Perform a test signing
After installing and authenticating the CyberArk Code Sign Client, you can perform a simple test signing to confirm that everything is working correctly. This page walks you through listing available Signing Keys, signing a file, and verifying the signature.
Before you begin
Make sure:
- The Code Sign Client is installed on your workstation or build machine.
- The client is authenticated using either:
- A user API key, or
- A service account
- Your identity (user or service account) has access to at least one Signing Key in Code Sign Manager – SaaS.
All examples use the
pkcs11configutility. If you are using the CSP/KSP client on Windows, replacepkcs11configwithcspconfig.
List available Signing Keys
Run the following command:
pkcs11config list
This lists the objects (certificates and keys) available to your authenticated identity.
Example output:
Certificate 1:
Label: Release Project-Release Signing Key
Subject: CN=Release Signing Certificate
ID: 34353563356132632D333634392D343065652D616261302D306132623436326632333466
Environment: Certificate
Public Key 1:
Label: Release Project-Release Signing Key
Key-Type: RSA 2048
ID: 34353563356132632D333634392D343065652D616261302D306132623436326632333466
Environment: Certificate
Note the Label of the Signing Key you want to use. You will need this value in later steps.
If you see INFO: No objects available., review the troubleshooting guidance in the authentication topics.
Create a sample file to sign
In a temporary directory, create a file to use for the test:
echo "This is my test file" > signme.txt
You can use any file type, but a simple text file is sufficient for validation.
Sign the file
Use the sign command to create a signature for the file.
You can either run the interactive wizard:
pkcs11config sign
or specify all options directly:
pkcs11config sign --filename signme.txt --label "<Signing Key Label>" --output signme.txt.sig
Replace <Signing Key Label> with the label you noted from the pkcs11config list output. For example:
pkcs11config sign --filename signme.txt --label "Release Project-Release Signing Key" --output signme.txt.sig
If the operation succeeds, you should see a message similar to:
SUCCESS: Signed file 'signme.txt', signature written to 'signme.txt.sig'.
Verify the signature
Use the verify command to confirm that the signature is valid:
pkcs11config verify --filename signme.txt --label "<Signing Key Label>" --input signme.txt.sig
If verification succeeds, you will see a confirmation message indicating that the signature is valid.
Troubleshooting
“Label not found”
This means the specified label does not match any Signing Key available to your authenticated identity.
- Re-run
pkcs11config listand copy the label exactly as shown. - Make sure you are authenticated as the correct user or service account.
Signature verification fails
Check the following:
- Ensure you are using the same file (
signme.txt) and signature (signme.txt.sig) created during the signing step. - Confirm that the label used during verification matches the label used for signing.
- Make sure the files were not modified between signing and verification.
What's next
If the test signing and verification succeed, your environment is ready for integration.
Next steps:
- Explore the full CLI capabilities in the Code Sign Client CLI reference.
- Review Sample integrations for tool-specific examples (such as Signtool, jarsigner, or cosign).