Vincent Parrett 754 Posted October 25 (edited) Hi All We have developed a client/server product to handle code signing. This makes it simple to code sign from any machine and avoid the dreaded token password prompts. It also supports file based certificates for those who still have valid ones! The client is a single exe (with a similar command line interface to signtool.exe) - 64 bit windows 10/Server 2016 or later (may run on earlier versions but not tested). The server is supported on Windows 10/Server 2016 or later (may run on earlier versions but not tested). Linux support for the server is planned (we have it building but have not tested yet). The server has a web interface for configuring it (adding certificates, managing users etc). We have tested with Safenet tokens (with our own cert) and with Yubikey tokens (with self signed cert). It should work with any token that provides a 64bit pkcs#11 2.4 library dll. We are especially interested in hearing from people with Yubikey tokens (since we have only tested with self signed cert). The token needs to be available to the server machine, either plugged in directly or via usb passthrough for vms, or via virtualhere. We’re still working on docs but it’s pretty simple to get up and running with it, we’ll provide some instructions with the download info etc. If you are interested in testing this product email support @ finalbuilder.com - let us know what kind of token you have. Edited October 25 by Vincent Parrett fixed images 10 Share this post Link to post
Mark- 29 Posted November 10 > We are especially interested in hearing from people with Yubikey tokens Which Yubikey series would you support? And would code signing be able to be automated with your "client/server product"? Share this post Link to post
Vincent Parrett 754 Posted November 10 18 minutes ago, Mark- said: Which Yubikey series would you support? Any yubikey capable of containing a code signing certificate and supported by the yubikey pkcs#11 driver (installed with their PIV tool). We have tested with a 5C and a 5 Nano. 28 minutes ago, Mark- said: And would code signing be able to be automated with your "client/server product"? Yes, that's the main reason we developed the product (for our own use initially) - once you have configured the token/certificate on the server (via the web interface) then signing is done using the client with an api key - no password prompts. PM me if you are interested in testing - we're currently working on documentation and the website with a view to releasing as soon as they are done ( we have had some great feedback already). Also if anyone has a certificate issued by Certum and wants to test Signotuar please message me - I have a certum token/smartcard - but they didn't provide the puk so I can install certs on it for testing. 1 Share this post Link to post
Vincent Parrett 754 Posted November 18 Hi All Signotaur Code Signing Server - Release Candidate 1 is available https://www.finalbuilder.com/downloads/signotaur To get a license key, once installed and logged in, go to the Admin\Licenses page and click on the "Request a 14-day trial license" button - the server will contact our website and download an install a trial key automatically. Docs are here https://docs.finalbuilder.com/sn/1.0/ Note - only tested with Safenet and Yubikey tokens, pfx files and certificate stores so far. 1 Share this post Link to post
Anders Melander 1795 Posted November 18 4 hours ago, Vincent Parrett said: Signotaur Code Signing Server - Release Candidate 1 is available Well, aren't I the lucky one? I've just been tasked with finding a code signing solution for our build pipeline. So far the realistic candidates are: Use Bob's test-server PC in the closet and do it manually (Bob's not too thrilled). Use the certificate providers cloud solution and pay per transaction (not gonna happen). Some clever tool that seems to be designed just for our needs. So do you have any idea about what the price will be on this thing? 2 Share this post Link to post
Mark- 29 Posted November 18 15 minutes ago, Anders Melander said: Use the certificate providers cloud solution and pay per transaction (not gonna happen). So do you have any idea about what the price will be on this thing? Yes our previous cloud solution went to the per transaction model and our cost would have gone up over 1000%. Not going to happen. Yes, #2, the pricing page had no data. Funny, before adding code signing, many years ago, not one customer asked for it or made a comment about it. We have wondered if we removed it, would it have any negative effects. 2 Share this post Link to post
Vincent Parrett 754 Posted November 18 3 hours ago, Anders Melander said: So do you have any idea about what the price will be on this thing? Obviously we have to take into account the competition (cloud), the fact that potential customers have already dropped $$$ on certificates, the cost of supporting it and of course we need to make a profit to make this all worthwhile (10 monthss of R&D). USD$199 is our current thinking. 1 2 Share this post Link to post
Vincent Parrett 754 Posted November 18 2 hours ago, Mark- said: Funny, before adding code signing, many years ago, not one customer asked for it or made a comment about it. We have wondered if we removed it, would it have any negative effects. They will get smartscreen popup's about how dangerous it is to use your product. Share this post Link to post
Vincent Parrett 754 Posted November 18 2 hours ago, Mark- said: Yes, #2, the pricing page had no data. We're still fleshing out the web pages (and working on a new website at the same time). Share this post Link to post
Anders Melander 1795 Posted November 18 7 minutes ago, Vincent Parrett said: USD$199 is our current thinking. Seems reasonable; I'll go ahead with that. Even if it ends up a bit higher I wouldn't see a problem with that (for us anyway) but don't let that influence you 🙂 Thanks. 8 minutes ago, Vincent Parrett said: They will get smartscreen popup's about how dangerous it is to use your product. Which is also the only reason we need it. Well, to be perfectly honest, although FUDscreen is annoying, I suppose it does guard against the binaries getting tampered with (e.g. infected) after install. They could have solved that another way though but we all gotta have something to do. Who said you can't survive on cutting each others hair (is that even a saying in English?). 13 minutes ago, Vincent Parrett said: We're still fleshing out the web pages You misspelled TBD, if that was what it was supposed to say. Share this post Link to post
Vincent Parrett 754 Posted November 18 4 minutes ago, Anders Melander said: Seems reasonable; I'll go ahead with that. Even if it ends up a bit higher I wouldn't see a problem with that (for us anyway) but don't let that influence you 🙂 Of course I'd love to be charging more, but the market probably wouldn't agree. I have been agonising over this for months - naming and pricing - both difficult aspects of turning projects into products. 7 minutes ago, Anders Melander said: Which is also the only reason we need it. Well, to be perfectly honest, although FUDscreen is annoying, I suppose it does guard against the binaries getting tampered with (e.g. infected) after install. They could have solved that another way though but we all gotta have something to do. It's all about the provenance of the executable - does it come from who it says it does. Codesigning is ok, smartscreen isn't so smart - I see popups even with EV signed exe's just because not msany people have downloaded a file. 13 minutes ago, Anders Melander said: Who said you can't survive on cutting each others hair (is that even a saying in English?). Can't say I have heard of it but I like it! Share this post Link to post
Mark- 29 Posted November 18 33 minutes ago, Vincent Parrett said: They will get smartscreen popup's about how dangerous it is to use your product. True. Is that issue a negative for customers. Don't know. Share this post Link to post
Uwe Raabe 2060 Posted November 18 1 hour ago, Mark- said: Is that issue a negative for customers. When you sell to larger companies? Definitely! Most likely they will never make it to be your customers. 1 Share this post Link to post
Brandon Staggs 278 Posted November 18 1 hour ago, Vincent Parrett said: I see popups even with EV signed exe's just because not msany people have downloaded a file. One of the supposed benefits to an EV cert is that it comes with instant SmartScreen rep. My own experience was than the first time I signed with my EV cert nobody saw any SmartScreen warnings, which was never the case when I first used cheaper certs in the past. Do different browsers use their own screening systems? Windows + Edge should be consistent, but maybe other browsers don't care what SmartScreen thinks? Share this post Link to post
Vincent Parrett 754 Posted November 18 It's more about the first time you launch the exe - I have seen warnings even with apps signed with EV certs - possibly it because it was a new update of an app - I was surprised - so I checked that the exe was signed just in case - it was - launched it again and no popup 💁♂️ Share this post Link to post
JonRobertson 72 Posted November 18 If your customers use an Endpoint Protection and Response product, code signing is critical. The one we use sometimes complains even when the executable is signed with a valid certificate. It is a pain in the rear. But it is essential due to the number and sophistication of cyber threats today. Two-factor or multi-factor authentication is also a pain that I have to put up with daily. I can't do my job without my phone. The Internet is a tremendous resource. But there are days that I miss the simplicity of 8-bit computing. 2 Share this post Link to post
mvanrijnen 123 Posted November 19 16 hours ago, JonRobertson said: If your customers use an Endpoint Protection and Response product, code signing is critical. The one we use sometimes complains even when the executable is signed with a valid certificate. It is a pain in the rear. But it is essential due to the number and sophistication of cyber threats today. Two-factor or multi-factor authentication is also a pain that I have to put up with daily. I can't do my job without my phone. The Internet is a tremendous resource. But there are days that I miss the simplicity of 8-bit computing. So we create only software for internal use, using (at the moment) , do we benefit from code signing ? Share this post Link to post
JonRobertson 72 Posted November 19 11 minutes ago, mvanrijnen said: So we create only software for internal use, using (at the moment) , do we benefit from code signing ? Are your computers connected to the Internet? Any application can be hijacked by an intrusion from the outside, even applications developed internally. Share this post Link to post
mvanrijnen 123 Posted November 19 (edited) 9 minutes ago, JonRobertson said: Are your computers connected to the Internet? Any application can be hijacked by an intrusion from the outside, even applications developed internally. Yes. my question was more, (a discussion i had on this forum a few years ago also), do we benefit for preventing false positives using signing (makes it easier turning the mgmt in positive direction, so they don't only see it as a cost) ? (we are going to implement signing anyway). Edited November 19 by mvanrijnen Share this post Link to post
JonRobertson 72 Posted November 19 9 minutes ago, mvanrijnen said: do we benefit for preventing false positives using signing I suspect that depends on the software scanning for virus and malware. My suspicion is that scanners don't care whether applications are signed, because there is nothing that prevents me from applying a security certificate to malicious code. Especially if the certificate cannot be traced back to me. Share this post Link to post
DelphiUdIT 178 Posted November 19 6 hours ago, JonRobertson said: I suspect that depends on the software scanning for virus and malware. My suspicion is that scanners don't care whether applications are signed, because there is nothing that prevents me from applying a security certificate to malicious code. Especially if the certificate cannot be traced back to me. A public signature is subject to revocation, which I can imagine would happen very quickly if a malware signature is verified. Also, the signature would be easily identifiable and the malware could therefore be blocked in virtually "zero time". 1 Share this post Link to post
Angus Robertson 574 Posted November 20 The concept of certificate revocation is changing due to the slow down it causes and the massive databases needed. OCSP seems to be dead with browsers no longer using it (CRL instead), Let's Encrypt is stopping it's OSCP servers service soon. The industry wants certificate life to be shorter so they are replaced regularly (monthly) rather than being revoked. But this is not really relevant to code signing, since expired certificates are usually trusted provided they are time stamped signed, Azure issues code signing certificates that expire within two days or something. You can only revoke unexpired certificates, and our signed applications need to run for years or decades, thus the time stamp. In theory, the OS or scanners could try and check old signing certificates being revoked, but it would not be easy. Angus Share this post Link to post
DelphiUdIT 178 Posted November 20 A digital signature remains valid until it or the issuing certificate (chain trust) is revoked. When it expires in time, it is still considered valid. You cannot use a certificateto for signing purpose that has already expired, obviously. As for OSCP and CRL, in any case the possibility of invalidating a signature (or a certificate) must be guaranteed ... it is the basis of the concept of public signature. I don't know for how long it will still be possible to use "file" certificates like those of LET'S Encrypt for uses other than simple SSL ... the legislation (for example the Italian one) considers the digital signature valid ONLY and EXCLUSIVELY if produced by HARDWARE devices (specific), and it seems to me that the rest of the world follows this. So certificates with a validity of less than 1 year are not feasible if combined with classic USB TOKENS for example. Bye Share this post Link to post
chillefeld 1 Posted November 27 Is support for signing powershell scripts planned for the release version? The RC does not support it but unfortunately we need it. Share this post Link to post
Vincent Parrett 754 Posted November 27 19 minutes ago, chillefeld said: Is support for signing powershell scripts planned for the release version? The RC does not support it but unfortunately we need it. Yes, it works in our testing here with the RC (v1.0.0.319) - what happens when you try it? C:\Temp>SignotaurTool.exe sign -a MYAPIKEY -s https://ciagent005:91 --allow-untrusted --fd=SHA256 -t 56DFCD0B0C37DD1B9AB75FFCAB6627745E6E93B6 -d="A Test" test.ps1 +----------------------------------------------------------------------------------------------------------------------+ | SignotaurClient | | Version : 1.0.0.324 | | © 2024 VSoft Technologies Pty Ltd | | | +----------------------------------------------------------------------------------------------------------------------+ 20:01:30 The following certificate was selected: Issued to: CN=VSoft Technologies Pty Ltd, O=VSoft Technologies Pty Ltd, L=Canberra, S=Australian Capital Territory, C=AU Issued by: CN=GoGetSSL G4 CS RSA4096 SHA256 2022 CA-1, O=EnVers Group SIA, C=LV Expires: 09/05/2026 09:59:59 20:01:30 Signing 1 files. 20:01:30 Sending sign request to server for file C:\Temp\test.ps1 (size: 47 B) ... 20:01:32 C:\Temp\test.ps1 signed successfully. Exit code: 0 20:01:32 Execution time: 00:00:02.2759870 And when I test running the script PS C:\temp> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy allsigned PS C:\temp> .\test.ps1 Do you want to run software from this untrusted publisher? File C:\temp\test.ps1 is published by CN=VSoft Technologies Pty Ltd, O=VSoft Technologies Pty Ltd, L=Canberra, S=Australian Capital Territory, C=AU and is not trusted on your system. Only run scripts from trusted publishers. [V] Never run [D] Do not run [R] Run once [A] Always run [?] Help (default is "D"): a I am signed thanks to Signotaur! PS C:\temp> Share this post Link to post