Post a reply to the thread: EV code signing certificate

Topic Review (Newest First)

  • 02-09-2022, 08:03 AM
    linder

    Re: EV code signing certificate

    Colin,

    interesting! Thanks so much for the information and your kind words!!!

    Friedrich
  • 02-09-2022, 06:46 AM
    Colin

    Re: EV code signing certificate

    Hi Friedrich,
    Stand down. EV hardware code-signing is presently working here. The problem was actually with the time-stamping. SignTool seems not to be waiting long enough for the time-server. Fortunately we can live without time-stamps for now because our EV certificate still has a good 2 years left on the clock.
    Thank you very much for your support and for all of your good work on SetupBuilder.
    Regards,
    Colin Humphries
    VSPROWESS LTD
  • 12-27-2021, 09:11 AM
    linder

    Re: EV code signing certificate

    I'll set up a test machine where we have "VSProwess Ltd" as subject name to see if the space character makes a difference...

    Friedrich
  • 12-27-2021, 09:04 AM
    linder

    Re: EV code signing certificate

    BTW, in the soon coming SetupBuilder 2022 you can see the error messages (in a human readable form) returned from the signtool.exe. This is not possible in SetupBuilder 2019. signtool.exe only returns an error code value when called from a Windows API.

    Another idea: try to develop a small application that uses the ShellExecute Windows API to execute the signtool.exe and let it code-sign a test.exe (do NOT use the command line or a batch!). This is exactly what the SetupBuilder compiler is doing. It calls signtool.exe via ShellExecuteA and passes the required switches and parameters. IMO, this will also fail in your case (because SafeNet might not be correctly configured?!). From the calling program's point-of-view, there is no difference between signing with a PFX or an EV certificate.

    Friedrich
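Added example (not SetupBuilder's code and not written by either poster): a PowerShell wrapper that starts signtool.exe with redirected output, so a failure yields signtool's own messages and the expanded command line rather than only an exit code. The function name, the `-SignTool` default and the test file path are assumptions; the subject name and switches are taken from this thread.

```powershell
# Added example: run signtool with captured output so a failure is diagnosable.
# Assumption: signtool.exe is on PATH; pass -SignTool with a full path otherwise.
function Invoke-SignToolLogged {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $SubjectName,  # "Issued to" text in Personal/Certificates
        [string] $SignTool = 'signtool.exe'
    )

    # Quote every value that may contain a space (subject name, file path).
    # No /tr here: certificate selection and time-stamping are separate failure points.
    $arguments = 'sign /debug /n "{0}" /fd SHA256 "{1}"' -f $SubjectName, $File

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $SignTool
    $psi.Arguments              = $arguments
    $psi.UseShellExecute        = $false   # required for stream redirection
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Read both streams asynchronously so neither pipe can fill and block signtool.
    $stdout = $proc.StandardOutput.ReadToEndAsync()
    $stderr = $proc.StandardError.ReadToEndAsync()
    $proc.WaitForExit()

    [pscustomobject]@{
        CommandLine = "$SignTool $arguments"   # the expanded command line, for the build log
        ExitCode    = $proc.ExitCode           # 0 = success, 1 = failed, 2 = completed with warnings
        StdOut      = $stdout.Result
        StdErr      = $stderr.Result
    }
}

# Constructed sample values: a scratch copy of an unsigned exe, subject name from this thread.
$result = Invoke-SignToolLogged -File 'C:\Temp\test.exe' -SubjectName 'VSProwess Ltd'
$result | Format-List
if ($result.ExitCode -ne 0) {
    Write-Warning "signtool failed: $($result.StdErr.Trim())"
}
```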
  • 12-27-2021, 08:51 AM
    linder

    Re: EV code signing certificate

    Hi Colin,

    you have to use the name that you see in the certificate store! It does not make a difference whether you export a PFX to the store or use an EV CS.

    Code-signing is completely handled through signtool.exe (and SafeNet for EV certificates). SetupBuilder itself just passes the required parameters to signtool, nothing more or less.

    Friedrich
  • 12-27-2021, 07:50 AM
    Colin

    Re: EV code signing certificate

    Originally posted by linder:
    Hi Colin,

    assuming, you have already installed SafeNet.

    A "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).

    For example: EVCS://subject name

    where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.

    Leave the password blank because SafeNet handles it.

    Does this help?

    Friedrich

    I'm still struggling with this problem. I wonder if it might be simply because for the EVCS "subject name" I used my company's name, but this includes a space character? Would be useful if EVCS macro could include the signtool debug option please?
  • 11-02-2021, 10:56 AM
    Colin

    Re: EV code signing certificate

    Originally posted by linder:
    Hi Colin,

    I checked this with two SetupBuilder developers this morning. They are using Sectigo EV (hardware dongle!!) without any problem.

    https://www.churnite.com/knowledge/c...n/SO20695.html

    So the one million question is, what causes the issue on your environment...

    1. Open SafeNet Authentication Client Tools.
    Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
    2. Click the Advanced View icon (gold gear).
    3. In the menu tree in the left pane, select Client Settings.
    4. In the right pane, select the Advanced tab.
    5. On the Advanced tab, select the Enable single logon option.
    6. Click Save.
    7. To activate the single logon feature, log off from the computer and log on again.

    Friedrich

    Hi Friedrich,
    Thanks, it's good to know someone has gotten this to work. I enabled SafeNet single log-on but sadly still no joy. I'll persevere but FYI here is the error message:

    Processing Uninstall Code-Signing...
    Adding Digital Certificate to Uninstall...
    Resolve CSI...
    SIGNTOOL
    SVER: 10.0.19041.685
    EVCS: VSProwess Ltd [6]
    SHA2: 1
    Compiler error GEN1053: Code signing process failed. Error Code: 1

    signtool error code 1 just means that it didn't work. Perhaps include the debug flag in the next version to enable a more useful error message, and also log the expanded signtool command line. Anyway, thanks for looking at this. SetupBuilder is, by the way, an extremely useful tool, much appreciated here. This is the first snag I've hit in almost 10 years of using SB.

    Colin
  • 11-01-2021, 03:35 PM
    linder

    Re: EV code signing certificate

    Hi Colin,

    I checked this with two SetupBuilder developers this morning. They are using Sectigo EV (hardware dongle!!) without any problem.

    https://www.churnite.com/knowledge/c...n/SO20695.html

    So the one million question is, what causes the issue on your environment...

    1. Open SafeNet Authentication Client Tools.
    Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
    2. Click the Advanced View icon (gold gear).
    3. In the menu tree in the left pane, select Client Settings.
    4. In the right pane, select the Advanced tab.
    5. On the Advanced tab, select the Enable single logon option.
    6. Click Save.
    7. To activate the single logon feature, log off from the computer and log on again.

    Friedrich
  • 11-01-2021, 03:15 PM
    Colin

    Re: EV code signing certificate

    Hi Friedrich,
    Yes, the SafeNet app must be running for the EV dongle to work. It pops up a dialog for me to enter my password. I guess Sectigo did some deal.

    Here is my signtool command, latest version as installed with Visual Studio, run from PowerShell in administrator mode because of the location of the certificate.

    signtool sign /debug /n "VSProwess Ltd" /tr http://timestamp.comodoca.com /td SHA256 /fd SHA256 "D:\vsSource\SetupBuilder\VSProwessX\VSProwessX_setup_2X.X.exe"

    FYI: it is important to check the timestamp was correctly applied. signtool appears to fail silently if the timeserver is not available and eventually you'll discover that your exe unexpectedly has a shelf life.

    Thanks for looking at this.
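Added example (not from the posts or from SetupBuilder): one way to act on the time-stamp check described in the post above, and on the time-server delay reported in the 02-09-2022 post. It time-stamps an already signed file in a separate step with retries, then confirms from the signature itself that a time stamp is present. The function name, retry counts and file path are assumptions; the time-server URL is the one from the command above.

```powershell
# Added example: time-stamp an already signed file with retries, then verify it.
function Add-TimestampWithRetry {
    param(
        [Parameter(Mandatory)] [string] $File,
        [string] $TimestampUrl = 'http://timestamp.comodoca.com',  # URL from the post above
        [int]    $MaxAttempts  = 5,      # assumption: tune for your time server
        [int]    $DelaySeconds = 10,
        [string] $SignTool     = 'signtool.exe'   # assumption: on PATH
    )

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # "signtool timestamp" adds an RFC 3161 time stamp to an existing signature.
        $out  = & $SignTool timestamp /tr $TimestampUrl /td SHA256 $File 2>&1
        $exit = $LASTEXITCODE

        # Do not rely on the exit code alone: inspect the signature on disk.
        $sig = Get-AuthenticodeSignature -FilePath $File
        if ($sig.Status -eq 'Valid' -and $null -ne $sig.TimeStamperCertificate) {
            return $sig
        }

        Write-Warning ("Attempt {0}/{1}: exit={2}, status={3}, no time stamp yet. {4}" -f `
            $attempt, $MaxAttempts, $exit, $sig.Status, ($out -join ' '))
        Start-Sleep -Seconds ($DelaySeconds * $attempt)   # linear back-off
    }

    throw "No time stamp on '$File' after $MaxAttempts attempts; do not release this build."
}

# Constructed sample path. Sign first without /tr, then time-stamp as a separate step.
& signtool.exe sign /n "VSProwess Ltd" /fd SHA256 'C:\Temp\test.exe'
$sig = Add-TimestampWithRetry -File 'C:\Temp\test.exe'
"Time-stamped by: $($sig.TimeStamperCertificate.Subject)"
```

Because the function throws when no time stamp is found, a build script that calls it stops instead of shipping a signature that lapses with the certificate.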
  • 11-01-2021, 06:12 AM
    linder

    Re: EV code signing certificate

    Hi Colin,

    hmmm, as far as I know, only SafeNet can handle EV certificates?! I checked this with Sectigo support some time ago and they told me that only SafeNet can handle it.

    What exact command line switches are you using to code-sign with your EV certificate from signtool.exe (which version)?

    Thank you!

    Friedrich