Signotaur action with label support

Is there a way to use the new --label option supported in the FinalBuilder Signotaur action?

If not, can you add that, please?

Let me extend that to SHA1 support.

… and Unsupported File Types

Thanks for the reminder - will get that sorted in the next few days.

Meanwhile I make use of ExtraCmdLineParamsAtEnd.

Hi Uwe

This build adds support for Label, SHA1 (Dual signing) and Unsupported file types. We did have to re-organise the ui on the signing action somewhat to make room for the new options.

https://downloads.finalbuilder.com/downloads/finalbuilder/850/FB850_3600.exe

An official update will be a few weeks, we are working on re-implementing the sftp actions with a different client library which will take some time to test (basic testing is done, we are testing backwards compatibility at the moment).

Thanks Vincent for the quick reaction. Here are my findings:

  1. While the Signing Options page correctly says “One of Thumbprint or Subject or Label is required”, I wasn’t able to find an edit control to specify a Label.
  2. Dual-Sign gives an error (see attached FB log excerpt).

DualSignError.txt (3.7 KB)

Hi Uwe

Looking into it.

Hi Uwe

For dual signing, I believe you need to enable the Append Signature option. I’ll make sure we change the action to do that automatically.

Hi Uwe,

The error is caused by combining --sha1 with your ECDSA certificate. Windows refuses to nest a SHA-256 signature on top of an ECDSA+SHA-1 primary signature, which is the E_INVALIDARG you’re seeing in the log.

Windows XP / Vista / Windows 7 (pre-SP1) only understand RSA code signing - they have no support for ECDSA certificates at all. So a SHA-1 signature made with your ECC cert can’t be validated on the old Windows versions it’s meant for. You’ll need to use an RSA code-signing certificate or remove --sha1 and sign with SHA-256 only.
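The incompatibility described in the reply above can be caught in a build script before any signing call is made. The following is an added example, not part of the original thread and not Signotaur or FinalBuilder code: a PowerShell guard that inspects the certificate's public-key algorithm and only lets `--sha1` through for RSA. The function name `Test-Sha1DualSignAllowed` and the two in-memory self-signed certificates are constructed for illustration; creating them needs .NET Framework 4.7.2+ or PowerShell 7.

```powershell
# Added example: decide whether --sha1 may be combined with a given certificate.
# Test-Sha1DualSignAllowed is a hypothetical helper; it does not call any signing tool.
function Test-Sha1DualSignAllowed {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $keyOid = $Certificate.PublicKey.Oid.Value
    if ($keyOid -eq '1.2.840.113549.1.1.1') {       # rsaEncryption
        return $true
    }
    if ($keyOid -eq '1.2.840.10045.2.1') {          # id-ecPublicKey (ECDSA)
        Write-Warning ("'{0}' uses an ECDSA key; dropping --sha1 and signing with SHA-256 only." -f
            $Certificate.Subject)
        return $false
    }
    Write-Warning ("'{0}' uses key algorithm {1}; not adding --sha1." -f $Certificate.Subject, $keyOid)
    return $false
}

# Constructed sample input: two throwaway self-signed certificates held in memory only.
$sha256    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$notBefore = [DateTimeOffset]::Now
$notAfter  = $notBefore.AddDays(1)

$ecKey  = [System.Security.Cryptography.ECDsa]::Create()
$ecReq  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
              'CN=Constructed ECDSA test cert', $ecKey, $sha256)
$ecCert = $ecReq.CreateSelfSigned($notBefore, $notAfter)

$rsaKey  = [System.Security.Cryptography.RSA]::Create(2048)
$rsaReq  = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
               'CN=Constructed RSA test cert', $rsaKey, $sha256,
               [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$rsaCert = $rsaReq.CreateSelfSigned($notBefore, $notAfter)

# Build the extra arguments per certificate; all other signing arguments are omitted here.
foreach ($cert in @($ecCert, $rsaCert)) {
    $extraArgs = @()
    if (Test-Sha1DualSignAllowed -Certificate $cert) {
        $extraArgs += '--sha1'
    }
    'Subject: {0}  extra args: [{1}]' -f $cert.Subject, ($extraArgs -join ' ')
}
```

In a real build the certificate would be loaded from an exported public `.cer` file for the signing identity instead of being generated.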

Thanks Dave,

I think I’d better drop SHA-1 completely then. It would be nice to have it for a handful of DLLs used on Windows XP, but I can live without them being signed properly. If someone doesn’t trust my binaries for these legacy systems, they can as well trash the whole thing completely. It feels like I am the only one still providing support for that anyway.

Sorry for bothering you.

Best regards
Uwe

Hi Uwe,

No bother at all - it was a genuinely useful report.

The error message was misleading (“Failed to append primary signature” when it’s actually the secondary one that failed), so I’ve tweaked the wording for the next build and added an up-front warning. That way anyone combining --sha1 with an ECDSA certificate will be informed straight away.

Dropping --sha1 is the right approach for your cert type. And realistically, you’re not losing anything - Windows XP is long gone, Microsoft stopped trusting SHA-1 Authenticode root certificates back in 2020, and even those still using XP have mostly accepted that code signing for those systems isn’t really viable anymore.

Hi Uwe

This build has the fix for the missing Label field

https://downloads.finalbuilder.com/downloads/finalbuilder/850/FB850_3608.exe