SignTool with EV Certificate Fails

stuartclennett · August 2, 2019, 10:04am

Hi,

I have renewed my codesign certificate, and (unfortunately & unbeknown to me) our supplier is only providing EV certificates. I now have the certificate on a USB Token & don’t have a PFX file.

The command line signtool appears to work okay - but I have to enter the password via a password prompt.

I’m trying to figure out how to integrate this into my FinalBuilder workflow & I’ve replicated the command line options in your Signtool action properties.

I do not get a password prompt and the signtool operation fails:

Command Line: signtool.exe sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 d:\projects\test.exe
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147023673/0x800704c7)
SignTool Error: An unexpected internal error has occurred.

The command line that works:

D:\DeploymentShared\#CodeSign>signtool sign /a /tr http://rfc3161timestamp.globalsign.com/advanced /td SHA256 d:\projects\test.exe

The two look identical - I’m guessing that I’m not seeing the password prompt?

a) How do I get the password prompt to appear? and
b) Is there anyway I can auto-fill or provide the password? (Using the /p option appears to require the /f option & I don’t have files anymore)

Thanks in advance

Stuart

Vincent · August 2, 2019, 10:11am

From my limited knowledge of EV certificates, there doesn’t appear to be any way to avoid the token prompt, and finalbuilder does not support prompting from command line tools.

You might have better luck with this tool

stuartclennett · August 2, 2019, 10:23am

Thanks Vincent.

This is already turning into a huge time-suck, so trying to figure out how to compile a .Net app is not ideal. (What the heck is NuGet anyway )

I’ve been able to get codesigning working via running a batch file in FB – I say “working” but it’s no longer an hands-free process

It’s be great if you could look into showing these prompts and even some UI Automation ?

Thanks

PS - I’m pretty pi**ed at GlobalSign as the change to an EV token wasn’t announced, it feels like it was forced on us with no pre disclosure. Apparently they ditched file-based certificates on Feb 1st this year & didn’t think it important to tell me. #grrr

Vincent · August 2, 2019, 12:51pm

The problem with capturing prompts is it’s hard! We have tried before, but some where in the redirecting of stdout and stdin we end up with a deadlock.

FWIW, we use ksoftware for our code signing certificate, and they are pretty reasonable and clearly state what it is you are getting - https://www.ksoftware.net/code-signing-certificates

Vincent · August 2, 2019, 12:52pm

FWIW, code signing in FinalBuilder with normal certificates is pretty easy

https://www.finalbuilder.com/resources/blogs/code-signing-changes-for-2016

stuartclennett · August 2, 2019, 1:00pm

Hi

Thanks for the link to ksoftware. I’ve also heard good things about Thawte. I’ve got 3 years to decide, but I guess the EV certificate does have some benefits over normal certs.

I’ve been happily using codesigning in FB & Inno up til now.

Anyway, I’m using two .bat files; 1 to sign all the executables and 1 to sign all the installers. I’m still having to enter the pwd twice during a build though.

I’d be interested to hear how anyone with EV Certificates automates their build process though.

Thanks

Vincent · August 3, 2019, 1:11am

I spent some time reading about this today, I’m kinda suprised I had not heard about the move to ev certificates, it’s very hard to find any info that isn’t self serving (ie from certificate sellers). The best I could find was the requirement for ev certificates for windows 10 drivers.

Our certificate isn’t due for renewal till next year, however I get the feeling I’m going to have to buy an EV certificate sooner just to test this out. The more I read about it though, the more I am horrified and what a poor solution it is. The whole manual intervention (typing a password, on the physical machine) and the physical requirement (usb key) makes a mockery of the established practice of automation software delivery.

I did find this

which looks to be able to get around the password prompt, however you still need access to the usb key, and that raises issues in a virtualised environment. We use hyper-v (2012R2 and 2016) and usb-passthrough is problematic at best, for some usb key’s it just doesn’t work.

So it looks like we are going back to the bad old days of a workstation in the corner that we physically have to walk up to to finish running a build

Vincent · August 3, 2019, 1:17am

Wow, I just looked at the cost of EV code signing certificates, > $250 per year (more if you buy for less than 2 yrs!) - just when letsencrypt freed us from the SSL certificate tyranny!

stuartclennett · August 6, 2019, 10:59am

Hi Vincent

(apologies, been away from the keyboard for a while)

Thanks for the link, it looks promising, but yes, I can’t understand the logic behind EV certificates. It does seem completely contrary to automated build processes.

My build env is in a VMWare machine and I was initially concerned, but USB Passthru is solid in VMWare & works fine. I put the SafeNet Authentication client on both host and VM. Then I went through the download & Token setup procedure in the host. I can then used USB passthru to access it on the VM.

The cost of renewing through GlobalSign was only marginally more expensive than the old file based certificate. £438 GBP for 3 years which is only £100 more expensive than I was paying in previous years. Hence I initially just thought it was a price hike, so I was surprised when the Token arrived in the post

Thanks again,

stuartclennett · August 6, 2019, 12:56pm

PS - the “Enable single signon” option has worked really well for me. I can insert & login to the token through the SafeNet Authentication Client and then fire up my automated build process which no longer requires a password entry. That’s a big win for me as the actual build process is now hands-off & I don’t have to wait until halfway through the process for a password prompt

Vincent · August 6, 2019, 12:31pm

Single signon won’t work for unattended (ie CI) builds though, someone has to be logged into the machine. We run all of our builds on Continua CI (which calls FBCMD), the Continua CI agent runs as a windows service, so there is no opportunity for user interaction.

dcraggs · October 4, 2019, 2:07pm

I have just got an EV Token, I really could do with this working in FB.

Any progress?

Dave

Vincent · October 5, 2019, 1:29am

Hi Dave

Unfortunately not. There are so many issues with EV the more I look into it. There are lots of people asking but it seems the whole point of EV is you have to enter the password. Unfortunately you cannot just RDP in to enter the password as many EV auth clients don’t support it. Still investigating but I don’t have an answer yet, not do I have an EV certificate to play with.

dcraggs · October 7, 2019, 8:55am

Check out here to get a certificate

Vincent · October 7, 2019, 9:55am

I know where to buy one, I just don’t want to when our existing certificate still has a year left on it. Considering the cost of them, I don’t want to buy something I’m not sure I can use - might seem trivial but when you multiply this by all the other tools etc we spend money on every year it all adds up.

dcraggs · October 7, 2019, 2:26pm

I bought one for a year for $105 from this link!

dcraggs · October 7, 2019, 2:27pm

Regards the password prompt, there is a setting where you can set the system to only need the password once per user login.

dcraggs · October 7, 2019, 2:55pm

Got it working with batch files

Vincent · October 7, 2019, 8:56pm

I need it to work without a user logging in, because in a scheduled or CI environment the last thing you want is to login to make your builds work.

Vincent · October 7, 2019, 9:22pm

I have ordered an EV cert, will experiment when it arrives.