How to sign with a token without entering a password

A common problem for our users is having to enter the token password for every single signature. This is not only annoying, but also prevents automation. In this article, we have finally come up with a solution.

Option one - Single logon

A trivial and quick option is to turn on Enable single logon in Client Settings, on the Advanced tab. Once you have entered your password, Safenet will not ask you for it again until you log out.

Single logon settings in Safenet

Option two - enter the password when signing

The password can also be supplied in the signing command itself, in which case Safenet does not ask for it. To do this, use the /f, /csp and /k parameters; in the /k parameter, you need to put the password together with the name of the container.

Here is where to find the necessary values and how to prepare them:

    Certificate export from Safenet
  • /f CERTIFICATE.cer - the location of the certificate exported from the token to a file (of course, the private key cannot be exported).
    Container name and Cryptographic provider detection
  • /csp - name of the Cryptographic provider - you can find it in Safenet in the private key section, e.g. "eToken Base Cryptographic Provider"
  • /k - password for the token, which is entered when signing. Combine it with the name of the container; the password must be enclosed in brackets as in the example below.
    "[{{TokenPasswordHere}}]=KeyContainerNameHere"

Combine everything and start signing

All the information found above is added to the signature command using parameters. The entire signing command looks like this:

signtool sign /f "C:\Users\User\CERTIFICATE.cer" /csp "eToken Base Cryptographic Provider" /k "[{{tokenpassword}}]=Containername" /fd SHA256 /t http://timestamp.digicert.com "C:\Users\User\APP.exe"

Signtool signs the file without asking for a password; the prompt to enter the Safenet password does not pop up either.
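For unattended builds, the same command can be wrapped so that the token password is not stored in the script or typed on the command line by hand. The PowerShell wrapper below is an added example, not part of the original article or the StackOverflow thread; the environment variable name SIGN_TOKEN_PIN and the default path, provider and container values are assumptions to replace with your own.

```powershell
# Added example. SIGN_TOKEN_PIN and the default values are assumptions.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $CertificatePath = 'C:\Users\User\CERTIFICATE.cer',
    [string] $Csp             = 'eToken Base Cryptographic Provider',
    [string] $Container       = 'KeyContainerNameHere',
    [string] $TimestampUrl    = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

# Read the token password from the environment (for example, injected by the
# build system's secret store) so it is never written into the script.
$pin = $env:SIGN_TOKEN_PIN
if ([string]::IsNullOrEmpty($pin)) { throw 'SIGN_TOKEN_PIN is not set.' }

# Fail early if an input is missing, before the password is used at all.
foreach ($p in $FilePath, $CertificatePath) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "File not found: $p" }
}
$signtool = (Get-Command signtool.exe).Path   # signtool must be on PATH

# /k takes "[{{password}}]=container", as described in the article.
$signArgs = @(
    'sign', '/f', $CertificatePath, '/csp', $Csp,
    '/k', ('[{{' + $pin + '}}]=' + $Container),
    '/fd', 'SHA256', '/t', $TimestampUrl, $FilePath
)

try {
    # Do not echo $signArgs to the build log: it contains the password. The value
    # is still visible in signtool's command line while the process is running.
    & $signtool @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)." }

    # Confirm the signature and timestamp before the file is published.
    & $signtool verify /pa /v $FilePath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)." }
}
finally {
    # Drop the password from this session once signing is done.
    $pin = $null; $signArgs = $null
    Remove-Item Env:\SIGN_TOKEN_PIN -ErrorAction SilentlyContinue
}
```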

Source:

Thread Automate Extended Validation (EV) code signing with SafeNet eToken at StackOverflow