Windows code signing certificate source recommendations

Paul Dupuis paul at researchware.com
Tue Oct 10 06:39:28 EDT 2023


To any with a recommendation:

I have been getting my Windows Code Signing Certificates from Comodo. I 
have been able to get certs in file formats like .pfx or .p12 that 
allow me to code sign using a single command line with the password as 
part of the command. This lets me script code signing as part of the "on 
standaloneSaved" message using the "shell()" function, so the code 
signing is part of saving the Standalone.

My current Windows cert expires in November, so I clicked the renew link 
and renewed. The new Cert came on a "USB token" - a small USB memory 
stick that is specially encoded. To sign, I HAVE to use a desktop GUI 
app called SafeNet Authentication Client Tools. After a bunch of back 
and forth with Sectigo - Comodo's fulfillment branch - I got the 
following message:

-----------------

We apologize for the delayed response and any inconvenience it may have 
caused. We understand that you need a Code Signing certificate in PFX 
format to automate the signing process. As per the CA/B forum's new 
regulation, the private key should be generated, stored, and used on a 
suitable FIPS-compliant hardware token. This change from the CA/B Forum 
aims to improve security and help reduce the risk of compromise.

The Code Signing token is a hardware device with a certificate/key 
inbuilt and they cannot create/export PFX files. Since the private key 
is stored on the hardware token, for security it cannot be copied or 
exported. The concept of the token-based code signing certificate is to 
plug the USB into the system where you want to sign the software. We 
appreciate your understanding in this matter.

-----------------

So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in 
a sign command line PER the CA/B Forums (whatever they are).


Does anyone know if this is an industry wide change? Or can anyone 
recommend a Windows Code Signing Certificate provider that can provide a 
cert in a format that supports command line signing, such as:

    "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode /v /p <PASSWORD> "<PATH_TO_STANDALONE>"


I really do not want to return to having to manually sign standalones!

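The signtool command from the message above, wrapped in a PowerShell script as an added example (not code from the original post or from LiveCode): it reads the PFX password from an environment variable instead of hard-coding it in the script, keeps the same /fd certHash, /f and /t arguments, and verifies the signature afterwards so a failed or untrusted signature stops the build. The variable name CODESIGN_PFX_PASSWORD and the default paths (taken from the command above) are assumptions.

```powershell
# Added example, not code from the original post. Signs a standalone with the same
# signtool arguments as the command in the message, with the PFX password read from
# the environment variable CODESIGN_PFX_PASSWORD (an assumed name).
param(
    [Parameter(Mandatory = $true)] [string] $FileToSign,
    [string] $PfxPath  = "C:\Users\Paul\Desktop\Code Signing\RWCodeSigningCert4.pfx",
    [string] $SignTool = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe",
    [string] $TimestampUrl = "http://timestamp.comodoca.com/authenticode"
)

$ErrorActionPreference = 'Stop'

# Fail early on a missing tool, certificate file or target rather than on a confusing signtool error.
foreach ($p in @($SignTool, $PfxPath, $FileToSign)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}

$password = $env:CODESIGN_PFX_PASSWORD
if ([string]::IsNullOrEmpty($password)) {
    throw "Set CODESIGN_PFX_PASSWORD in the environment before signing."
}

# /fd certHash: use the digest algorithm of the certificate, as in the original command.
# Caveat: /p still places the password on signtool's command line, where other local
# processes can observe it; the env var only keeps it out of the script and shell history.
& $SignTool sign /fd certHash /f $PfxPath /p $password /t $TimestampUrl /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) so a broken or untrusted chain
# is caught here instead of on a customer's machine.
& $SignTool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Host "Signed and verified: $FileToSign"
```

Called from the "on standaloneSaved" handler through shell() in place of the bare signtool line, the script's non-zero exit code surfaces a signing or verification failure at save time.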