PDA

View Full Version : How to code sign with new EV usb tokem?



torrid
01-18-2023, 10:47 PM
I just got one and it requires Safenet Auth to access drive.
You cannot copy it and it is not a pfx file.

I have a microsoft signtool command I can run to sign but wondering if I can
get SB to use this so I don't have to manually do it on every build.

I did search the forums and did not find anything other than your announcement
about getting EV certs through you at a discount.

Regards,
-Tim

linder
01-19-2023, 08:53 AM
Tim,

a "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).

For example: EVCS://subject name

where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.

Leave the password blank because SafeNet handles it.

IIRC, you have to do the following to configure the SafeNet thing:

1. Open SafeNet Authentication Client Tools.
Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
2. Click the Advanced View icon (gold gear).
3. In the menu tree in the left pane, select Client Settings.
4. In the right pane, select the Advanced tab.
5. On the Advanced tab, select the Enable single logon option.
6. Click Save.
7. To activate the single logon feature, log off from the computer and log on again.

Does this help?

Friedrich

torrid
03-06-2023, 10:55 PM
Friedrich,
No can't get it to work.
I get GEN1053: Code signing process failed. Error Code: 1

The PFX File field is set to: EVCS://Torrid Technologies, Inc.
and that's the exact Issued to: text in the certificate.
Safenet is indeed running and the certificate is listed on the SafeNet Client tools screen with that same text.

I had gone through the 1-7 steps. I have Enable single logon checked.
Do I also need to check Enable single logon for PKCS#11 ???

Not sure what else to try. I can sign the installer exe from the terminal command line as my backup but would be nice not to have to do that step.

-Tim

linder
03-07-2023, 03:10 AM
Hi Tim,

what command line arguments are you using? And did you leave the password field in SB blank?

Friedrich

torrid
03-07-2023, 10:19 PM
Hi,
I dont think I am using any command line arguments. Your instructions did not mention that... or maybe I missed it.

And YES left the password field blank.

Was going to show screenshot but pasting in here does not work and the image icon lets me select file from computer but
then there is no button to OK and paste it in.

-Tim

linder
03-08-2023, 01:50 AM
Hi Tim,

sorry for the confusion. You mentioned you can sign the installer exe from the terminal command line. What command line arguments are you using?

BTW, it's not a good idea to manually code-sign your installer because you'll miss the uninstaller signing.

Friedrich

P.S. Uploading screenshots here works without any problem.

torrid
01-22-2024, 04:56 PM
Friedrich,
Sorry I never saw your response from last year.
Now tackling same issue this year.
If I run this in cmd terminal, it does pop up asking password and succeeds:

"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool" sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Torrid Technologies, Inc." /a "E:\TorridDataDrive\__PLANCUR\Xojo\RetirementView.e xe"

I have attached screenshot of the SB10 digital signature settings as well as a screenshot of the failed output.

5145
5146

torrid
01-24-2024, 10:41 AM
Anything to try to solve this?

torrid
02-12-2024, 10:11 AM
@Friedrich any additional thoughts on this???

pproducts2
02-12-2024, 11:42 AM
Hi

I just got a new code sign certificate and having the exact same issue.
Is there a step by step guide on the instructions on how to install it and then use it in setupbuilder.

Thanks
Greg

pproducts2
02-12-2024, 12:13 PM
Hi

I got it running by using safenet to install the certificate to the local user.
I originally installed it to local machine.

All works fine now using the global sha-1 only setting in the setupbuilder global options.

Greg

torrid
02-13-2024, 12:04 PM
Good for you Greg. Thanks for circling back.
Long story but I had safenet working and unlocked the cert but now can't get safenet to work.
Told to uninstall and reinstall and it no longer works. Sectigo cust support tried a couple of calls
and then ended with can't help me due to "problem with my computer". So it's fun.
If issue is that I need to install cert for local user and I did not then I am stuck.
Any idea how to check that?
-Tim

pproducts2
02-16-2024, 10:34 AM
I tried it again today and it is no longer working and I have no idea why.
This needs to be fixed or we need some clear instructions on how to get it to work.

pproducts2
02-19-2024, 12:18 PM
I have not been able to get hold of anyone from setupbuilder support but here is what I have found out.
You have to put in your password the first time you sign a file after you log into your computer. It does not work from setupbuilder so you have to do it elsewhere.
The script you are using with signtool works ok for it.
So what I did was make a .bat file to use signtool to sign a single file and it will popup a message to enter the password.
After you enter it for the first time setupbuilder will work fine until you log out of your computer.
I called Sectigo and they confirmed I would need do it this way.
Hopefully someone from setupbuilder will fix this.

Greg

arrigob
05-23-2024, 12:54 PM
I just got mine yesterday. For the ones that have had issues, did you open the SafeNet Authentication client and logon to the token? That was the only other step that I did that was not listed here. It came in the instructions from Sectigo. One I did that, I then followed the steps above. Then I restarted my workstation and attempted to compile an installer. Worked like a charm.