A.M. Hoornweg

Code signing in a remotely working team?


6 hours ago, Kas Ob. said:

this means any singing developer can have a glance

YMMD: I just imagined the developers singing while running the signing process.

On 10/1/2024 at 2:08 AM, Vincent Parrett said:

No, that would be terribly wasteful - we calculate the digest on the client and send that to the server to be signed. 

I am curious how this will work with timestamp signing.

Will the server have to perform all the timestamp requests or can this be done client side too?

30 minutes ago, chillefeld said:

I am curious how this will work with timestamp signing.

Will the server have to perform all the timestamp requests or can this be done client side too?

Timestamping happens on the client - just like with signtool, you specify the timestamp server url and digest algorithm - we calculate the file digest, send that to the server, get back the signed digest/signature etc, apply that to the file and then perform the timestamp operation (simplified - quite a bit to it in reality). 

This is the command line interface (subject to change)
[screenshot of the command-line help, not reproduced]

We are using Signotaur to sign itself, here's an extract from the build log - running the sign command

"C:\Program Files\VSoft Technologies\Signotaur\ClientTool\SignotaurTool.exe" sign --apikey ********** --thumbprint 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 --signServer https://ciagent005:91 --file-digest SHA384 --tr http://timestamp.digicert.com --td SHA256 --allow-untrusted  E:\CI_AWS\Ws\18154\Output\**\*.exe"

and the output (logging needs some tuning). 

 

SignotaurClient
Version : 1.0.0.182
© 2024 VSoft Technologies Pty Ltd
12:19:33 Fetching public key
12:19:33 Sending sign request to server...
12:19:36 Server responded : "Digest Signed OK"
12:19:36 "E:\CI_AWS\Ws\18154\Output\Client\win-x64\SignotaurTool.exe" signed.
12:19:36 Sending sign request to server...
12:19:38 Server responded : "Digest Signed OK"
12:19:39 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.Signotaur.Server.exe" signed.
12:19:39 Sending sign request to server...
12:19:41 Server responded : "Digest Signed OK"
12:19:41 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.SSLCertificate.Tool.exe" signed.
12:19:41 Returning result code: 0.
12:19:41 Result from Windows signing API "Operation successful."
Exit code: 0

So signing and timestamping takes around 1-3 seconds per file (depends on file size etc.).  

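The digest-out, signature-back split described in the reply above, as an added example that is not Signotaur's code and not part of Vincent's post: a stand-alone Go program in which the server only ever signs a client-computed SHA-384 digest (RSA PKCS#1 v1.5 here, standing in for whatever the token or HSM does), the client checks the returned signature against the public key it fetched first before attaching it, and the timestamp step is reduced to a SHA-256 imprint over the signature value, which is what an RFC 3161 request carries. The SignServer, SignRemotely and Verify names, the in-memory "file" and the raw-bytes digest are assumptions; a real client hashes the PE image per the Authenticode rules, not the whole file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
	"time"
)

// SignServer models the signing server; the private key lives only here (hypothetical type).
type SignServer struct{ key *rsa.PrivateKey }

// NewSignServer generates a fresh key as a stand-in for the token/HSM-backed key.
func NewSignServer() (*SignServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SignServer{key: key}, nil
}

// PublicKey is what the client fetches first ("Fetching public key" in the log above).
func (s *SignServer) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// SignDigest is the only operation exposed: the file never crosses the wire, and a
// digest whose length does not match the stated algorithm is refused.
func (s *SignServer) SignDigest(h crypto.Hash, digest []byte) ([]byte, error) {
	if len(digest) != h.Size() {
		return nil, fmt.Errorf("digest is %d bytes, expected %d for %v", len(digest), h.Size(), h)
	}
	return rsa.SignPKCS1v15(rand.Reader, s.key, h, digest)
}

// FileDigest is the client-side SHA-384 hash (the --file-digest value above) over raw bytes.
func FileDigest(content []byte) []byte {
	sum := sha512.Sum384(content)
	return sum[:]
}

// Timestamp is a simplified stand-in for an RFC 3161 token: a SHA-256 imprint of the
// signature value (the --td algorithm) plus the time the TSA asserts for it.
type Timestamp struct {
	Imprint [32]byte
	GenTime time.Time
}

// RequestTimestamp is the client-side step; a real client POSTs a TimeStampReq to the --tr URL.
func RequestTimestamp(signature []byte, now time.Time) Timestamp {
	return Timestamp{Imprint: sha256.Sum256(signature), GenTime: now}
}

// SignedFile stands in for the PE file with its signature and timestamp attached.
type SignedFile struct {
	Content   []byte
	Signature []byte
	Timestamp Timestamp
}

// SignRemotely is the client flow: hash locally, send only the digest, check the reply,
// attach it, then timestamp the signature value.
func SignRemotely(server *SignServer, content []byte, now time.Time) (*SignedFile, error) {
	digest := FileDigest(content)
	sig, err := server.SignDigest(crypto.SHA384, digest)
	if err != nil {
		return nil, err
	}
	// A bad response must fail the build rather than end up inside the file.
	if err := rsa.VerifyPKCS1v15(server.PublicKey(), crypto.SHA384, digest, sig); err != nil {
		return nil, fmt.Errorf("server returned an invalid signature: %w", err)
	}
	return &SignedFile{Content: content, Signature: sig, Timestamp: RequestTimestamp(sig, now)}, nil
}

// Verify is the consumer's check: recompute the digest, verify the signature, and
// confirm the timestamp imprint covers exactly this signature value.
func Verify(pub *rsa.PublicKey, f *SignedFile) error {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA384, FileDigest(f.Content), f.Signature); err != nil {
		return fmt.Errorf("content digest does not match signature: %w", err)
	}
	if f.Timestamp.Imprint != sha256.Sum256(f.Signature) {
		return fmt.Errorf("timestamp does not cover this signature")
	}
	return nil
}

func main() {
	server, err := NewSignServer()
	if err != nil {
		panic(err)
	}
	content := []byte("MZ constructed stand-in for SignotaurTool.exe") // constructed input, not a real PE
	signed, err := SignRemotely(server, content, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("verify:", Verify(server.PublicKey(), signed))
	signed.Content[4] ^= 1 // tamper after signing
	fmt.Println("verify after tamper:", Verify(server.PublicKey(), signed))
}
```

Run it with `go run .`; the first Verify prints `<nil>` and the second reports the digest mismatch. The point worth keeping from the layout is that the server's attack surface is one "sign this digest" call: it cannot be tricked into signing arbitrary data it has not been handed a hash of, and the client's verification before embedding means a wrong key on the server side fails the build instead of shipping an unverifiable binary.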
On 9/30/2024 at 3:27 PM, Anders Melander said:

...once they have signed in with an USB token.

I don't think you can get around the requirement for the signer to have some kind of physical identification device.

That's not what I read:

 

"DigiCert KeyLocker is a cloud-based service that helps you generate and store the private key without a physical HSM (Hardware Security Module). It was developed to reduce certificate administrators’ efforts and strengthen private key security."

 

 

 

(https://signmycode.com/blog/what-is-digicert-keylocker-everything-to-know-about)

39 minutes ago, Vincent Parrett said:

This is the command line interface (subject to change)
[screenshot of the command-line help, not reproduced]

Nice ! 

 

Few thoughts :

1) Although there is no mention of removing/deleting a signature in the Microsoft documentation for SignTool in three different places:

https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/signtool

https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool

The command "remove" is useful and pretty much needed; sometimes it is essential. For example, you want to switch from an internal debugging/testing signature to release, and don't want to ship with your organization's internally issued signatures and their certificate, so remove/delete is needed, and it is there within SignTool.exe; I remember having seen it in the documentation in the past!

[screenshot of the SignTool remove command, not reproduced]

2) With SignTool there is the "/ac" option for the Sign command; this one can be crucial for new CA certificates, as best practice dictates including the chain of trust path excluding the root. The root must not be included, as it will be considered waste and manipulation (the root should be present and trusted from a different source, like the OS store or any higher/adequate administrative authority), but the CAs between the end entity and the root can be the line between verification and failure; including the chain of trust is essential for old systems and/or new CAs, so you might need to consider adding it.

 

3) Identifying or choosing the certificate by thumbprint is OK, but I would suggest using a similar method to SignTool and IIS, by adding "IssuedTo/SubjectName". This will minimize the hassle of updating the thumbprint on the client/terminal side when more than one certificate exists, as they will exist; generally you order a new certificate while the soon-to-expire one is still there. If you look at IIS, it always selects the newer certificate after filtering the available certificates whose Subject Alternative Name matches the domain name; SignTool does the same with the "/n" option by looking for the SubjectName, so adding this also makes sense.

 

Well, this comes to mind and thank you again !


On side note:

I never saw "/ph" and "/nph" being used, and honestly don't know what exactly they do; I can only imagine or assume.

 

If you have any resources on this, I would appreciate you sharing them!

1 hour ago, A.M. Hoornweg said:

That's not what I read

No, I can't see it from the signmycode site either.

I'm positive that I read somewhere on the digicert site that you had to use 2-factor-authentication using a USB token but I could very well have misunderstood the context.

2 hours ago, A.M. Hoornweg said:

DigiCert KeyLocker is a cloud-based service

Be aware that most of those cloud based services either charge per signing or impose monthly limits on the number of signings. 

2 hours ago, Kas Ob. said:

1) The command "remove" is useful and pretty needed, sometimes it is essential, example, you want to switch form internal debugging/testing signature to release, and don't want to ship with your organization internally issued signatures and its certificate, so remove/delete is needed, and it is there within SignTool.exe, i remember have seen in the documentation in the past !

We'll look at this. I haven't seen any APIs to make this easy, so will likely have to resort to manipulating the PE file. That said, if you sign without using the -as option I think it will replace the existing certificate - I will have to test that. We are planning on adding a timestamp command but that is not yet implemented (mostly because we haven't gotten to it yet). 

 

2 hours ago, Kas Ob. said:

2) With SignTool there is "/ac" option for the Sign command

Should be simple to add - I had it in there originally but couldn't figure out why it would be needed - signtool doco doesn't say much

 

2 hours ago, Kas Ob. said:

3) Identifying or choose the certificate by thumbprint is OK, but i would suggest to use similar method like SignTool and IIS, by adding "IssuedTo/SubjectName"

We went around in circles with this; we needed something unique to identify the certificate - IssuedTo/SubjectName is not unique if more than one token is enabled (i.e. old cert and new cert). I'll talk to the lead dev about this when he is back from vacation next week - I did the initial R&D and then handed the project off to another dev to make it into a product, and this is one of the areas he worked on.  

Thanks for the feedback. 
 

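On the thumbprint-versus-subject question raised in Kas Ob.'s point 3 and in the reply above, as an added Go example that is neither Signotaur's code nor signtool's: a constructed store holding a certificate that expires next month next to its renewal with the identical subject. Thumbprint reproduces the SHA-1-over-DER value that --thumbprint and signtool /sha1 take, which is unique per certificate, so SelectByThumbprint matches at most one entry; SelectBySubject shows why a subject string alone becomes ambiguous the moment the renewal is installed, and how signtool's /a rule (among valid matches, take the one that expires last) resolves it. The CertStore type, the method names and the "Example Software Pty Ltd" subject are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertStore stands in for the token or Windows certificate store (hypothetical type).
type CertStore []*x509.Certificate

// NewTestCert builds a self-signed code-signing certificate: constructed test data.
func NewTestCert(subject string, notBefore, notAfter time.Time, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Thumbprint is SHA-1 over the DER encoding, the value Windows shows as "Thumbprint"
// and signtool takes with /sha1; unlike the subject it is unique per certificate.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return fmt.Sprintf("%X", sum[:])
}

// SelectByThumbprint matches exactly one certificate or fails.
func (s CertStore) SelectByThumbprint(thumb string) (*x509.Certificate, error) {
	want := strings.ToUpper(strings.ReplaceAll(thumb, " ", ""))
	for _, c := range s {
		if Thumbprint(c) == want {
			return c, nil
		}
	}
	return nil, fmt.Errorf("no certificate with thumbprint %s", want)
}

// SelectBySubject mirrors signtool /n (substring match on the subject CN) among time-valid
// code-signing certificates; with auto (signtool /a) the longest-valid match wins, otherwise
// more than one match is an error.
func (s CertStore) SelectBySubject(subject string, now time.Time, auto bool) (*x509.Certificate, error) {
	var matches []*x509.Certificate
	for _, c := range s {
		if !strings.Contains(c.Subject.CommonName, subject) || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		for _, eku := range c.ExtKeyUsage {
			if eku == x509.ExtKeyUsageCodeSigning {
				matches = append(matches, c)
				break
			}
		}
	}
	if len(matches) == 0 {
		return nil, fmt.Errorf("no valid code-signing certificate matches %q", subject)
	}
	if len(matches) > 1 && !auto {
		return nil, fmt.Errorf("%d certificates match %q: pick one by thumbprint or enable auto-select", len(matches), subject)
	}
	best := matches[0]
	for _, c := range matches[1:] {
		if c.NotAfter.After(best.NotAfter) {
			best = c
		}
	}
	return best, nil
}

func main() {
	now := time.Now()
	old, err1 := NewTestCert("Example Software Pty Ltd", now.AddDate(-2, 0, 0), now.AddDate(0, 1, 0), 1)
	renewed, err2 := NewTestCert("Example Software Pty Ltd", now.AddDate(0, 0, -1), now.AddDate(3, 0, 0), 2)
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	store := CertStore{old, renewed}
	_, err := store.SelectBySubject("Example", now, false)
	fmt.Println("strict subject match:", err)
	c, _ := store.SelectBySubject("Example", now, true)
	fmt.Println("auto subject match picks thumbprint", Thumbprint(c), "expiring", c.NotAfter.Format("2006-01-02"))
}
```

The two selectors answer different questions: the thumbprint says "this exact certificate" and has to be updated in the build configuration at every renewal, while the subject plus a longest-valid tie-break says "whatever the current certificate for this publisher is" and keeps working across a renewal, at the cost of silently switching keys the day the new certificate lands on the token. Either is defensible; what the strict branch guards against is a build that signs with an unexpected certificate without anyone noticing.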
2 hours ago, Kas Ob. said:

On side note:

I never saw "/ph" and "/nph" being used, and honestly don't know what exactly they do, only can imagine or assume,

 

If you have any resources on this, i would appreciate sharing !

I have never seen it used and couldn't really find any doco on it either, but since they were easy to implement we added it anyway 🤷‍♂️
