dummzeuch, Posted Tuesday at 04:29 PM

6 hours ago, Kas Ob. said:
    this means any singing developer can have a glance

YMMD: I just imagined the developers singing while running the signing process.
chillefeld, Posted Wednesday at 06:02 AM

On 10/1/2024 at 2:08 AM, Vincent Parrett said:
    No, that would be terribly wasteful - we calculate the digest on the client and send that to the server to be signed.

I am curious how this will work with timestamp signing. Will the server have to perform all the timestamp requests, or can this be done client side too?
Vincent Parrett, Posted Wednesday at 06:31 AM (edited)

30 minutes ago, chillefeld said:
    I am curious how this will work with timestamp signing. Will the server have to perform all the timestamp requests or can this be done client side too?

Timestamping happens on the client - just like with signtool, you specify the timestamp server url and digest algorithm - we calculate the file digest, send that to the server, get back the signed digest/signature etc, apply that to the file and then perform the timestamp operation (simplified - quite a bit to it in reality).

This is the command line interface (subject to change). We are using Signotaur to sign itself, here's an extract from the build log - running the sign command

    "C:\Program Files\VSoft Technologies\Signotaur\ClientTool\SignotaurTool.exe" sign --apikey ********** --thumbprint 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 --signServer https://ciagent005:91 --file-digest SHA384 --tr http://timestamp.digicert.com --td SHA256 --allow-untrusted E:\CI_AWS\Ws\18154\Output\**\*.exe"

and the output (logging needs some tuning).

    SignotaurClient Version : 1.0.0.182 © 2024 VSoft Technologies Pty Ltd
    12:19:33 Fetching public key
    12:19:33 Sending sign request to server...
    12:19:36 Server responded : "Digest Signed OK"
    12:19:36 "E:\CI_AWS\Ws\18154\Output\Client\win-x64\SignotaurTool.exe" signed.
    12:19:36 Sending sign request to server...
    12:19:38 Server responded : "Digest Signed OK"
    12:19:39 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.Signotaur.Server.exe" signed.
    12:19:39 Sending sign request to server...
    12:19:41 Server responded : "Digest Signed OK"
    12:19:41 "E:\CI_AWS\Ws\18154\Output\Server\win-x64\VSoft.SSLCertificate.Tool.exe" signed.
    12:19:41 Returning result code: 0.
    12:19:41 Result from Windows signing API "Operation successful."
    Exit code: 0

So signing and timestamping takes around 1-3 seconds per file (depends on file size etc).

Edited Wednesday at 06:33 AM by Vincent Parrett
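The split described in the post above (hash on the client, sign only the digest on the server, the private key never leaves the server) modelled end to end. This is an added example, not Signotaur's code or any of VSoft's: the key is a freshly generated RSA key, the "file" is a constructed byte string, the server is an in-process struct rather than an HTTPS endpoint, and the hash covers the raw bytes where Authenticode would hash the PE image with its checksum and certificate table excluded. The client also checks the returned signature against the public key it fetched before trusting it, which is the check a practitioner wants on the client side of such a protocol.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// sampleFile is a constructed stand-in for an executable; a real client hashes the PE file
// on disk (Authenticode excludes the checksum and certificate table from that hash).
var sampleFile = []byte("constructed stand-in for an executable's bytes")

// clientDigest is the client-side step: hash the file with the chosen file-digest
// algorithm (SHA-384 here, matching the --file-digest SHA384 in the log above).
func clientDigest(file []byte) []byte {
	d := sha512.Sum384(file)
	return d[:]
}

// signServer models the server half: it holds the private key and only ever sees digests.
type signServer struct{ key *rsa.PrivateKey }

func newSignServer() (*signServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical in-memory key, not an HSM
	if err != nil {
		return nil, err
	}
	return &signServer{key: key}, nil
}

// publicKey is what the client fetches first ("Fetching public key" in the log).
func (s *signServer) publicKey() *rsa.PublicKey { return &s.key.PublicKey }

// signDigest answers a sign request: RSASSA-PKCS1-v1_5 over a precomputed SHA-384 digest.
// The server refuses anything that is not a digest of the expected size, so it cannot be
// turned into a general-purpose signing oracle for arbitrary data.
func (s *signServer) signDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha512.Size384 {
		return nil, errors.New("sign request rejected: digest is not SHA-384 sized")
	}
	return rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA384, digest)
}

// verifySignature is the verifier's side (simplified Authenticode): rehash the file and check.
func verifySignature(pub *rsa.PublicKey, file, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA384, clientDigest(file), sig)
}

// signFile is the client round trip: hash locally, send only the digest, receive the
// signature, and verify it against the fetched public key before embedding it in the file.
func signFile(srv *signServer, file []byte) ([]byte, error) {
	sig, err := srv.signDigest(clientDigest(file))
	if err != nil {
		return nil, err
	}
	if err := verifySignature(srv.publicKey(), file, sig); err != nil {
		return nil, fmt.Errorf("server returned a signature that does not verify: %w", err)
	}
	return sig, nil
}

func main() {
	srv, err := newSignServer()
	if err != nil {
		panic(err)
	}
	sig, err := signFile(srv, sampleFile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature: %d bytes, verifies: %v\n", len(sig), verifySignature(srv.publicKey(), sampleFile, sig) == nil)
}
```

Timestamping is deliberately left out: as the post says, the client would now send the signature to the TSA with the --tr/--td settings and embed the countersignature, a second round trip that does not involve the signing server at all.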
chillefeld, Posted Wednesday at 06:36 AM

Looks awesome. We need to renew our certificate in a couple of months, so I hope it will be usable by then.
A.M. Hoornweg, Posted Wednesday at 07:03 AM (edited)

On 9/30/2024 at 3:27 PM, Anders Melander said:
    ...once they have signed in with a USB token. I don't think you can get around the requirement for the signer to have some kind of physical identification device.

That's not what I read: "DigiCert KeyLocker is a cloud-based service that helps you generate and store the private key without a physical HSM (Hardware Security Module). It was developed to reduce certificate administrators' efforts and strengthen private key security." (https://signmycode.com/blog/what-is-digicert-keylocker-everything-to-know-about)

Edited Wednesday at 07:07 AM by A.M. Hoornweg
Kas Ob., Posted Wednesday at 07:38 AM

39 minutes ago, Vincent Parrett said:
    This is the command line interface (subject to change)

Nice! A few thoughts:

1) Albeit there is no mention of Remove/Delete a signature in Microsoft documentation in three different places for SignTool
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/signtool
https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
the command "remove" is useful and pretty needed, sometimes it is essential. Example: you want to switch from an internal debugging/testing signature to release, and don't want to ship with your organization's internally issued signatures and its certificate, so remove/delete is needed, and it is there within SignTool.exe; I remember having seen it in the documentation in the past!

2) With SignTool there is the "/ac" option for the Sign command. This one can be crucial for new CA certificates, as best practice dictates to include the chain of trust path excluding the root. The root must not be included, as it will be considered waste and manipulation (the root should be present and trusted by a different source like the OS store or any higher/adequate administrative authority), but the CAs between the end point and the root can be the line between verification and failure. Including the chain of trust is essential for old systems and/or new CAs, so you might need to consider adding it.

3) Identifying or choosing the certificate by thumbprint is OK, but I would suggest using a similar method to SignTool and IIS, by adding "IssuedTo/SubjectName". This will minimize the hassle of updating the thumbprint on the client/terminal side when more than one certificate exists, as they will exist: generally you order a new certificate while the soon-to-expire one is still there. If you look at IIS, it always selects the newer certificate after filtering the available certificates whose Subject Alternative Name matches the domain name; SignTool does the same with the "/n" option by looking for the SubjectName, so adding this also makes sense.

Well, this comes to mind, and thank you again!
Kas Ob., Posted Wednesday at 07:47 AM

On a side note: I never saw "/ph" and "/nph" being used, and honestly don't know what exactly they do, only can imagine or assume. If you have any resources on this, I would appreciate sharing!
Anders Melander, Posted Wednesday at 08:40 AM

1 hour ago, A.M. Hoornweg said:
    That's not what I read

No, I can't see it from the signmycode site either. I'm positive that I read somewhere on the digicert site that you had to use 2-factor-authentication using a USB token, but I could very well have misunderstood the context.
Vincent Parrett, Posted Wednesday at 09:32 AM

2 hours ago, A.M. Hoornweg said:
    DigiCert KeyLocker is a cloud-based service

Be aware that most of those cloud based services either charge per signing or impose monthly limits on the number of signings.
Vincent Parrett, Posted Wednesday at 09:53 AM

2 hours ago, Kas Ob. said:
    1) The command "remove" is useful and pretty needed, sometimes it is essential, example, you want to switch form internal debugging/testing signature to release, and don't want to ship with your organization internally issued signatures and its certificate, so remove/delete is needed, and it is there within SignTool.exe, i remember have seen in the documentation in the past !

We'll look at this. I haven't seen any APIs to make this easy, so will likely have to resort to manipulating the PE file. That said, if you sign without using the -as option I think it will replace the existing certificate - I will have to test that. We are planning on adding a timestamp command but that is not yet implemented (mostly because we haven't gotten to it yet).

2 hours ago, Kas Ob. said:
    2) With SignTool there is "/ac" option for the Sign command

Should be simple to add - I had it in there originally but couldn't figure out why it would be needed - signtool doco doesn't say much.

2 hours ago, Kas Ob. said:
    3) Identifying or choose the certificate by thumbprint is OK, but i would suggest to use similar method like SignTool and IIS, by adding "IssuedTo/SubjectName"

We went around in circles with this, we needed something unique to identify the certificate - IssuedTo/SubjectName is not unique if more than one token is enabled (i.e. old cert and new cert). I'll talk to the lead dev about this when he is back from vacation next week - I did the initial R&D and then handed the project off to another dev to make it into a product, and this is one of the areas he worked on.

Thanks for the feedback.
Vincent Parrett, Posted Wednesday at 09:56 AM

2 hours ago, Kas Ob. said:
    On side note: I never saw "/ph" and "/nph" being used, and honestly don't know what exactly they do, only can imagine or assume, If you have any resources on this, i would appreciate sharing !

I have never seen it used and couldn't really find any doco on it either, but since they were easy to implement we added it anyway 🤷♂️