James Steel

New Code Signing Certificate Recommendations


I ended up purchasing a 3-year OV certificate (EV seems like a waste to me) from GoGetSSL.com which was substantially cheaper (USD $730 including $120 shipping - better come wrapped in a vault!) than anywhere else - turns out they are owned by DigiCert and once you order they create an account for you on DigiCert and the request process is done on the DigiCert site.


Received my new OV token from Digicert today - it is a SafeNet 5110+ FIPS token (thankfully) and I am able to automate signing with it 😅

I spent some time messing with a self-signed certificate on a YubiKey token over the last week, but cannot for the life of me figure out how to get it to sign without prompting for a password. This was just an experiment with the YubiKey (which I already had for other purposes).

Quote

FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided). 

I'm surprised to see this sentiment. My impressions point in the opposite direction. Stack Overflow posts about SafeNet tokens range from auto-typing the password into the GUI via AutoIt to undocumented parameters gained from reverse engineering the driver. Coupled with proprietary software not directly available from the vendor. All in all this sounds terrible.


On the other hand the YubiKey libraries are open-source and automated signing via PKCS#11/PIV is easy. I've recently implemented this via Windows' SignerSignEx3 -> Callback to sign the computed hash -> Sign via OpenSSL + PKCS#11 provider + PKCS#11 YubiKey library and the pin can be provided as a provider option. I did this with OpenSSL primarily so that I could move the actual signing (as opposed to Authenticode hash computation) to a different machine running Linux.


One disadvantage of the YubiKey is that it doesn't support RSA keys with >2048 bits; not enough for code signing anymore so you have to use ECDSA. There are certain signature schemes that don't support ECDSA (like NuGet).

3 hours ago, Patrick PREMARTIN said:

nice ad for an affiliate website promoting "partners" programs

That site has form - they plagiarised my blog about signing with USB tokens and when I called them on it they flat out refused to take it down. They have a ton of blog posts that to me look to be mined from the web and reworded - perhaps with AI - DO NOT USE THEM.


PS. I did some research and their blog posts rank really high on google (#1 for my blog they stole, mine is #7 grrrr) - that suggests to me it's the work of an SEO team creating content purely for the purpose of getting their site ranking on google - I very much doubt there is any original content. 

Edited by Vincent Parrett
On 12/27/2024 at 10:25 AM, Vincent Parrett said:

USB tokens

Stay away from USB tokens. Use a seller that does not force you to use such a device. For my token I only needed the "signtool.exe" from Microsoft, which also DOES NOT require you to enter the password every time you want to sign an exe file.💪

Edited by GabrielMoraru

1 hour ago, GabrielMoraru said:

Stay away from USB tokens. Use a seller that does not force you to use such a device. For my token I only needed the "signtool.exe" from Microsoft, which also DOES NOT require you to enter the password every time you want to sign an exe file.💪

Hi Gabriel: In your blog post you give wrong prices for the certificates. Some providers don't multiply the price by the number of years...

1 hour ago, GabrielMoraru said:

Stay away from USB tokens. Use a seller that does not force you to use such a device. For my token I only needed the "signtool.exe" from Microsoft, which also DOES NOT require you to enter the password every time you want to sign an exe file.💪

So Sectigo is still selling certificates which can be used as a .pfx directly with signtool.exe without presenting a prompt?

So why are they providing a USB stick then? This could just be done electronically via mail.


I've just ordered a Sectigo dongle via K Software, a renewal of my last certificate, so hopefully should not take too long.


My understanding is signtool has special parameters that bypass password requests, not tried them yet.


Angus

7 hours ago, GabrielMoraru said:

Stay away from USB tokens.

You say that, but in your blog post you mention you bought one and then you show a signtool example using a pfx - which is it? You cannot buy a certificate where the private key is provided in a pfx file these days - it has to be provided on a USB token or installed onto an HSM, both of which make the private key non-exportable.


I recently bought a 3 year OV certificate from SSL.com * for USD $328.95 - I specified no usb key as I already had a Yubikey 5 FIPS that I could use. I also have a certificate on a Safenet token - but wanted a certificate on a yubikey for testing purposes (and as a backup).


* They initially issued the certificate incorrectly - I had to contact their support and go through the whole attestation again - however it's still not working (signtool succeeds but windows says "no signature present in the subject") - waiting to hear back from their support again.


Edited by Vincent Parrett
1 hour ago, Angus Robertson said:

My understanding is signtool has special parameters that bypass password requests, not tried them yet.

That works for SafeNet tokens (which Sectigo use), but not for YubiKey (which some other CAs use).


Not surprised it does not work for Certum, I used one of their dongles for a few years and it required special driver software, incompatible with the Windows Certificate Store.  Would not use them again.


Angus

19 hours ago, rvk said:

So why are they providing a USB stick then? This could just be done electronically via mail.

 

Because they charge you $130 for that USB stick (so-called "packing and handling fees"). They make more money from that USB than they make from the token itself.

17 hours ago, Vincent Parrett said:

You say that, but in your blog post you mention you bought one and then you show a signtool example using a pfx - which is it?


Hi Vincent. Which is what?
The online article is for the general public. But below is a screenshot of the actual script. The pfx is on my computer. It works.


Quote

Hi Gabriel: In your blog post you give wrong prices for the certificates. Some providers don't multiply the price by the number of years...

Hi Patrick.
You can send me private message with the name of the seller.

I try to update that list every year. I did it also this year, but some only the top of the list.

The prices vary wildly from one year to another.


Smallest price

If you find a cheaper seller, please let me know! I will put it on top of my list right away!


Screenshot.png

Edited by GabrielMoraru

50 minutes ago, Angus Robertson said:

Not surprised it does not work for Certum, I used one of their dongles for a few years and it required special driver software, incompatible with the Windows Certificate Store.  Would not use them again.

Angus

By now, like I wrote in another thread, I use Certum (since two days) and they are compatible with the Windows certificate store. Of course they install their own drivers, but without calling them directly all applications see the certificate and can use it.


Edited by DelphiUdIT
13 minutes ago, GabrielMoraru said:

Which is what?
Here is a screenshot of the actual script. The pfx is in my computer. It works.


Screenshot.png

I think we are talking about certificates on a hard token, as the new standard imposes. You cannot have the private key in a file in any way. The last example proposed in the link by Angus tries to use the private key on USB (using an undocumented feature) and a certificate in a file (DER format).


This doesn't work on Certum. It will always ask for a PIN, and if you use the /CSP parameter with undocumented features, it says "the token is not compatible with request operation, try another token".

39 minutes ago, GabrielMoraru said:

Because they charge you $130 for that USB stick (so-called "packing and handling fees"). They make more money from that USB than they make from the token itself.

Luckily I should get a usb stick when my 3 years run out (including a certificate for another year) as part of the promo when they switched to the new form. 


But you said you have a pfx without a USB stick and don't need a password. How does that work? How did you get that from Sectigo? If you only have a pfx, this is portable to another computer/developer without the USB stick present. That shouldn't be possible anymore. How did you get the pfx? Mail or USB stick? And if you did get the USB key, how did you extract the pfx from that?


Edit: I wonder if you are not just signing with an old certificate ;)

Edited by rvk

2 hours ago, rvk said:

But you said you have a pfx without a USB stick and don't need a password. How does that work? How did you get that from Sectigo? If you only have a pfx, this is portable to another computer/developer without the USB stick present. That shouldn't be possible anymore. How did you get the pfx? Mail or USB stick? And if you did get the USB key, how did you extract the pfx from that?

Sorry. I don't remember all the details. I have found the email from the very first certificate from Sectigo about 8 years ago. They sent a smart card / e-token, and a link to something, protected by a password.

But for the most recent one I purchased from KSoftware (in the end Sectigo) I don't remember anymore. I will search the emails from them. I have found only one email that links to a KB article which is down now "Service from our ticketing system will be restored shortly."


Update:

I have found this email:


Dear Gabriel Moraru,

Thank you for placing your order. The necessary background checks have been successfully completed and we are pleased to announce that your Code Signing Certificate has been issued.

To collect your Code Signing Certificate, please click [here].

Your Collection Code is: xxxxxxxxxxxx

Please use Microsoft Internet Explorer 8+ on Windows and Firefox ESR on Mac to collect your certificate.
Code Signing Certificate cannot currently be obtained using Google Chrome, Apple Safari or Microsoft Edge.


Support Page

bla bla bla


_____________


I think the PFX came attached to that email.


My current certificate is still valid but it will expire this spring 😞


Edited by GabrielMoraru

15 minutes ago, GabrielMoraru said:

I think the PFX came attached to that email.


My current certificate is still valid but it will expire this spring 😞

Can you check the actually signed exe file? Did it really contain the new certificate? I still have a feeling you are working with old files, because the new method shouldn't allow token-less certificates anymore. So the old pfx isn't allowed anymore after it expires.


https://knowledge.digicert.com/general-information/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022


That mail is from the old way of doing things before 2023. So if you used the pfx from there... Then that's not going to work anymore after the certification expires in a few months.


Edited by rvk

Just now, rvk said:

Can you check the actually signed exe file? Did it really contain the new certificate? I still have a feeling you are working with old files, because the new method shouldn't allow token-less certificates anymore. So the old pfx isn't allowed anymore after it expires.

I used SignTool\signtool.exe verify /pa Test.exe and I get:


Quote

File: Test.exe
Index  Algorithm  Timestamp
========================================
0      sha256     None

Successfully verified: Test.exe
Press any key to continue . . .

Just now, GabrielMoraru said:

used SignTool\signtool.exe verify /pa Test.exe and I get

No, you need to right click the file and go to properties. Choose the certificate tab and see if it had the new certificate.


That command just shows you still have a valid verification, but that could still be the certificate which you can't use anymore after the spring to sign new files.


Edited by rvk

1 minute ago, rvk said:

No, you need to right click the file and go to properties. Choose the certificate tab and see if it had the new certificate.


Yes. I right-click the exe file and I see the "digital signature" tab. It says that it is signed under my name (digest algorithm sha 256) but the timestamp is "Not available".


PS:
VirusTotal.com says that the file has a valid signature.

Edited by GabrielMoraru

Just now, GabrielMoraru said:

Yes. I right-click the exe file and I see the "digital signature" tab. It says that it is signed under my name (digest algorithm sha 256) but the timestamp is "Not available".

O wow, then you didn't even sign with a timeserver timestamp (which means the signed exe will complain when the certificate expires). Normally you sign with the timeserver so the exe will be usable also after your certificate expires. You just can't sign new exes anymore with an expired certificate.


Because you didn't, and don't seem to be able to get to the real certificate, it leads me to believe you didn't even check things.


Now do the same as before (right click exe, properties, certificate tab) but now click a SHA256 and click Details.

Then click View certificate.

There you have "Issued to", "Issued by" but also "Valid from/to".

What are the dates there?

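As an added example that is not from any post in this thread, the check described above (issued to, issued by, valid from/to, and whether a timestamp is present) done from PowerShell with Get-AuthenticodeSignature instead of the properties dialog; the function name and the file path are assumptions.

```powershell
# Added example, not code from anyone in this thread. Reads the Authenticode
# signature of a file and reports what the "Digital Signatures" tab shows,
# plus whether a timestamp counter-signature exists. The path is an assumption.
function Test-CodeSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate        # $null when the file is not signed
    $ts   = $sig.TimeStamperCertificate   # $null when no timestamp was applied

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status         # Valid, NotSigned, HashMismatch, ...
        IssuedTo    = if ($cert) { $cert.Subject }   else { $null }
        IssuedBy    = if ($cert) { $cert.Issuer }    else { $null }
        ValidFrom   = if ($cert) { $cert.NotBefore } else { $null }
        ValidTo     = if ($cert) { $cert.NotAfter }  else { $null }
        CertExpired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
        # Without a timestamp the signature stops validating as soon as the
        # signing certificate expires; with one it stays valid afterwards.
        Timestamped = [bool]$ts
        TimestampCA = if ($ts) { $ts.Issuer } else { 'Not available' }
    }
}

# Assumed path; prints one record per file checked.
Test-CodeSignature -Path 'C:\build\Test.exe' | Format-List
```

When signing, pass signtool a timestamp server with `/tr <url> /td sha256` so the signature outlives the certificate; a file signed without one shows Timestamped = False here and "Not available" in the Digital Signatures tab.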

5 minutes ago, rvk said:

There you have "Issued to", "Issued by" but also "Valid from/to".

What are the dates there?


As I said, until spring.

It says:


Issued by sectigo public code CA R36

Valid from: 2022-04-01 to 2025-04-01

Edited by GabrielMoraru
