Code Signing Changes
-
My (company's) code signing certificate expires in less than a month, so over the weekend I intended to renew it. Unbeknownst to me, there are new rules and regulations that prevent the straight download/install/export of a certificate. (for pfx signing) It seems the only options these days are using their keyvault or using a hardware token, both at a cost of course. In fact, the price has almost doubled from just 3 years ago! :omg: I have no choice but to roll with the changes, I just hope that I don't have to change too much in my current deployment toolchain. :sigh: (currently using signtool/pfx)
"Go forth into the source" - Neal Morse "Hope is contagious"
-
Is it an EV certificate or just a code signing certificate? I would understand them requiring a token if it's an Extended Validation cert.
The difficult we do right away... ...the impossible takes slightly longer.
-
It's just a code signing certificate. Up until this renewal, my CA (DigiCert) has allowed me to simply install the certificate directly into IE/Edge where I can export it to pfx for use on other systems. It seems I now need to either become dependent on them to store/use the private key, or get it shipped on a hardware token, both cost more money and both will require me to alter the custom deployment system. (unless I will have the ability with the hardware token/dongle to create the pfx) Either way, it's silly that shipping a cheap usb stick should add hundreds of dollars to a product that doubled in price over 3 years. I may go shopping, but it might mean having to get reverified (time and effort) if I change providers instead of renewing. Not sure yet. :confused:
"Go forth into the source" - Neal Morse "Hope is contagious"
-
It took us months to change our TeamCity builders that no longer could use a copy of the .pfx signing certificate. The builders now send the files to be signed to a "Signing PC" which has the USB dongle with the EV token. I also had to write a signing application to automate signing as we did not want to sign files manually.
-
:thumbsup: Thanks for confirming my fears! :laugh: I'm the only person here building/signing/deploying, so the only problem will be keeping up with the dongle when I travel. Of course, I don't know what I'm up against with the automation part of things yet...if it can be scripted like signtool, then it shouldn't be too much of a hassle.
"Go forth into the source" - Neal Morse "Hope is contagious"
-
It is a hassle I'm afraid, there is no official documentation on how to automate signing with an EV token. I only found a useful tip on StackOverflow after much searching. I don't have it at hand at the moment, tomorrow I will send you the link.
-
Automate Extended Validation (EV) code signing with SafeNet eToken: https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken
signtool sign /f mycert.cer /csp "eToken Base Cryptographic Provider" /k "[{{TokenPasswordHere}}]=KeyContainerNameHere" myfile.exe
To speed up the process and sign multiple files with timestamp in a directory I use this:
// token PIN in the [{{...}}] form the eToken CSP expects; it is prefixed to the key container name below
string pw = @"[{{MyPassword}}]";
string signToolMs = @"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe";
// SHA-256 file digest, RFC 3161 timestamp, public cert file, eToken CSP and "[{{pin}}]=container" key spec
string command = $"sign /fd sha256 /tr http://timestamp.sectigo.com /td sha256 /f \"z:\\Certificate.cer\" /csp \"eToken Base Cryptographic Provider\" /k \"{pw}=Sectigo_12345678\" file1.exe file2.dll";
ProcessRun(signToolMs, command, dirName); // the poster's own process-launching helper, not shown
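The batch signing above in a form that also verifies what the token just signed, as an added example that is not the poster's ProcessRun helper (which is not shown); the signtool path and CSP name are the ones in the post, while the certificate path, key container, PIN, timestamp URL and directory are assumed caller-supplied values.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;

// Added example, not the poster's ProcessRun helper. The CSP name and the
// "[{{pin}}]=container" /k syntax are from the StackOverflow tip quoted above.
static class TokenSigner
{
    // Assumed install path (same as in the post); adjust for your Windows Kits version.
    const string SignTool = @"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe";
    const string Csp = "eToken Base Cryptographic Provider";

    static int RunSignTool(string args, string workDir)
    {
        var psi = new ProcessStartInfo(SignTool, args)
        {
            WorkingDirectory = workDir, UseShellExecute = false,
            RedirectStandardOutput = true, RedirectStandardError = true,
        };
        using var p = Process.Start(psi)!;
        var err = p.StandardError.ReadToEndAsync();   // drain stderr concurrently, avoids a pipe deadlock
        string output = p.StandardOutput.ReadToEnd() + err.Result;
        p.WaitForExit();
        Console.WriteLine(output);   // log signtool's report, never the command line: it carries the PIN
        return p.ExitCode;
    }

    // Signs every .exe/.dll in dir in one signtool call, then verifies each file.
    // Returns the file names that failed to verify, so the caller can stop the deployment.
    public static string[] SignAndVerify(string dir, string certPath, string container,
                                         string tokenPin, string tsaUrl)
    {
        string[] files = Directory.EnumerateFiles(dir)
            .Where(f => f.EndsWith(".exe", StringComparison.OrdinalIgnoreCase)
                     || f.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
            .Select(f => Path.GetFileName(f)!).ToArray();
        if (files.Length == 0) return files;

        // Plain (non-interpolated) strings keep the literal [{{ }}] that the eToken CSP expects.
        // The PIN ends up on the process command line, readable by other local users of the signing PC.
        string keySpec = "[{{" + tokenPin + "}}]=" + container;
        string quoted = string.Join(" ", files.Select(f => "\"" + f + "\""));
        string signArgs = "sign /fd sha256 /tr " + tsaUrl + " /td sha256 /f \"" + certPath + "\" " +
                          "/csp \"" + Csp + "\" /k \"" + keySpec + "\" " + quoted;
        if (RunSignTool(signArgs, dir) != 0) return files;   // batch failed: treat nothing as signed

        // /pa = default Authenticode policy; non-zero exit means no valid chained, timestamped signature.
        return files.Where(f => RunSignTool("verify /pa /v \"" + f + "\"", dir) != 0).ToArray();
    }
}
```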
-
Went through that fun last year. We chose to use Azure Key Vault to store the cert, which meant switching from signtool to AzureSignTool (vcsjones/AzureSignTool). Which then meant switching from Squirrel.Windows to Clowd.Squirrel, since the former offers no way to customize the signing tool path used. And it looks like we may now need to switch to the updated tool, velopack, since Clowd.Squirrel is effectively in maintenance mode now. Oh, and the build time went up drastically, since the tool now has to send each file to be signed up to Azure, wait for Azure to sign it, then download the signed copy. :sigh:
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Woo hoo! Thanks for this.
The difficult we do right away... ...the impossible takes slightly longer.