I switched my Code Signing provider (now certum.pl).
They provide a security USB token with the code signing certificate (even though it is no EV certificate).
Their card manager tool does not provide any information on the container name ... which I seem to need in order to use Installaware with USB token based certificates according to this link viewtopic.php?t=11578
Did anybody ever manage to use a Certum code signing certificate with Installaware?
Best regards,
Roland
Signing with Certum Code Signing Certificates
Re: Signing with Certum Code Signing Certificates
Providers have by now gone completely overboard with not only costs, but also custom implementations.
Ask them for a command line process to sign your binaries. We can then look at how to integrate that into your existing workflow, using maybe Build Events, or other processes.
John Gaver
InstallAware Skunkworks
InstallAware Multi Platform - Liberating DEB/RPM/PKG/MSI(X) into universal native setups!
Get your free copy today - https://www.installaware.com/installaware-multi-platform.htm
Re: Signing with Certum Code Signing Certificates
Hi John,
ok - I asked the provider's support.
Thank you.
Re: Signing with Certum Code Signing Certificates
Same problem here.
RKossow did you find a way to sign with the Certum USB Stick?
I can easily sign an .exe with a command line like this:
"C:...\signtool.exe" sign /n "My Name" /t http://time.certum.pl/ /fd sha256 /v "C:\...my.exe"
but I still don't know how to do it with Installaware. I thought an upgrade from Installaware 15 to 17 might help. But the same with 17.
A "nice to have" would be, if I could enter in Installaware under "Design > Deployment > Authenticode Signature" this line of code:
"C:...\signtool.exe" sign /n "My Name" /t http://time.certum.pl/ /fd sha256 /v $filetosign$
and Installaware would then take this line to sign the file(s) $filetosign$.
several files:
signtool sign /n "Asseco Data Systems S.A." /t http://time.certum.pl/ /fd sha1 /v aplikacja1.exe aplikacja2.exe aplikacja3.exe
Re: Signing with Certum Code Signing Certificates
InstallAware X17 added Code Signing Hooks precisely for this reason.
Please use them to solve your problem, specifying your exact command line(s) just the way you need them in your Project Options dialog.
Enjoy!
John Gaver
Re: Signing with Certum Code Signing Certificates
Thank you very much, JohnGaver!
It would be great if Installaware could provide information or a link to "Project Settings > ...Hooks" under "Deployment > Authenticode Signature". Alternatively, it would be good if I read Installaware's instructions.
Hooks: My setup includes some files that need to be signed. It would be nice if there was a second parameter %2 in addition to %1, which could be used to address n files to be signed at once. Advantage: The PIN only needs to be entered once instead of n times.*
Example from above: signtool sign /n "Asseco Data Systems S.A." /t http://time.certum.pl/ /fd sha1 /v aplikacja1.exe aplikacja2.exe aplikacja3.exe
Of course, besides the updater from Installaware, I can also sign the files via batch before the setup build process.
(* Outside Installaware: I could use a CSP driver and thus activate PIN cache. But CSP does not work on my system out of the box - until now I didn't find a driver to address my card reader.)
Once again, thank you very much for your prompt support.
Regards
Michael
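Added example, not part of the original posts and not InstallAware or Certum code: a PowerShell pre-build step for the batch approach mentioned in the post above, which passes every not-yet-signed .exe to a single signtool call (so that, as the post describes, the PIN is asked for once) and then checks each result. The folder path and parameter names are assumptions, and signtool.exe is assumed to be on PATH.

```powershell
# Pre-build batch signing with a token-held certificate (added example).
# Assumptions: signtool.exe is on PATH; $BinDir is a hypothetical folder;
# $SubjectName and $TimestampUrl mirror the /n and /t values in the thread.
param(
    [string]$BinDir       = '.\build\bin',
    [string]$SubjectName  = 'My Name',
    [string]$TimestampUrl = 'http://time.certum.pl/'
)
$ErrorActionPreference = 'Stop'

# Pick only binaries without a valid Authenticode signature, so a re-run
# does not sign (and prompt for the PIN) again.
$unsigned = @(Get-ChildItem -Path $BinDir -Filter *.exe -File |
    Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
    ForEach-Object { $_.FullName })

if ($unsigned.Count -eq 0) {
    Write-Host 'Nothing to sign.'
    exit 0
}

# One signtool invocation for all files; each array element becomes one argument.
& signtool.exe sign /n $SubjectName /t $TimestampUrl /fd sha256 /v @unsigned
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Fail the build if any file does not verify or carries no timestamp
# (an untimestamped signature stops validating when the certificate expires).
$failed = @()
foreach ($file in $unsigned) {
    & signtool.exe verify /pa /q $file
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($LASTEXITCODE -ne 0 -or $sig.Status -ne 'Valid' -or -not $sig.TimeStamperCertificate) {
        $failed += $file
    }
}
if ($failed.Count -gt 0) { throw "Signature check failed for: $($failed -join ', ')" }
Write-Host "Signed and verified $($unsigned.Count) file(s)."
```

Run it before the setup build and leave the "Deployment > Authenticode Signature" option that skips already signed files enabled, so the build does not sign these binaries a second time.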
Re: Signing with Certum Code Signing Certificates
You're very welcome, Michael!
Unfortunately, the Code Signing Hooks cannot be implemented to pass n number of arbitrary files (where your ideal goal is to have n = all files that would ever be signed as part of that build) to the code signing command line currently.
For several reasons, this is outright impossible - I'll give you just one to consider for now, certain outputs to sign (ex: your single file monolithic installer) depend on successful builds of earlier items (ex: your setup package), and these may be respectively nested several times based on your active code signing policy (ex: signing each previously non-signed binary going inside your setup).
Maybe in the future we would have parallelized code signing hooks that reduce your prompts to the least number theoretically possible?
John Gaver
Re: Signing with Certum Code Signing Certificates
Hello John,
Thank you for your response.
I completely understand that during the setup build process, files are created one after another and therefore need to be digitally signed sequentially rather than simultaneously.
However, I have, for example, six .exe files that need to be signed and installed. Installaware could sign all six files at once.
This way, I would only need to enter the PIN code once for these six files instead of six times.
But this wish is just a "nice to have". I can sign my files before Installaware and set in Installaware under "Deployment > Authenticode Signature" at the bottom of the window that already signed files are not signed again by Installaware.
Best regards and many thanks.
Re: Signing with Certum Code Signing Certificates
Honestly, it seems to me like it may be time to change your certificate provider, if their process is so convoluted.
You may want to really look at Azure Trusted Signing, as the trust level is higher (EV-grade) and it does not break build automation.
Vendors who - obviously with good intentions - design security systems that break builds need to rethink their approach.
I realize switching vendors would be a one-time hassle for you, and I wanted to set realistic expectations for you in my preceding post about the implementation likelihood of the feature you had requested.
John Gaver
Re: Signing with Certum Code Signing Certificates
Hi John
No, this (entering the PIN over and over) is not at all a problem of my certificate provider.
This is THE standard with USB tokens. And I am most probably not the only Installaware customer with a USB token solution.
There are helpers like eSigner CKA (Cloud Key Adapter, for SSL customers only) or MGTEK SmartCard Tools. With these tools you can store/cache the PIN.
I have now written a Windows app with Delphi that enters the PIN code automatically. I can perfectly use it with the Installaware 17 hook feature.
I.e.: I don't need a second Insta hook parameter %2 that allows me to sign multiple files at once. You can discard my "feature request".
Thank you.
Regards, Michael
Re: Signing with Certum Code Signing Certificates
That is awesome to hear, Michael!
Maybe you would care to share the tool for other users here as well?
John Gaver