+ Reply to Thread
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: EV code signing certificate

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1

    Question EV code signing certificate

    After spending all day struggling with this I finally managed to code sign from the command line with my new Sectigo EV dongle. What eventually worked for me was to install the certificate while logged in as administrator and under the local machine store: Trusted Packaged App Installation Authorities. But so far I've been unable to make hardware code signing work from within SetupBuilder. I really miss the convenience of this so does anyone happen to have a magic incantation please?

  2. #2
    Join Date
    Mar 2004
    Posts
    4,241

    Default Re: EV code signing certificate

    Hi Colin,

    assuming, you have already installed SafeNet.

    A "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).

    For example: EVCS://subject name

    where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.

    Leave the password blank because SafeNet handles it.

    Does this help?

    Friedrich

  3. #3

    Unhappy Re: EV code signing certificate

    Quote Originally Posted by linder View Post
    Hi Colin,

    assuming, you have already installed SafeNet.

    A "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).

    For example: EVCS://subject name

    where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.

    Leave the password blank because SafeNet handles it.

    Does this help?

    Friedrich
    Hi Friedrich. No, unfortunately the EVCS macro doesn't work for me. For the Sectigo hardware dongle to work I had to install the certificate while logged in as administrator and under the local machine store: Trusted Packaged App Installation Authorities. In the next release would it be possible to directly setup the signtool command line please?
    Thanks.
    PS. Sorry about the delay in my reply. Broken by my recent Sectigo experience (3 weeks, customers more irate by the day), I took time off to build a greenhouse.

  4. #4
    Join Date
    Mar 2004
    Posts
    4,241

    Default Re: EV code signing certificate

    Hi Collin,

    hmmm, as far as I know, only SafeNet can handle EV certificates?! I checked this with Sectigo support some time ago and they told me that only SafeNet can handle it.

    What exact command line switches are you using to code-sign with your EV certificate from signtool.exe (which version)?

    Thank you!

    Friedrich

  5. #5

    Default Re: EV code signing certificate

    Hi Friedrich,
    Yes, the SafeNet app must be running for the EV dongle to work. It pops up a dialog for me to enter my password. I guess Sectigo did some deal.

    Here is my signtool command, latest version as installed with Visual Studio, run from Powershell in administrator mode because of the location of the certificate.

    signtool sign /debug /n "VSProwess Ltd" /tr http://timestamp.comodoca.com /td SHA256 /fd SHA256 "D:\vsSource\SetupBuilder\VSProwessX\VSProwessX_se tup_2X.X.exe".

    FYI: it is important to check the timestamp was correctly applied. signtool appears to fail silently if the timeserver is not available and eventually you'll discover that your exe unexpectedly has a shelf life.

    Thanks for looking at this.

  6. #6
    Join Date
    Mar 2004
    Posts
    4,241

    Default Re: EV code signing certificate

    Hi Colin,

    I checked this with two SetupBuilder developers this morning. They are using Sectigo EV (hardware dongle!!) without any problem.

    https://www.churnite.com/knowledge/c...n/SO20695.html

    So the one million question is, what causes the issue on your environment...

    1. Open SafeNet Authentication Client Tools.
    Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
    2. Click the Advanced View icon (gold gear).
    3. In the menu tree in the left pane, select Client Settings.
    4. In the right pane, select the Advanced tab.
    5. On the Advanced tab, select the Enable single logon option.
    6. Click Save.
    7. To activate the single logon feature, log off from the computer and log on again.

    Friedrich

  7. #7

    Unhappy Re: EV code signing certificate

    Quote Originally Posted by linder View Post
    Hi Colin,

    I checked this with two SetupBuilder developers this morning. They are using Sectigo EV (hardware dongle!!) without any problem.

    https://www.churnite.com/knowledge/c...n/SO20695.html

    So the one million question is, what causes the issue on your environment...

    1. Open SafeNet Authentication Client Tools.
    Navigate to Start > Program Files > Safenet > Safenet Authentication Client Tools.
    2. Click the Advanced View icon (gold gear).
    3. In the menu tree in the left pane, select Client Settings.
    4. In the right pane, select the Advanced tab.
    5. On the Advanced tab, select the Enable single logon option.
    6. Click Save.
    7. To activate the single logon feature, log off from the computer and log on again.

    Friedrich
    Hi Friedrich,
    Thanks, it's good to know someone has gotten this to work. I enabled SafeNet single log-on but sadly still no joy. I'll persevere but FYI here is the error message:

    Processing Uninstall Code-Signing...
    Adding Digital Certificate to Uninstall...
    Resolve CSI...
    SIGNTOOL
    SVER: 10.0.19041.685
    EVCS: VSProwess Ltd [6]
    SHA2: 1
    Compiler error GEN1053: Code signing process failed. Error Code: 1

    signtool error code 1 just means that it didn't work. Perhaps include the debug flag in the next version to enable a more useful error message, and also log the expanded signtool command line. Anyway, thanks for looking at this. SetupBuilder is, by the way, an extremely useful tool, much appreciated here. This is the first snag I've hit in almost 10 years of using SB.

    Colin

  8. #8

    Default Re: EV code signing certificate

    Quote Originally Posted by linder View Post
    Hi Colin,

    assuming, you have already installed SafeNet.

    A "macro" (EVCS = Extended Validation Code Signing) can be used in the "PFX File" entry field (Options -> Code Signing tab).

    For example: EVCS://subject name

    where subject name is the text listed under the "Issued to" field in Personal/Certificates. The compiler will then select the EV code-signing certificate.

    Leave the password blank because SafeNet handles it.

    Does this help?

    Friedrich
    I'm still struggling with this problem. I wonder if it might be simply because for the EVCS "subject name" I used my company's name, but this includes a space character? Would be useful if EVCS macro could include the signtool debug option please?

  9. #9
    Join Date
    Mar 2004
    Posts
    4,241

    Default Re: EV code signing certificate

    Hi Colin,

    you have to use the name that you see in the certificate store! It does not make a difference whether you export a PFX to the store or use a EV CS.

    Code-signing is completely handled through signtool.exe (and SafeNet for EV certificates). SetupBuilder itself just passes the required parameters to signtool, nothing more or less.

    Friedrich

  10. #10
    Join Date
    Mar 2004
    Posts
    4,241

    Default Re: EV code signing certificate

    BTW, in the soon coming SetupBuilder 2022 you can see the error messages (in a human readable form) returned from the signtool.exe. This is not possible in SetupBuilder 2019. signtool.exe only returns an error code value when called from a Windows API.

    Another idea: try to develop a small application that uses the ShellExecute Windows API to execute the signtool.exe and let it code-sign a test.exe (do NOT use the command line or a batch!). This is exactly what the SetupBuilder compiler is doing. It calls signtool.exe via ShellExecuteA and passes the required switches and parameters. IMO, this will also fail in your case (because SafeNet might not be correctly configured?!). From the calling program's point-of-view, there is no difference between signing with a PFX or an EV certificate.

    Friedrich

+ Reply to Thread

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •