EV code signing certificate
Colin
10-07-2021, 09:39 AM
After spending all day struggling with this I finally managed to code sign from the command line with my new Sectigo EV dongle. What eventually worked for me was to install the certificate while logged in as administrator and under the local machine store: Trusted Packaged App Installation Authorities. But so far I've been unable to make hardware code signing work from within SetupBuilder. I really miss the convenience of this so does anyone happen to have a magic incantation please?
linder
10-07-2021, 12:35 PM
Hi Colin,
assuming you have already installed SafeNet.
A "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).
For example: EVCS://subject name
where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.
Leave the password blank because SafeNet handles it.
Does this help?
Friedrich
Colin
11-01-2021, 03:45 AM
Hi Friedrich. No, unfortunately the EVCS macro doesn't work for me. For the Sectigo hardware dongle to work I had to install the certificate while logged in as administrator and under the local machine store: Trusted Packaged App Installation Authorities. In the next release would it be possible to directly setup the signtool command line please?
Thanks.
PS. Sorry about the delay in my reply. Broken by my recent Sectigo experience (3 weeks, customers more irate by the day), I took time off to build a greenhouse.
linder
11-01-2021, 06:12 AM
Hi Colin,
hmmm, as far as I know, only SafeNet can handle EV certificates?! I checked this with Sectigo support some time ago and they told me that only SafeNet can handle it.
What exact command line switches are you using to code-sign with your EV certificate from signtool.exe (which version)?
Thank you!
Friedrich
Colin
11-01-2021, 03:15 PM
Hi Friedrich,
Yes, the SafeNet app must be running for the EV dongle to work. It pops up a dialog for me to enter my password. I guess Sectigo did some deal.
Here is my signtool command, latest version as installed with Visual Studio, run from Powershell in administrator mode because of the location of the certificate.
signtool sign /debug /n "VSProwess Ltd" /tr http://timestamp.comodoca.com /td SHA256 /fd SHA256 "D:\vsSource\SetupBuilder\VSProwessX\VSProwessX_setup_2X.X.exe"
FYI: it is important to check the timestamp was correctly applied. signtool appears to fail silently if the timeserver is not available and eventually you'll discover that your exe unexpectedly has a shelf life.
Thanks for looking at this.
linder
11-01-2021, 03:35 PM
Hi Colin,
I checked this with two SetupBuilder developers this morning. They are using Sectigo EV (hardware dongle!!) without any problem.
https://www.churnite.com/knowledge/content/digicertknowledgebase/en/us/solution/SO20695.html
So the million-dollar question is, what causes the issue on your environment...
1. Open SafeNet Authentication Client Tools.
Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
2. Click the Advanced View icon (gold gear).
3. In the menu tree in the left pane, select Client Settings.
4. In the right pane, select the Advanced tab.
5. On the Advanced tab, select the Enable single logon option.
6. Click Save.
7. To activate the single logon feature, log off from the computer and log on again.
Friedrich
Colin
11-02-2021, 10:56 AM
Hi Friedrich,
Thanks, it's good to know someone has gotten this to work. I enabled SafeNet single log-on but sadly still no joy. I'll persevere but FYI here is the error message:
Processing Uninstall Code-Signing...
Adding Digital Certificate to Uninstall...
Resolve CSI...
SIGNTOOL
SVER: 10.0.19041.685
EVCS: VSProwess Ltd [6]
SHA2: 1
Compiler error GEN1053: Code signing process failed. Error Code: 1
signtool error code 1 just means that it didn't work. Perhaps include the debug flag in the next version to enable a more useful error message, and also log the expanded signtool command line. Anyway, thanks for looking at this. SetupBuilder is, by the way, an extremely useful tool, much appreciated here. This is the first snag I've hit in almost 10 years of using SB.
Colin
Colin
12-27-2021, 08:50 AM
I'm still struggling with this problem. I wonder if it might be simply because for the EVCS "subject name" I used my company's name, but this includes a space character? Would be useful if EVCS macro could include the signtool debug option please?
linder
12-27-2021, 09:51 AM
Hi Colin,
you have to use the name that you see in the certificate store! It does not make a difference whether you export a PFX to the store or use an EV CS.
Code-signing is completely handled through signtool.exe (and SafeNet for EV certificates). SetupBuilder itself just passes the required parameters to signtool, nothing more or less.
Friedrich
linder
12-27-2021, 10:04 AM
BTW, in the upcoming SetupBuilder 2022 you can see the error messages (in a human-readable form) returned from signtool.exe. This is not possible in SetupBuilder 2019. signtool.exe only returns an error code value when called from a Windows API.
Another idea: try to develop a small application that uses the ShellExecute Windows API to execute the signtool.exe and let it code-sign a test.exe (do NOT use the command line or a batch!). This is exactly what the SetupBuilder compiler is doing. It calls signtool.exe via ShellExecuteA and passes the required switches and parameters. IMO, this will also fail in your case (because SafeNet might not be correctly configured?!). From the calling program's point-of-view, there is no difference between signing with a PFX or an EV certificate.
Friedrich
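As an added example (not code from the thread, from SetupBuilder or from Sectigo), this PowerShell script does what Friedrich suggests and what Colin's earlier post warns about: it launches signtool.exe as a child process so the exit code is observable, then checks independently that a timestamp countersignature actually landed, since signtool can return success without one. The subject name, timestamp URL and file path are placeholders; it assumes signtool.exe from the Windows SDK is on PATH and that Get-AuthenticodeSignature surfaces the RFC3161 timestamper certificate (it does on current Windows PowerShell and PowerShell 7).

```powershell
# Added example, not from the thread. Placeholder values: replace before use.
param(
    [string]$File     = 'D:\path\to\setup.exe',        # placeholder: file to sign
    [string]$Subject  = 'Example Publisher Ltd',       # placeholder: "Issued to" name in the store
    [string]$TsaUrl   = 'http://timestamp.example',    # placeholder: RFC3161 timestamp server
    [string]$SignTool = 'signtool.exe'                 # assumes Windows SDK signtool on PATH
)

# Same switches the thread uses: select the cert by subject name (/n), RFC3161
# timestamp (/tr), SHA-256 for both the file digest and the timestamp digest.
# Quoting the subject and path keeps embedded spaces intact in the child process.
$stArgs = @('sign', '/n', "`"$Subject`"", '/tr', $TsaUrl,
            '/td', 'SHA256', '/fd', 'SHA256', "`"$File`"")

# Run signtool as a child process and wait, exactly as a calling program would;
# the exit code is the only thing it reports back without /debug.
$proc = Start-Process -FilePath $SignTool -ArgumentList $stArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "signtool exited with code $($proc.ExitCode); re-run with /debug for details"
}

# Verify the result independently of signtool's exit code.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($null -eq $sig.TimeStamperCertificate) {
    # No countersignature: the file only validates until the signing cert expires,
    # the "unexpected shelf life" described in the thread.
    throw 'Signed, but no timestamp was applied; retry with a reachable timestamp server'
}
"Signed by      : $($sig.SignerCertificate.Subject)"
"Timestamped by : $($sig.TimeStamperCertificate.Subject)"
```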
linder
12-27-2021, 10:11 AM
I'll setup a test machine where we have "VSProwess Ltd" as subject name to see if the space character makes a difference...
Friedrich
Colin
02-09-2022, 07:46 AM
Hi Friedrich,
Stand down. EV hardware code-signing is presently working here. The problem was actually with the time-stamping. SignTool seems not to be waiting long enough for the time-server. Fortunately we can live without time-stamps for now because our EV certificate still has a good 2 years left on the clock.
Thank you very much for your support and for all of your good work on SetupBuilder.
Regards,
Colin Humphries
VSPROWESS LTD
linder
02-09-2022, 09:03 AM
Colin,
interesting! Thanks so much for the information and your kind words !!!
Friedrich