Window code signing certificate source recommendations

matthias_livecode_150811 at m-r-d.de
Tue Oct 10 08:53:37 EDT 2023


Hello Paul,

unfortunately this is the "new" standard. Since 1st June 2023 private keys have to be stored on a token.
https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/

There is no way anymore to export a certificate, for example to .pfx.
And, much more of a pain, it is not possible anymore to code sign Windows apps under macOS, or at least I was not able to do so so far.

I have a "cloud" certificate from Certum which I purchased from SSL Point (https://www.sslpoint.com)

With this type of certificate the private key is not stored on a USB token. This "cloud" certificate works similar to a USB token. I also have to install some software. This software allows me to log in to the "cloud", and after successful login I can use that certificate
with Microsoft's signtool and JARsigner.
https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf

So to automate your signing, you just have to keep a Windows PC running and make sure that you are logged in to the "cloud". As long as the software is logged in you have access to the certificate.
I don't know if this is also the case with the USB token. Could not test it, because I do not have a USB token. ;)


Regards,
Matthias




> Am 10.10.2023 um 12:39 schrieb Paul Dupuis via use-livecode <use-livecode at lists.runrev.com>:
> 
> To any with a recommendation:
> 
> I have been getting my Windows Code Signing Certificates from Comodo. I have been able to get certs in file formats like .pfx or .p12 that allow me to code sign using a single command line with the password as part of the command. This lets me script code signing as part of the "on standaloneSaved" message using the "shell()" function, so the code signing is part of saving the Standalone.
> 
> My current Windows cert expires in November, so I clicked the renew link and renewed. The new cert came on a "USB token" - a small USB memory stick that is specially encoded. To sign, I HAVE to use a desktop GUI app called SafeNet Authentication Client Tools. After a bunch of back and forth with Sectigo - Comodo's fulfillment branch - I got the following message:
> 
> -----------------
> 
> We apologize for the delayed response and any inconvenience it may have caused. We understand that you need a Code Signing certificate in PFX format to automate the signing process. As per the CA/B forum's new regulation, the private key should be generated, stored, and used on a suitable FIPS-compliant hardware token. This change from the CA/B Forum aims to improve security and help reduce the risk of compromise.
> 
> The Code Signing token is a hardware device with a certificate/key inbuilt and they cannot create/export PFX files. Since the private key is stored on the hardware token, for security it cannot be copied or exported. The concept of the token-based code signing certificate is to plug the USB into the system where you want to sign the software. We appreciate your understanding in this matter.
> 
> -----------------
> 
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a sign command line PER the CA/B Forum (whatever they are).
> 
> 
> Does anyone know if this is an industry-wide change? Or can anyone recommend a Windows Code Signing Certificate provider that can provide a cert in a format that supports command line signing, such as:
> 
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode /v /p <PASSWORD> "<PATH_TO_STANDALONE>"
> 
> 
> I really do not want to return to having to manually sign standalones!
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
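The signing step Matthias describes (token or cloud-held key, no .pfx, vendor client logged in on a Windows host) can still be scripted from the certificate store instead of from a file. This is an added example, not code from the thread, Certum or SSL Point; it assumes signtool.exe is on PATH, that the token/cloud vendor software has registered the certificate in CurrentUser\My, and that the thumbprint placeholder and timestamp URL are replaced with your own.

```powershell
# Added example (not from the thread): sign with a certificate whose private key
# lives on a USB token or in a cloud signing service, so there is no .pfx to pass.
# Assumptions: signtool.exe is on PATH, the vendor client has registered the
# certificate in CurrentUser\My, and $Thumbprint is replaced with your own.
param(
    [Parameter(Mandatory)] [string] $FileToSign,
    [string] $Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT',   # placeholder
    [string] $TimestampUrl = 'http://timestamp.sectigo.com'     # RFC 3161 server (assumption)
)

$ErrorActionPreference = 'Stop'

# 1. Locate the certificate. With a token/cloud provider the store entry refers to
#    a key the CSP/KSP holds elsewhere: HasPrivateKey is true, but the key cannot
#    be exported, which is exactly what the CA/B Forum change requires.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
if (-not $cert) {
    throw "Certificate $Thumbprint not found or key unavailable (token unplugged / cloud client not logged in?)"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Sign by thumbprint (/sha1) instead of /f + /p. No password goes on the
#    command line; the token PIN or cloud login is handled by the vendor client.
#    /fd and /td select SHA-256 for the file digest and the timestamp digest.
& signtool.exe sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify the result the way Windows will: full chain policy plus timestamp.
& signtool.exe verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 4. Cross-check from PowerShell and report who signed and whether it is timestamped,
#    so the build log shows the signer that will be trusted after the cert expires.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }
"Signed by:   $($sig.SignerCertificate.Subject)"
"Timestamped: $(if ($sig.TimeStamperCertificate) { 'yes' } else { 'no' })"
```

Because the permanently logged-in signing host now stands in for the key, treat it like the token itself: a dedicated machine, restricted logon, and an audit trail of every signtool invocation.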


