Announcement

Collapse
No announcement yet.

Code signing from Token

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Code signing from Token

    Updated my Code Signing cert yesterday after my 3 year cert expired. But things have changed and the new cert is stored on a USB Smart Card (token). So today I am scratching my head about how I can use this like I did with .pfx... signing from within Setup Factory.

    Any ideas?
    ArtistScope - Copy Protection & DRM Software

  • #2
    I answered this here. Perhaps this helps.

    Ulrich

    Comment


    • #3
      The process seems to be the same, ie: running SignTool from the Windows SDK. The only change needed is being able to select a cert from the Store (instead of path to PFX) which is where the USB token can be found.
      ArtistScope - Copy Protection & DRM Software

      Comment


      • #4
        If it is any help a good video tutorial is at
         
        ArtistScope - Copy Protection & DRM Software

        Comment


        • #5
          The SafeNet Authentication Client that you see in the video is merely the USB Driver prompting for password when required.

          The command-line used would be like:
          Code:
          cd C:\Program Files (x86)\Windows Kits\8.1\bin\x86\
          signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 MyApp.exe
          ArtistScope - Copy Protection & DRM Software

          Comment


          • #6
            I am looking forward to a followup and solution for this problem. Having to use Signtool separately after each SUF compile is a RPIA.

            More and more developers must now be forced to use Cert Tokens because PFX certs are no longer issued. Now all of must use Tokens as our certs get renewed.

            Most developers like myself will only have one cert and after installing the token software, that cert will be installed as the default code-signing cert. I'll upload a short video soon showing how easy it is to locate.
            ArtistScope - Copy Protection & DRM Software

            Comment


            • #7
              This video show SignTool using the Token cert. As you can see it finds and loads the default cert no problem. Surely the SUF codesign option can be modified to do this... after all PFX certs are now obsolete. Also, a good reason for everyone to have to upgrade SUF to the latest version :-)

              https://artistscope.com/test_codesign.asp

              If you don't have a Token cert and that is the reason for not being able to write/test a new script, I am willing to make my desktop available via TeamViewer to help.

              ArtistScope - Copy Protection & DRM Software

              Comment


              • #8
                Assuming you're using a version of SUF that supports SHA-256 signing, you should still be able to sign within SUF using SignTool (or another third party tool) instead of separately even without a certificate file. So in that case you would just leave it blank and specify the arguments you want to pass to SignTool in the "Additional arguments" field. You can find further information in SUF's help topic for the dialog:

                https://www.indigorose.com/webhelp/s...de_Signing.htm

                You can also find SignTool's supported arguments at the following page:

                https://docs.microsoft.com/en-us/win...rypto/signtool

                When building you can see the full command passed to SignTool in the setup's build log for debugging purposes. So if it isn't working, perhaps you can provide further information about what you are using and what's occurring.

                Comment


                • #9
                  I think that you guys are missing my point that I am NOT using a PFX and therefore cannot sign my application from SUF.

                  These days I have to use a USB Smart Card (token) because to sign Windows drivers for Windows 10 that is the minimum requirement.
                  ArtistScope - Copy Protection & DRM Software

                  Comment


                  • #10
                    As you can see in the video above, code-signing using a SafeNet Token is easy. In fact I have an easier method than depicted in the video... instead of using SignTool, I use SignCode which does the job in a few clicks. No need to locate the the signing exes as I use a dedicated folder at C:\Signcode and copied the EXEs to that folder (they are portable). Using Signcode.exe, it opens as a GUI where you can select the file, the cert and the timestamp URL... much quicker.

                    But none of this or the above solves the problem that I originally posted!

                    Why can't the code-signing be done from SUF at the end of the build process???
                    ArtistScope - Copy Protection & DRM Software

                    Comment


                    • #11
                      Why can't the code-signing be done from SUF at the end of the build process?
                      ArtistScope - Copy Protection & DRM Software

                      Comment


                      • #12
                        It can, as I pointed out in my first reply: Use the Run After Build project setting to invoke the program or batch file.

                        Ulrich

                        Comment


                        • #13
                          This is SUF... where is "Run after Build" exactly?
                          ArtistScope - Copy Protection & DRM Software

                          Comment


                          • #14
                            https://www.indigorose.com/webhelp/s...Post_Build.htm

                            Click image for larger version

Name:	SCRN-2019-07-18-01.png
Views:	316
Size:	22.5 KB
ID:	303578

                            Ulrich

                            Comment


                            • #15
                              Here is another approach for using a token for the code signing procedure. Create a batch file named codesign-helper.bat with this content:

                              Code:
                              @ECHO OFF
                              D:\proper-path-to\signtool.exe sign %1 %2 %3 %4 %5 %6 %7
                              where D:\proper-path-to\ is the actual path to the folder where signtool.exe is stored. Assuming that you saved this file in the same folder as the project file, you can use these settings in Setup Factory: Click image for larger version

Name:	SCRN-2019-10-10-01.png
Views:	413
Size:	35.8 KB
ID:	304024


                              The batch file will be called during the build process, and starts signtool.exe with the arguments passed by Setup Factory, such as

                              /a /t [SHA-1 timestaming url] [full path of *.tmp file]
                              /
                              a /tr [SHA-256 timestaming url] /td sha256 [full path of *.tmp file]

                              In both cases, as long as the token is recognized as the default certificate via the /a parameter, you should be prompted for the token access password, and the process should continue. You will be prompted a few times for the password, as the installer runtime, the uninstaller, and the self-extractor are all signed in the same way.

                              Ulrich
                              Last edited by Ulrich; 12-11-2019, 01:58 PM.

                              Comment

                              Working...
                              X