keys is governed by policies set in Code Sign Manager-SaaS.

The Code Sign Client does include native sign and verify capability, but these are intented primarily for testing purposes.

This section helps you install the client, authenticate it, and sync the signing key references to your signing workstations. It also provides several sample integrations for a number of common code signing applications, such as signtool, jarsigner, and apksigner.

If you are new to Code Sign Manager – SaaS, start with the product tutorials:

These tutorials show how the Code Sign Client fits into the complete end-to-end signing process.

What you can do from here

This section provides everything you need to begin using the Code Sign Client:

  • Install the client on a workstation
  • Authenticate using a user API key or a service account
  • Configure client options (host URLs, proxy settings, logging, trace output)
  • List and sync Signing Keys
  • Perform a test signing and verification
  • Integrate signing into build tools and CI pipelines
  • Explore the full CLI reference

Administrative tasks, such as creating Projects, Signing Keys, Teams, or service accounts, are documented in the main Code Sign Manager – SaaS documentation.

Install the Code Sign Client

You can download the Code Sign Client from the Client Installation tab of any Signing Key in the CyberArk Certificate Manager – SaaS UI.

Installers are available for:

  • Windows
  • macOS
  • Linux

Each download page also includes command-line installation instructions.

See Install the Code Sign Client

Clients available for signing

The Code Sign Client is available in two forms:

  • PKCS#11 client (pkcs11config) — available on Linux, macOS, and Windows
  • CSP/KSP client (cspconfig) — available on Windows only

Both clients provide the same signing capabilities and support the same command options. The primary difference is the underlying cryptographic provider they integrate with:

  • pkcs11config uses a PKCS#11 module for signing
  • cspconfig integrates with the Windows Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) frameworks

Which client should I use?

Most users and CI/CD systems can use the PKCS#11 client (pkcs11config) regardless of operating system. All examples in this documentation use pkcs11config for consistency.

If you are signing on Windows and prefer to use the CSP/KSP ecosystem, you may use the CSP/KSP client (cspconfig) instead of pkcs11config.

The examples in this documentation all use pkcs11config. Other than the command name itself, all other command options are identical between the two clients.

Authenticate the client

The Code Sign Client supports two authentication models, depending on how signing will be performed.

User API key authentication

Use this method when the Code Sign Client acts on behalf of an individual user.

  • Simple to configure
  • Works for interactive or automated signing on the user’s machine
  • Requires the user to be added as an Authorized Signer on at least one Project

See Authenticate using a user API key

Service account authentication

Use this method when signing is performed by a machine or automated workflow such as a CI/CD pipeline.

  • Not tied to a specific user
  • Uses a Client ID and private key generated on the signing machine
  • Designed for non-interactive environments
  • Requires a service account to be created in CyberArk Certificate Manager – SaaS

See Authenticate using a service account

Test signing

After authentication, you can verify that everything is working correctly:

  • List available Signing Keys
  • Sign a file
  • Verify a signature

See Perform a test signing

Explore the CLI

The Code Sign Client includes a complete CLI for inspecting configuration, performing signing operations, verifying signatures, and troubleshooting.

See Code Sign Client CLI reference

Sample integrations

The Code Sign Client can be integrated with common build tools and CI systems. For tool-specific integration examples and tutorials, see the Code Sign Manager documentation.

A reference integration demonstrating best practices is available in Sample Integrations.

Next steps

Once your client is installed and authenticated:

  • Integrate the Code Sign Client into your build or release workflow
  • Use sample integrations as templates
  • Explore advanced client configuration
  • Set up secure storage for service account credentials in CI environments