-
Code signing
I think that in order to make the end user more comfortable downloading
and installing an unknown application it is now necessary to have a code
signing certificate.
That said, the process is a real PIA and I am stuck getting the .spc and
.pvk out of a Comodo certificate I purchased through SetupBuilder (good
value).
So,
does anyone know of a utility to extract those files from the
certificate? Why the mystery after you have been verified as legitimate?
Bill
-
Re: Code signing
I feel your pain. <G>
Gave up on that approach but I ended up using SignTool. It must be
downloaded as part of the Windows SDK. Much easier when things work. From an
earlier post:
Here's what I learned!
~~~~~~~~~~~~~~~~~~
1. The Group is awesome. Couldn't have done it without your help.
Especially Friedrich, David Troxell and John Grffith. Thanks a million
guys.
2. When downloading the SDK to Win 7 64 the download will/could fail if you
have recent versions of C++ installed. Thanks Friedrich for pointing this
out. I deleted the newer versions and all went well.
3. The default folder that MS installs signtool.exe in is the 64 bit
program folder. If you access it there from SB it did not work (for me).
But copying signtool.exe to C:\Program Files (x86)\Lindersoft\SetupBuilder 8
Developer\Lib\signtool.exe solved the problem. Thanks David for filling in
that piece of the puzzle!
There is just one signtool.exe but it has to be in the right spot.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Much easier than the other way.
Lynn Howard
-
Re: Code signing
How to purchase and use Code Signing Certificate
1. Ensure that you are using the same browser and computer for
purchasing and also subsequently retrieving (after identity validation
by Comodo, they will inform you that the certificate is ready for collection).
2. If using Firefox, after collection, Firefox will register your
certificate in its Certificate Manager (Internet Explorer as the browser
of choice for ordering your certificate). To get to the Certificate
Manager, open Firefox, select Tools in the menu and then select Options.
3. Click to view all the available certificates.
4. Click to back up the Code Signing Certificate collected. Save the
file as aapr4.p12.
5. The browser security will prompt for a backup password. Be sure to
write down the backup password entered.
6. If the Firefox browser is being used, you will not get a credentials
(.spc) or a private key file (.pvk). With the aapr4.p12 file, you will
have to convert the .p12 into .spc and .pvk files.
7. Your only option is to back up the certificate. This will create a PFX
file; however, Firefox saves the file as a *.p12 file. If a PFX file is
required, you may rename the *.p12 to the PFX extension. But for
Lindersoft SetupBuilder to work, you will have to create the .spc and
.pvk files. Note: The password you use for the backup is the password
you will use for the certificate in all of the following steps and in
SetupBuilder.
8. Once you have your backup file you need to use some other tools to
produce your credentials file and private key file. To export your
private key and software publishing certificate from the .pfx file you
need the OpenSSL tools (Win32OpenSSL_Light-1_0_1e.EXE). You can download
a ready-compiled Windows binary package from Shining Light Productions.
The 'light' package is all you need.
9. The OpenSSL utility will export the private key to an OpenSSL .pem
format file. The .pvk private key format required by the code signing
tools is a Microsoft proprietary format which OpenSSL does not support.
Dr. Stephen N Henson, an OpenSSL consultant in the UK, has
reverse-engineered the .pvk file format and developed a conversion
utility which you can download here. In case you should have trouble
accessing the server it is also mirrored here. The utility is contained
in a Zip archive and you simply need to extract it to the same folder as
the OpenSSL tools.
10. Exporting the files
Having downloaded and installed the conversion tools, you are ready to
export your code signing certificate and private key file from the .pfx
(.p12) file. The commands given below assume that the location of the
conversion tools has been added to the PATH environment variable.
Otherwise you should type the full path to each program.
In the examples we will also assume that the .pfx (.p12) file name is
mycert.pfx (mycert.p12) and that the desired output filenames are
mykey.pvk and mycert.spc. You may, of course, substitute other names if
you so wish, and specify a full path if the files are located in a
different folder. Remember to quote the paths to the files if they
contain spaces.
11. Exporting the private key
First export the private key to an OpenSSL .pem format file.
openssl.exe pkcs12 -in mycert.p12 -nocerts -nodes -out mykey.pem
You will be asked for the password of the private key file, if you
specified one.
Now you use Dr. Henson's conversion utility to convert the .pem file
into the proprietary Microsoft .pvk format.
pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk
That takes care of the private key file.
12. Exporting the software publishing certificate
Converting your code signing certificate into a software publishing
certificate .spc file is also a two stage process. First, the
certificate is exported to an OpenSSL .pem format file, and then this is
converted to the final .spc format.
openssl.exe pkcs12 -in mycert.p12 -nokeys -out mycert.pem
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc
Again, you will be asked for the password of the private key file if you
specified one.
13. You now have a .pvk and .spc pair which you can use to digitally
sign executables using signcode.exe. The intermediate .pem files created
during the conversion are no longer needed, and may be deleted.
Kelvin Chua
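Steps 11 and 12 above as a checked script, added here as an example and not part of Kelvin's post or the linked page. It assumes OpenSSL 1.1.1 or later on the PATH and the backup password in a hypothetical PFX_PASS environment variable, keeps the key file private, and verifies that the exported key, certificate and Code Signing usage actually belong together before the pair is handed to a signing tool; the final .pvk step is left to the pvk.exe utility the post describes.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl on PATH, backup
# password exported as PFX_PASS (keeps it out of the process list and
# shell history; file names are hypothetical).
set -eu

# export_spc <in.p12> <prefix>: writes <prefix>.key.pem, <prefix>.crt.pem, <prefix>.spc
export_spc() {
    p12="$1"; prefix="$2"
    # Step 11: private key to PEM. It is written unencrypted (-nodes),
    # so restrict the file mode immediately.
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:PFX_PASS \
        -out "$prefix.key.pem"
    chmod 600 "$prefix.key.pem"
    # Step 12: certificate(s) to PEM, then to a DER PKCS#7 bundle (.spc).
    openssl pkcs12 -in "$p12" -nokeys -passin env:PFX_PASS \
        -out "$prefix.crt.pem"
    openssl crl2pkcs7 -nocrl -certfile "$prefix.crt.pem" -outform DER \
        -out "$prefix.spc"
}

# check_codesign_pair <prefix>: returns 0 only when the private key matches
# the leaf certificate, the certificate is still valid, and it carries the
# Code Signing extended key usage; otherwise prints the reason and returns 1.
check_codesign_pair() {
    prefix="$1"
    # Compare the public key derived from the private key with the one in the cert.
    key_pub=$(openssl pkey -in "$prefix.key.pem" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$prefix.crt.pem" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$prefix.crt.pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate expired" >&2; return 1; }
    openssl x509 -in "$prefix.crt.pem" -noout -text | grep -q "Code Signing" \
        || { echo "certificate lacks Code Signing EKU" >&2; return 1; }
}
```

Run as `PFX_PASS='backup password' ./export.sh` after adding calls to `export_spc mycert.p12 mycert` and `check_codesign_pair mycert`; a mismatch or a certificate without the Code Signing usage stops the process before anything is signed.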
-
Re: Code signing
Or if you want to access my site directly...
http://www.aapr4.com/howtocodesign.htm
Thanks.
Kelvin Chua
SINGAPORE
-
Re: Code signing
Kelvin,
Just a quick comment ;-)
The following is not correct:
> But for Lindersoft SetupBuilder to work, you will have to create the
> .spc and .pvk files. Note: The password you use for the backup is the
> password you will use for the certificate in all of the following steps
> and in SetupBuilder.
Of course, SetupBuilder supports certificates in form of .PFX and .PVK/.SPC
;-)
http://www.lindersoft.com/CodeSign.pdf
http://www.lindersoft.com/forums/showthread.php?t=36060
http://www.lindersoft.com/forums/sho...9545#post69545
There is no need to convert the .PFX into the .PVK/.SPC format.
Friedrich
-
2 Attachment(s)
Re: Code signing
Dear Mr. Morris,
> That said, the process is a real PIA and I am stuck getting the .spc and
> .pvk out of a Comodo certificate I purchased through SetupBuilder (good
> value)
You already *have* the certificate in form of the .PVK. You forgot to
switch your Authenticode code-signing process to SignTool.exe.
In my last support email I wrote:
---
>> Okay, here is your "problem". You have a "billwithprivatekey.pfx" but
>> you are using SignCode.exe to code-sign. You need SignTool.exe to use
>> certificates in the .pfx format.
>>
>> So you only have to change (see screenshot you sent) the "SignCode.exe or
>> SignTool.exe Location" entry field to the SignTool.exe location (at the
>> moment you still have set it to SignCode.exe) and you are done ;-) This
>> will then switch Microsoft Authenticode to the .PFX format.
>>
>> Does this help?
---
> Does anyone Know of a utility to extract those files from the
> Certificate, why the mystery after you have been verified as legitimate?
Why 'extract'? The .PFX *is* your certificate!
1. Add "billwithprivatekey.pfx" to the "PFX File" entry (see attached
screenshot "Bill1.PNG" taken from one of your support emails).
2. Add the fully qualified path to your SignTool.exe utility in "Tools" |
"Options..." | File Locations tab. See attached "Bill2.PNG".
That's it. Compile and you are done.
Best Regards,
:-( :-( :-( :-(
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
-
Re: Code signing
Sir.
Use the Code Signing Utility from Intel Corp.
No need to use the PFX, it will use the installed certificate.
It makes everything as easy as drag and drop.
http://software.intel.com/en-us/arti...-tool-download
Jesus Cortes
-
Re: Code signing
Jesus,
> Use the Code Signing Utility from Intel Corp.
>
> No need to use the PFX, it will use the installed certificate.
>
> It makes everything as easy as drag and drop.
>
> http://software.intel.com/en-us/arti...-tool-download
No, that is not correct. It's *not* possible to use the Code Signing
Utility from Intel in this scenario.
Friedrich
--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910
--Helping You Build Better Installations
--SetupBuilder "point. click. ship"
--Create Windows 8 ready installations in minutes
--Official COMODO Code Signing and SSL Certificate Partner
-
Re: Code signing
Of course, it should read: "...You already *have* the certificate in form of
the .PFX..."
Sorry for that.
Friedrich
-
Re: Code signing
Sir, you are right, I use a different installer. The Code Signing
Utility from Intel is able to use a PFX certificate or to use the
installed certificate. I use WinInstall and I just drag and drop the
installer and it gets signed. I also sign the original exe file.
Sometimes I need a program to run as Administrator and this is the only
way a user will trust such elevation.
Jesus Cortes