
Thread: Cannot use codesigning with in cloud certificate

  1. #1
    Join Date
    Nov 2007
    Location
    Malone, NY
    Posts
    73

    Cannot use codesigning with in cloud certificate

    Hello,
    Is there any way that SB could use the thumbprint of the certificate rather than the PFX and password?
    Signtool works perfectly using the /SHA1 tag and the certificate thumbprint. Everything else is the same. I always thought that it shells out or calls signtool to codesign itself.
    Right now I have it working by turning off the Add a Digital Signature, Installer Integrity Check and Verify Code-Signed At Startup.
    FYI - I have the same problem in anything that auto-codesigns during/after a compile.
    Is there another workaround for this?

    Thanks
    coffee.cup not found. Programmer halted.

  2. #2
    Join Date
    Mar 2004
    Posts
    4,317

    Re: Cannot use codesigning with in cloud certificate

    Hello,

    Yes, we have completely rewritten the code-signing stuff in the new version. We are using the thumbprint now. BTW, we are waiting for our new Microsoft Trusted Signing access. After that, we'll finish development of the code-signing module. We have an EV code-signing and an EV in the cloud certificate now and it's working fine!

    I'll keep you posted. It would be great if you could test it when available.

    Friedrich

  3. #3
    Join Date
    Nov 2007
    Location
    Malone, NY
    Posts
    73

    Re: Cannot use codesigning with in cloud certificate

    That sounds great!
    I don't have an EV certificate, it's a standard one, but it still has the keys in the cloud.

    Let me know whenever you're ready.
    coffee.cup not found. Programmer halted.

  4. #4
    Join Date
    Mar 2004
    Posts
    4,317

    Re: Cannot use codesigning with in cloud certificate

    I think a standard (cloud) certificate should work fine, too. Just the identity background check for EV is different.

    I'll come back to you when I am ready with the new code-signing module.

    Thank you for your help!

    Friedrich

  5. #5
    Geoff Thomson Guest

    Re: Cannot use codesigning with in cloud certificate

    We're purchasing a yubikey with our next certificate. Does SB require the HSM model for signing, or is it possible to use a yubikey for certificate authentication?
    If not, we'll be using the yubikey just to sign the exes and dlls (using ECDSA, which I understand signtool supports) within the install, and then the install itself via HSM. I presume that having signed the exes and dlls with the yubikey won't affect the signing of the install using HSM (RSA). Is that correct?

  6. #6
    Join Date
    Mar 2004
    Posts
    4,317

    Re: Cannot use codesigning with in cloud certificate

    Hi Geoff,

    We can use our EV certificate (valid until August 2027) powered by an HSM in the current SetupBuilder version. When you have received yours, please let me know and we can configure it.

    BTW, the upcoming SetupBuilder 2025 supports Cloud based (EV) code-signing certificates and Microsoft Trusted Signing...

    Friedrich

  7. #7
    Geoff Thomson Guest

    Re: Cannot use codesigning with in cloud certificate

    OK. Thanks.

    So if I understand correctly, you're not planning on implementing ECDSA signing with a yubikey?

  8. #8
    Join Date
    Mar 2004
    Posts
    4,317

    Re: Cannot use codesigning with in cloud certificate

    Hi Geoff,

    As I understand it, ECDSA certificates work with signtool. So I think we can implement it (if it does not already work). Yubikey is just a hardware authentication device, so IMO it should work fine.

    When you have received the certificate with the hardware, please let me know and we can work on it (or test what we already have implemented in SB 2025).

    What do you think?

    Friedrich

  9. #9
    Unregistered Guest

    Re: Cannot use codesigning with in cloud certificate

    OK. Thanks.

  10. #10
    Unregistered Guest

    Re: Cannot use codesigning with in cloud certificate

    Hi Friedrich,
    I have received the yubikey and certificate. Apparently they do not make the .key files downloadable anymore. How do I set this up in my install script, as I have the crt, pem, p7b and der files? I have created an spc file, but cannot create a pvk and pfx file without the .key file. I tried entering just the spc file in the credentials file (and leaving the pvk and pfx files and the password field blank), but I get:
    Compiler error GEN1053: Code signing process failed. Error Code: 1
    I can successfully sign the exes and dlls using signtool - or scsigntool with the pin for the yubikey as a parameter. So I'm comfortable that the signing works. I'm not sure what to do with SetupBuilder though.
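
The thumbprint-based signing discussed in this thread, as an added example (not part of any post and not SetupBuilder's own code): a PowerShell post-build step that checks the certificate in the Windows store before calling signtool with `/sha1`, for keys that stay on a token or in the cloud and cannot be exported to a PFX. The parameter names and the timestamp URL you pass in are assumptions, and signtool.exe is assumed to be on PATH.

```powershell
# Added example: sign a finished file by certificate thumbprint, then verify it.
# Assumptions: signtool.exe is on PATH; all three parameters are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,    # SHA-1 thumbprint of the signing certificate
    [Parameter(Mandatory)] [string] $File,          # installer, exe or dll to sign
    [Parameter(Mandatory)] [string] $TimestampUrl   # RFC 3161 timestamp service named by your CA
)
$ErrorActionPreference = 'Stop'

# Thumbprints copied from the certificate dialog often carry spaces or hidden characters.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($tp.Length -ne 40) { throw "Expected 40 hex digits in the thumbprint, got $($tp.Length)." }

if (-not (Test-Path -LiteralPath $File)) { throw "File not found: $File" }

# The certificate must be in a 'My' store and linked to its (non-exportable) private key.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $tp |
    Select-Object -First 1
if (-not $cert)               { throw "No certificate with thumbprint $tp in the My stores." }
if (-not $cert.HasPrivateKey) { throw "Certificate found, but no private key is linked to it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Refuse certificates that are not issued for code signing (EKU 1.3.6.1.5.5.7.3.3).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $codeSigningOid) {
    throw "Certificate '$($cert.Subject)' does not carry the Code Signing EKU."
}

# Sign by thumbprint; the key provider (cloud client or smart-card middleware)
# may prompt for credentials or a PIN at this point.
& signtool.exe sign /sha1 $tp /fd SHA256 /tr $TimestampUrl /td SHA256 /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE." }

# Verify against the default Authenticode policy so a bad signature fails the build.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE." }

Write-Output "Signed and verified: $File ($($cert.Subject))"
```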
