Windows code signing certificate source recommendations
Brian Milby
brian at milby7.com
Tue Oct 10 08:38:42 EDT 2023
While not directly applicable, you may be able to script it, similar to using a CAC.
DOD uses Smart Cards for authentication and you can have command line tools use the card for authentication (runas /smartcard program). What happens is that you get a pop-up from the system to choose a cert and enter the PIN. A similar process may be possible.
Brian Milby
brian at milby7.com
> On Oct 10, 2023, at 6:40 AM, Paul Dupuis via use-livecode <use-livecode at lists.runrev.com> wrote:
>
> To any with a recommendation:
>
> I have been getting my Windows Code Signing Certificates from Comodo. I have been able to get certs in file formats like .pfx or .p12 that allow me to code sign using a single command line with the password as part of the command. This lets me script code signing as part of the "on standaloneSaved" message using the "shell()" function, so the code signing is part of saving the Standalone.
>
> My current Windows cert expires in November, so I clicked the renew link and renewed. The new Cert came on a "USB token" - a small USB memory stick that is specially encoded. To sign, I HAVE to use a desktop GUI app called SafeNet Authentication Client Tools. After a bunch of back and forth with Sectigo - Comodo's fulfillment branch - I got the following message:
>
> -----------------
>
> We apologize for the delayed response and any inconvenience it may have caused. We understand that you need a Code Signing certificate in PFX format to automate the signing process. As per the CA/B forum's new regulation, the private key should be generated, stored, and used on a suitable FIPS-compliant hardware token. This change from the CA/B Forum aims to improve security and help reduce the risk of compromise.
>
> The Code Signing token is a hardware device with a certificate/key inbuilt and they cannot create/export PFX files. Since the private key is stored on the hardware token, for security it cannot be copied or exported. The concept of the token-based code signing certificate is to plug the USB into the system where you want to sign the software. We appreciate your understanding in this matter.
>
> -----------------
>
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a sign command line PER the CA/B Forums (whatever they are).
>
>
> Does anyone know if this is an industry wide change? Or can anyone recommend a Windows Code Signing Certificate provider that can provide a cert in a format that supports command line signing, such as:
>
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode /v /p <PASSWORD> "<PATH_TO_STANDALONE>"
>
>
> I really do not want to return to having to manually sign standalones!
>
>
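As an added example (not part of this thread, and not either poster's actual setup), the PowerShell script below shows the scripted flow Brian describes: pick the token-backed certificate out of the Windows certificate store and let signtool use it directly, so there is no PFX file and no /p password on the command line, and the token client's PIN prompt takes the place of the password. The signtool path is the one from Paul's command; the timestamp URL, the parameter names, the store lookup and the assumption that the token's minidriver publishes the certificate into CurrentUser\My are mine, not the thread's.

```powershell
# Added example (not from the original thread): scripted Authenticode signing
# with a certificate whose private key lives on a hardware token.
# Assumptions (not from the thread): the token's minidriver/CSP exposes the
# certificate in the CurrentUser\My store, signtool.exe is at $SignTool,
# and the RFC 3161 timestamp URL below is the one your CA documents.
param(
    [Parameter(Mandatory = $true)][string]$Path,            # file to sign, e.g. the standalone .exe
    [string]$Thumbprint,                                    # optional: pin the script to one exact certificate
    [string]$TimestampUrl = 'http://timestamp.sectigo.com'  # assumed RFC 3161 URL; confirm with your CA
)

$SignTool = 'C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe'

# Pick the signing certificate from the store. With a hardware token the key is
# non-exportable, so HasPrivateKey is true but no PFX can ever be produced; the
# token client prompts for the PIN when signtool asks the key to sign.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })  # Code Signing EKU
}
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
if (-not $certs) { throw 'No usable code-signing certificate with a private key found in CurrentUser\My' }
$cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

# /sha1 selects the certificate by thumbprint (no /f and no /p: there is no file and no password),
# /fd and /td ask for SHA-256 file and timestamp digests, /tr is RFC 3161 timestamping.
& $SignTool sign /sha1 $cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) so a broken chain or a
# missing timestamp is caught at build time rather than on a customer's machine.
& $SignTool verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Host "Signed $Path with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

Call it from the "on standaloneSaved" handler with shell() the same way the original signtool line was called, passing the standalone path. The PIN dialog comes from the token client (the same pattern as the runas /smartcard prompt above), so a fully unattended build still needs someone at the keyboard unless the token client offers session PIN caching, which is a client-specific setting to check rather than something this script controls. The verify step is the part worth keeping even for a PFX-based flow: a signature that fails /pa on the build machine will fail for every user too.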