PDA

View Full Version : Code signing



NewsArchive
09-28-2013, 07:12 AM
I think that in order to make the end user more comfortable downloading
and installing a unknown application it is now necessary to have a code
signing certificate.

That said, the process is a real PIA and I am stuck getting the .spc and
..pvk out of a comodo certificate I purchased through SetupBuilder (good
Value)

SO,

Does anyone Know of a utility to extract those files from the
Certificate, why the mystery after you have been verified as legitimate?

Bill

NewsArchive
09-28-2013, 07:12 AM
I feel your pain. <G>

Gave up on that approach but I ended up using SignTool. It must be
downloaded as part of the Windows SDK Much easier when things work. From an
earlier post:

Here's what I learned!
~~~~~~~~~~~~~~~~~~
1. The Group is awesome. Couldn't have done it without your help.
Especially Friedrich, David Troxell and John Grffith. Thanks a million
guys.

2. When downloading the SDK to Win 7 64 the download will/could fail if you
have recent versions of C++ installed. Thanks Friedrich for pointing this
out. I deleted the newer versions and all went well.

3. The default folder that MS installs signtool.exe in is the 64 bit
program folder. If you access it there from SB it did not work (for me).
But copying signtool.exe to C:\Program Files (x86)\Lindersoft\SetupBuilder 8
Developer\Lib\signtool.exe solved the problem. Thanks David for filling in
that piece of the puzzle.!

There is just one signtool.exe but it has to be in the right spot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Much easier than the other way.

Lynn Howard

NewsArchive
09-28-2013, 07:13 AM
How to purchase and use Code Signing Certificate

1. Ensure that you are using the same browser and computer for
purchasing and also subsequently retrieving (after identity validation
by Comodo, they will inform that certificate is ready for collection.

2. If using FireFox, after collection, Firefox will register your
Certificate in its Certificate Manager (Internet Explorer as the browser
of choice for ordering your certificate). To get to the Certificate
Manager, open Firefox, select Tools in the menu and then select Options.

3. Click to view all the available certificates.

4. Click on to backup your Code Signing Certificated collected. Save
file as aapr4.p12.

5. The browser security will prompt for Backup password. Ensure to
write down the backup password entered.

6. If Firefox browser is being used, you will not get a credentials
(.spc) or a private key file (.pvk). With the aapr4.p12 file, you will
have to convert the .p12 into .spc and .pvk files.

7. Your only option is to Backup the certificate. This will create a PFX
file; however, firefox saves the file as a *.p12 file. If a PFX file is
required, you may rename the *.p12 into PFX extension. But for
Lindersoft SetupBuilder tow work, you will have to create the .spc and
..pvk files. Note: The password you use for the backup is the password
you will use for the certificate in all of the following steps and in
SetupBuilder.

8. Once you have your backup file you need to use some other tools to
produce your credentials file and private key file. To export your
private key and software publishing certificate from the .pfx file you
need the OpenSSL tools (Win32OpenSSL_Light-1_0_1e.EXE). You can download
a ready compiled Windows binary package from Shining Light Productions.
The 'light' package is all you need.

9. The OpenSSL utility will export the private key to an OpenSSL .pem
format file. The .pvk private key format required by the code signing
tools is a Microsoft proprietary format which OpenSSL does not support.
Dr. Stephen N Henson, an OpenSSL consultant in the UK, has
reverse-engineered the .pvk file format and developed a conversion
utility which you can download here. In case you should have trouble
accessing the server it is also mirrored here. The utility is contained
in a Zip archive and you simply need to extract it to the same folder as
the OpenSSL tools.

10. Exporting the files
Having downloaded and installed the conversion tools, you are ready to
export your code signing certificate and private key file from the .pfx
(.p12) file. The commands given below assume that the location of the
conversion tools has been added to the PATH environment variable.
Otherwise you should type the full path to each program.

In the examples we will also assume that the .pfx (.p12) file name is
mycert.pfx (mycert.p12) and that the desired output filenames are
mykey.pvk and mycert.spc. You may, of course, substitute other names if
you so wish, and specify a full path if the files are located in a
different folder. Remember to quote the paths to the files if they
contain spaces.

11. Exporting the private key
First export the private key to an OpenSSL .pem format file.

openssl.exe pkcs12 -in mycert.p12 -nocerts -nodes -out mykey.pem

You will be asked for the password of the private key file, if you
specified one.

Now you use Dr. Henson's conversion utility to convert the .pem file
into the proprietary Microsoft .pvk format.

pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk

That takes care of the private key file.

12. Exporting the software publishing certificate
Converting your code signing certificate into a software publishing
certificate .spc file is also a two stage process. First, the
certificate is exported to an OpenSSL .pem format file, and then this is
converted to the final .spc format.

openssl.exe pkcs12 -in mycert.p12 -nokeys -out mycert.pem
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out
mycert.spc

Again, you will be asked for the password of the private key file if you
specified one.

13. You now have a .pvk and .spc pair which you can use to digitally
sign executables using signcode.exe. The intermediate .pem files created
during the conversion are no longer needed, and may be deleted.

Kelvin Chua

NewsArchive
09-28-2013, 07:13 AM
Or if you want to access my site directly...

http://www.aapr4.com/howtocodesign.htm

Thanks.

Kelvin Chua
SINGAPORE

NewsArchive
09-28-2013, 07:14 AM
Kelvin,

Just a quick comment ;-)

The following is not correct:

> But for Lindersoft SetupBuilder tow work, you will have to create the
> .spc and .pvk files. Note: The password you use for the backup is the
> password you will use for the certificate in all of the following steps
> and in SetupBuilder.

Of course, SetupBuilder supports certificates in form of .PFX and .PVK/.SPC
;-)

http://www.lindersoft.com/CodeSign.pdf

http://www.lindersoft.com/forums/showthread.php?t=36060

http://www.lindersoft.com/forums/showthread.php?p=69545#post69545

There is no need to convert the .PFX into the .PVK/.SPC format.

Friedrich

NewsArchive
09-28-2013, 07:14 AM
Dear Mr. Morris,

> That said, the process is a real PIA and I am stuck getting the .spc and
> ..pvk out of a comodo certificate I purchased through SetupBuilder (good
> Value)

You already *have* the certificate in form of the .PVK. You forgot to
switch your Authenticode code-signing process to SignTool.exe.

In my last support email I wrote:

---
>> Okay, here is your "problem". You have a "billwithprivatekey.pfx" but
>> you
>> are using SignCode.exe to code-sign. You need SignTool.exe to use
>> certificates in the .pfx format.
>>
>> So you only have to change (see screenshot you sent) the "SignCode.exe or
>> SignTool.exe Location" entry field to the SignTool.exe location (at the
>> moment you still have set it to SignCode.exe) and you are done ;-) This
>> will then switch Microsoft Authenticode to the .PFX format.
>>
>> Does this help?
---

> Does anyone Know of a utility to extract those files from the
> Certificate, why the mystery after you have been verified as legitimate?

Why 'extract'? The .PFX *is* your certificate!

1. Add "billwithprivatekey.pfx" to the "PFX File" entry (see attached
screenshot "Bill1.PNG" taken from one of your support emails).

2. Add the fully qualified path to your SignTool.exe utility in "Tools" |
"Options..." | File Locations tab. See attached "Bill2.PNG".

That's it. Compile and you are done.

Best Regards,

:-( :-( :-( :-(

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
09-30-2013, 11:02 AM
Sir.

Use the Code Signing Utility from Intel Corp.

No need to use the PFX, it will use the installed certificate.

It makes everything as easy as drag and drop.

http://software.intel.com/en-us/articles/app-signing-tool-download

Jesus Cortes

NewsArchive
09-30-2013, 11:03 AM
Jesus,

> Use the Code Signing Utility from Intel Corp.
>
> No need to use the PFX, it will use the installed certificate.
>
> It makes everything as easy as drag and drop.
>
> http://software.intel.com/en-us/articles/app-signing-tool-download

No, that is not correct. It's *not* possible to use the Code Signing
Utility from Intel in this scenario.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner

NewsArchive
09-30-2013, 11:03 AM
Of course, it should read: "...You already *have* the certificate in form of
the .PFX..."

Sorry for that.

Friedrich

NewsArchive
10-01-2013, 03:17 AM
Sir. you are right, I use a different installer. The Code Signing
Utility from Intel is able to use a PFX certificate or to use the
installed Certificate. I use Wininstall and I just drag and drop the
installer and it gets signed. I also sign the original exe file.
Sometimes I need a program to run as Administrator and this is the only
way a user will trust such elevation.

Jesus Cortes

NewsArchive
10-01-2013, 03:18 AM
Jesus,

> Sir. you are right, I use a different installer. The Code Signing Utility
> from Intel is able to use a PFX certificate or to use the installed
> Certificate. I use Wininstall and I just drag and drop the installer and
> it gets signed. I also sign the original exe file. Sometimes I need a
> program to run as Administrator and this is the only way a user will trust
> such elevation.

If you are using a fully automated environment (companies are using the
SetupBuilder compiler to embed manifests and then code-sign hundreds and
thousands of files in a nightly build process) then drag and drop is not an
option. SetupBuilder does all this quietly behind the scenes.

A major drawback of the Intel tool is its dependencies. It's a .NET
application and requires Microsoft .NET framework 4 and Microsoft Visual C++
2010 SP1 Redistributable Package.

Intel's idea of providing an alternative to the M$ code-signing tools was
most welcome. But unfortunately, their solution can't be used in a
professional environment. I was in contact with Intel some time ago to
discuss a native Win32/Win64 port of their tool. But their solution is
purely .NET and they don't expect an enhanced Win32/Win64 version anytime
soon :-(

BTW, as an additional note. Of course, the Microsoft tool can also
code-sign directly from the certificate store. But 100% (I hope <g>) of all
developers have at least one backup of their certificate in form of .PFX or
.PVK/.SPC. Once the certificate gets lost it can't be recovered.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner