Code signing from Token

  • artistscope
    replied
    Using the StevenS example I was getting an error... /d option requires a parameter. Yet I do have Description and Description URL set.

    The problem was too many parameters. So for SHA-256 I used...

    /a /as /v

    But I had to input the password twice, even though I didn't nominate SHA1... when I did do that I had to input password 4 times!
    Last edited by artistscope; 12-18-2020, 08:47 PM.


  • artistscope
    replied
    Originally posted by StevenS:
    had to make the helper batch file as follows:
    Can you please post the complete .bat file?


  • artistscope
    replied
    I have only just now got to catch up here.

    /a /t [SHA-1 timestaming url] [full path of *.tmp file]
    /a /tr [SHA-256 timestaming url] /td sha256 [full path of *.tmp file]

    Shouldn't that be "timestamping"?


  • StevenS
    replied
    FYI, for others coming here. If you need more parameters on your signtool command, you will have to modify this helper batch file.

    For my use, previously, I signed files with:
    Code:
    signtool.exe sign /a /s my /t http://timestamp.verisign.com/scripts/timstamp.dll /v %1
    signtool.exe sign /a /s my /fd SHA256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td sha256 /as /v %1
    To get this to work using SUF, I had to make the helper batch file as follows:

    Code:
    @ECHO OFF
    REM Capture the first five arguments (the SUF "Additional arguments") as one string.
    set adtl_args=%1 %2 %3 %4 %5
    REM Drop those five so the remaining arguments (timestamp options and the file path) move down into %1..%7.
    shift
    shift
    shift
    shift
    shift
    /path/to/signtool.exe sign %adtl_args% %1 %2 %3 %4 %5 %6 %7
    This was because on the SHA-256 signing, each of my additional arguments set up below got passed as a separate parameter to the batch file, which pushed it over the max of 9 arguments without using the shift command.

    My SHA-1 additional arguments are set up in SUF as:
    Code:
    /a /s my /v
    and my SHA-256 additional arguments are set up in SUF as:
    Code:
    /a /s my /as /v /fd SHA256
    This re-orders the parameters being sent to signtool but it did still work.


  • Ulrich
    replied
    Here is another approach for using a token for the code signing procedure. Create a batch file named codesign-helper.bat with this content:

    Code:
    @ECHO OFF
    D:\proper-path-to\signtool.exe sign %1 %2 %3 %4 %5 %6 %7
    where D:\proper-path-to\ is the actual path to the folder where signtool.exe is stored. Assuming that you saved this file in the same folder as the project file, you can use these settings in Setup Factory:

    (Screenshot attached: SCRN-2019-10-10-01.png)


    The batch file will be called during the build process, and starts signtool.exe with the arguments passed by Setup Factory, such as

    /a /t [SHA-1 timestaming url] [full path of *.tmp file]
    /a /tr [SHA-256 timestaming url] /td sha256 [full path of *.tmp file]

    In both cases, as long as the token is recognized as the default certificate via the /a parameter, you should be prompted for the token access password, and the process should continue. You will be prompted a few times for the password, as the installer runtime, the uninstaller, and the self-extractor are all signed in the same way.

    Ulrich
    Last edited by Ulrich; 12-11-2019, 02:58 PM.

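As an added example (not code from this thread, from Ulrich, StevenS or Setup Factory), here is a helper batch file that covers both Ulrich's one-line wrapper and StevenS's shift workaround: %* forwards every argument in the order SUF passes it, so the nine-argument limit never applies, and a signtool verify step afterwards makes a failed or missing signature fail the build instead of going unnoticed. The signtool.exe path is a placeholder, and the file path is assumed to be passed quoted if it contains spaces.

```batch
@ECHO OFF
REM codesign-helper.bat (added example, not from the thread or from Setup Factory).
REM Call it from SUF's code-signing hook or Run After Build exactly as the thread does;
REM the arguments SUF passes (e.g. /a /tr <url> /td sha256 <file>) arrive unchanged.
SETLOCAL ENABLEDELAYEDEXPANSION

REM Placeholder path: point this at the real signtool.exe from the Windows SDK.
SET "SIGNTOOL=D:\proper-path-to\signtool.exe"

IF "%~1"=="" (
    ECHO [codesign-helper] no arguments received
    EXIT /B 2
)

REM %* expands to every argument, so adding /s, /fd, /as, /v ... never pushes the
REM file path past %9 and no SHIFT juggling is needed.
ECHO [codesign-helper] running: "%SIGNTOOL%" sign %*
"%SIGNTOOL%" sign %*
SET "RC=%ERRORLEVEL%"
IF NOT "%RC%"=="0" (
    ECHO [codesign-helper] signtool sign failed, exit code %RC%
    EXIT /B %RC%
)

REM The file to sign is the last argument; walk the list to find it.
REM Assumes the path is quoted when it contains spaces (FOR splits on whitespace).
SET "TARGET="
FOR %%A IN (%*) DO SET "TARGET=%%~A"

REM Verify every signature (/all) against the default Authenticode policy (/pa) so
REM the build stops on an unsigned binary, a broken chain or a digest mismatch.
"%SIGNTOOL%" verify /pa /all /v "!TARGET!"
SET "RC=%ERRORLEVEL%"
IF NOT "%RC%"=="0" (
    ECHO [codesign-helper] signature verification failed for "!TARGET!"
    EXIT /B %RC%
)

ECHO [codesign-helper] signed and verified "!TARGET!"
ENDLOCAL
EXIT /B 0
```

Because the script returns signtool's own exit code, the build log shows the exact command that ran and the build fails at the first file that does not sign and verify.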

  • Ulrich
    replied
    (Screenshot attached: SCRN-2019-07-18-01.png)

    Ulrich


  • artistscope
    replied
    This is SUF... where is "Run after Build" exactly?


  • Ulrich
    replied
    It can, as I pointed out in my first reply: Use the Run After Build project setting to invoke the program or batch file.

    Ulrich


  • artistscope
    replied
    Why can't the code-signing be done from SUF at the end of the build process?


  • artistscope
    replied
    As you can see in the video above, code-signing using a SafeNet Token is easy. In fact I have an easier method than depicted in the video... instead of using SignTool, I use SignCode which does the job in a few clicks. No need to locate the signing EXEs as I use a dedicated folder at C:\Signcode and copied the EXEs to that folder (they are portable). Using Signcode.exe, it opens as a GUI where you can select the file, the cert and the timestamp URL... much quicker.

    But none of this or the above solves the problem that I originally posted!

    Why can't the code-signing be done from SUF at the end of the build process???


  • artistscope
    replied
    I think that you guys are missing my point that I am NOT using a PFX and therefore cannot sign my application from SUF.

    These days I have to use a USB Smart Card (token) because to sign Windows drivers for Windows 10 that is the minimum requirement.


  • Darryl
    replied
    Assuming you're using a version of SUF that supports SHA-256 signing, you should still be able to sign within SUF using SignTool (or another third party tool) instead of separately even without a certificate file. So in that case you would just leave it blank and specify the arguments you want to pass to SignTool in the "Additional arguments" field. You can find further information in SUF's help topic for the dialog:



    You can also find SignTool's supported arguments at the following page:

    SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and timestamps files.


    When building you can see the full command passed to SignTool in the setup's build log for debugging purposes. So if it isn't working, perhaps you can provide further information about what you are using and what's occurring.


  • artistscope
    replied
    This video shows SignTool using the Token cert. As you can see it finds and loads the default cert no problem. Surely the SUF codesign option can be modified to do this... after all PFX certs are now obsolete. Also, a good reason for everyone to have to upgrade SUF to the latest version :-)



    If you don't have a Token cert and that is the reason for not being able to write/test a new script, I am willing to make my desktop available via TeamViewer to help.


  • artistscope
    replied
    I am looking forward to a followup and solution for this problem. Having to use Signtool separately after each SUF compile is a RPIA.

    More and more developers must now be forced to use Cert Tokens because PFX certs are no longer issued. Now all of us must use Tokens as our certs get renewed.

    Most developers like myself will only have one cert and after installing the token software, that cert will be installed as the default code-signing cert. I'll upload a short video soon showing how easy it is to locate.


  • artistscope
    replied
    The SafeNet Authentication Client that you see in the video is merely the USB Driver prompting for password when required.

    The command-line used would be like:
    Code:
    cd C:\Program Files (x86)\Windows Kits\8.1\bin\x86\
    signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 MyApp.exe
