Announcement

**Ulrich** · 07-05-2018, 07:16 AM

I answered this here. Perhaps this helps.

Ulrich

**artistscope** · 07-18-2018, 04:55 PM

The process seems to be the same, ie: running SignTool from the Windows SDK. The only change needed is being able to select a cert from the Store (instead of path to PFX) which is where the USB token can be found.

**artistscope** · 07-18-2018, 05:47 PM

If it is any help a good video tutorial is at

**artistscope** · 07-18-2018, 05:51 PM

The SafeNet Authentication Client that you see in the video is merely the USB Driver prompting for password when required.

The command-line used would be like:

Code:

cd C:\Program Files (x86)\Windows Kits\8.1\bin\x86\
signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 MyApp.exe

**artistscope** · 01-02-2019, 03:10 PM

I am looking forward to a followup and solution for this problem. Having to use Signtool separately after each SUF compile is a RPIA.

More and more developers must now be forced to use Cert Tokens because PFX certs are no longer issued. Now all of must use Tokens as our certs get renewed.

Most developers like myself will only have one cert and after installing the token software, that cert will be installed as the default code-signing cert. I'll upload a short video soon showing how easy it is to locate.

**artistscope** · 01-02-2019, 04:29 PM

This video show SignTool using the Token cert. As you can see it finds and loads the default cert no problem. Surely the SUF codesign option can be modified to do this... after all PFX certs are now obsolete. Also, a good reason for everyone to have to upgrade SUF to the latest version :-)

404 - File or directory not found.

https://artistscope.com/test_codesign.asp

If you don't have a Token cert and that is the reason for not being able to write/test a new script, I am willing to make my desktop available via TeamViewer to help.

**Darryl** · 01-09-2019, 07:46 AM

Assuming you're using a version of SUF that supports SHA-256 signing, you should still be able to sign within SUF using SignTool (or another third party tool) instead of separately even without a certificate file. So in that case you would just leave it blank and specify the arguments you want to pass to SignTool in the "Additional arguments" field. You can find further information in SUF's help topic for the dialog:

Code Signing

https://www.indigorose.com/webhelp/suf9/Program_Reference/Build_Settings/Code_Signing.htm

You can also find SignTool's supported arguments at the following page:

SignTool - Win32 apps

https://docs.microsoft.com/en-us/windows/desktop/SecCrypto/signtool

Learn how to use SignTool, a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files.

When building you can see the full command passed to SignTool in the setup's build log for debugging purposes. So if it isn't working, perhaps you can provide further information about what you are using and what's occurring.

**artistscope** · 06-17-2019, 06:51 AM

I think that you guys are missing my point that I am NOT using a PFX and therefore cannot sign my application from SUF.

These days I have to use a USB Smart Card (token) because to sign Windows drivers for Windows 10 that is the minimum requirement.

**artistscope** · 07-01-2019, 04:06 PM

As you can see in the video above, code-signing using a SafeNet Token is easy. In fact I have an easier method than depicted in the video... instead of using SignTool, I use SignCode which does the job in a few clicks. No need to locate the the signing exes as I use a dedicated folder at C:\Signcode and copied the EXEs to that folder (they are portable). Using Signcode.exe, it opens as a GUI where you can select the file, the cert and the timestamp URL... much quicker.

But none of this or the above solves the problem that I originally posted!

Why can't the code-signing be done from SUF at the end of the build process???

**artistscope** · 07-10-2019, 12:32 PM

Why can't the code-signing be done from SUF at the end of the build process?

**Ulrich** · 07-10-2019, 12:37 PM

It can, as I pointed out in my first reply: Use the Run After Build project setting to invoke the program or batch file.

Ulrich

**artistscope** · 07-18-2019, 01:48 AM

This is SUF... where is "Run after Build" exactly?

**Ulrich** · 07-18-2019, 02:44 AM

Pre_Post Build

https://www.indigorose.com/webhelp/suf9/Program_Reference/Build_Settings/Pre_Post_Build.htm

Ulrich

**Ulrich** · 10-10-2019, 01:57 PM

Here is another approach for using a token for the code signing procedure. Create a batch file named codesign-helper.bat with this content:

Code:

@ECHO OFF
D:\proper-path-to\signtool.exe sign %1 %2 %3 %4 %5 %6 %7

where D:\proper-path-to\ is the actual path to the folder where signtool.exe is stored. Assuming that you saved this file in the same folder as the project file, you can use these settings in Setup Factory:

The batch file will be called during the build process, and starts signtool.exe with the arguments passed by Setup Factory, such as

/a /t [SHA-1 timestaming url] [full path of *.tmp file]
/a /tr [SHA-256 timestaming url] /td sha256 [full path of *.tmp file]

In both cases, as long as the token is recognized as the default certificate via the /a parameter, you should be prompted for the token access password, and the process should continue. You will be prompted a few times for the password, as the installer runtime, the uninstaller, and the self-extractor are all signed in the same way.

Ulrich

Announcement

Code signing from Token

Code signing from Token

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment