PDA

View Full Version : Cannot use codesigning with in cloud certificate



ccordes
08-28-2024, 09:23 AM
Hello,
Is there any way that SB could use the thumbprint of the certificate rather than the PFX and password?
Signtool works perfectly using the /SHA1 tag and the certificate thumbprint. Everything else is the same. I always thought that it shells out or calls signtool to codesign itself.
Right now I have it working by turning off the Add a Digital Signature, Installer Integrity Check and Verify Code-Signed At Startup.
FYI - I have the same problem in anything that auto-codesigns during/after a compile.
Is there another work around for this?

Thanks :)

linder
08-28-2024, 09:38 AM
Hello,

yes, we have completely rewritten the code-signing stuff in the new version. We are using the thumbprint now. BTW, we are waiting for our new Microsoft Thrusted Signing access. After that, we'll finish development of the code-signing module. We have an EV code-signing and an EV in the cloud certificate now and it's working fine!

I'll keep you posted. It would great, if you could test it when available.

Friedrich

ccordes
08-28-2024, 09:59 AM
That's sounds great!
I don't have an EV certificate, it's a standard one, but it still has the keys in the cloud.

Let me know whenever you're ready.

linder
08-28-2024, 11:18 AM
I think a standard (cloud) certificate should work fine, too. Just the identity background check for EV is different.

I'll come back to you when I am ready with the new code-signing module.

Thank you for your help!

Friedrich

Geoff Thomson
10-16-2024, 01:38 AM
We're purchasing a yubikey with our next certificate. Does SB require the HSM model for signing, or is it possible to use a yubikey for certificate authentication?
If not, we'll be using the yubikey just to sign the exes and dlls (using ECDSA, which I understand signtool supports) within the install, and then then install itself via HSM. I presume that having signed the exes and dlls with the yubikey won't affect the signing of the install using HSM (RSA). Is that correct?

linder
10-16-2024, 05:37 AM
Hi Geoff,

We can use our EV certificate (valid until August 2027) powered by a HSM in the current SetupBuilder version. When you have received yours, please let me know and we can configure it.

BTW, the upcoming SetupBuilder 2025 supports Cloud based (EV) code-signing certificates and Microsoft Trusted Signing...

Friedrich

Geoff Thomson
10-16-2024, 07:16 AM
OK. Thanks.

So if I understand correctly, you're not planning on implementing ECDSA signing with a yubikey?

linder
10-16-2024, 08:11 AM
Hi Geoff,

as I understand it, ECDSA certificates work with signtool. So I think, we can implement it (if it does not already work). Yubikey is just hardware authentication device, so IMO it should work fine.

When you have received the certificate with the hardware, please let me know and we can work on it (or test what we already have implemented in SB 2025).

What do you think?

Friedrich

linder
10-16-2024, 10:06 AM
Hi Geoff,
BTW, the upcoming SetupBuilder 2025 supports Cloud based (EV) code-signing certificates and Microsoft Trusted Signing...


BTW, HSM is supported too.

Friedrich

Unregistered
10-18-2024, 03:58 AM
OK. Thanks.