Yay! My Dongle Works!
-
A month and a half ago, when my code-signing certificate was expiring, I found that a simple renewal was not possible...the rules had changed and there were only 2 choices.

0): depend on their hosted service to manage certs/signing
1): get an eToken h/w dongle for a hefty fee

IIUC, option 0 meant uploading/downloading which isn't attractive, especially if signing is part of an existing automated deployment process, so I went with option 1.

The little blue usb device arrived a few weeks ago, and has been sitting on my desk with an instructive little business card daring me to try it...'To set up and start using your Code Signing token, please go to http://theirwebsite...blah, blah'. (kinda funny they use http)

Well, today is the day. If I follow the instructions carefully, it should go smoothly. :~

At step 4, it reminded me that I needed that one-time-available-only password from step 2. :confused: What password? :wtf: There was an initialization code, but no password. Oh well, there's an option for when you don't know the password. (rabbit hole) Something I did caused an unhandled exception and the tool crashed. When I bring it back up, I'm still unable to change the password per the instructions. (if you don't know the token password, it's useless)

Finally, I called for support. I got the cert reissued and went through the process again, but this time actually knowing the correct password and got through the process of installing the certificate.

But how do I know that it works? Google finds me an obscure link to a Japanese site where a utility can be downloaded. I download and start it. There's an option to sign/timestamp an executable...and it works the first time! :)

Now that I know it works, I can move on to get it integrated with signcode in the chain. I already have some sample code from @RickZeeland to get me started. Thanks again Rick! :thumbsup:

It's been a busy Friday so far...now, on to more little victories! :laugh: Have a great weekend!
"Go forth into the source" - Neal Morse "Hope is contagious"
-
That subject line. Please never use it ever again, especially on a site where a bunch of aging software developers hang out.
"Hang out"? :~ Hoist on your own complaint, me thinks. ;P
TTFN - Kent
-
Want to go down a rabbit hole? I have an EV certificate from what I believe to be the same company. Run the following command on any file that you have signed with your certificate:
>signtool verify filename.exe
I'm curious if it displays the same behavior for you as it does for me.
The difficult we do right away... ...the impossible takes slightly longer.
-
I just ran that command and got the following error:
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1
Under explorer properties, the digital sig/cert/path all look fine. Very strange. Shall I name the company?
"Go forth into the source" - Neal Morse "Hope is contagious"
-
Hallelujah! I'm so happy that it's not just me! Isn't that a strange error message? I worked with DigiCert support for days trying to get to the bottom of why their root certificate is not trusted, or why signtool is saying that. Turns out that it doesn't prevent my kernel mode driver from loading, so it's harmless in practice.
The difficult we do right away... ...the impossible takes slightly longer.
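Added example (not from any poster in this thread): `signtool verify` with no policy switch checks the file against the Windows Driver Verification Policy, while `/pa` selects the Default Authenticode Verification Policy and `/kp` the kernel-mode driver signing policy. The PowerShell script below runs all three against one file so the policy that rejects the chain is visible; it assumes `signtool.exe` from the Windows SDK is on PATH, and the file path is a placeholder.

```powershell
# Added example: compare signtool's verification policies for one signed file.
# Assumes signtool.exe (Windows SDK) is on PATH; the file path is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Path   # e.g. .\filename.exe
)

# Policy name -> the signtool switch that selects it.
# With no switch, signtool verify uses the Windows Driver Verification Policy.
$policies = [ordered]@{
    'Windows Driver (default, no switch)' = @()
    'Default Authenticode (/pa)'          = @('/pa')
    'Kernel-mode driver signing (/kp)'    = @('/kp')
}

$results = foreach ($name in $policies.Keys) {
    $switches = $policies[$name]
    # /v prints the full chain so the failing root is visible in the output.
    $output = & signtool.exe verify @switches /v $Path 2>&1
    [pscustomobject]@{
        Policy   = $name
        Passed   = ($LASTEXITCODE -eq 0)
        ExitCode = $LASTEXITCODE
        Error    = ($output |
                    Where-Object { "$_" -match 'SignTool Error' } |
                    Select-Object -First 1)
    }
}
$results | Format-Table -AutoSize -Wrap

# Cross-check with the built-in cmdlet, which does not need the SDK.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

A file that passes under `/pa` but fails with no switch has a valid Authenticode chain that simply does not end in a root accepted by the driver verification policy.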
-
Finally discovered your special purpose?
-
We also have a strange problem with our Sectigo (formerly known as Comodo) certificate, Windows 11 says the publisher is not trusted when running our software, while there is no problem under Windows 10. :~