SignTool with EV Certificate Fails

Thanks Vincent.

This is already turning into a huge time-suck, so trying to figure out how to compile a .Net app is not ideal. (What the heck is NuGet anyway :smiley:)

I’ve been able to get codesigning working via running a batch file in FB – I say “working” but it’s no longer a hands-free process :frowning:

It’d be great if you could look into showing these prompts and even some UI Automation?

Thanks

PS - I’m pretty pi**ed at GlobalSign as the change to an EV token wasn’t announced, it feels like it was forced on us with no pre-disclosure. Apparently they ditched file-based certificates on Feb 1st this year & didn’t think it important to tell me. #grrr

The problem with capturing prompts is it’s hard! We have tried before, but somewhere in the redirecting of stdout and stdin we end up with a deadlock.

FWIW, we use ksoftware for our code signing certificate, and they are pretty reasonable and clearly state what it is you are getting - https://www.ksoftware.net/code-signing-certificates

FWIW, code signing in FinalBuilder with normal certificates is pretty easy

https://www.finalbuilder.com/resources/blogs/code-signing-changes-for-2016

Hi

Thanks for the link to ksoftware. I’ve also heard good things about Thawte. I’ve got 3 years to decide, but I guess the EV certificate does have some benefits over normal certs.

I’ve been happily using codesigning in FB & Inno up till now.

Anyway, I’m using two .bat files; 1 to sign all the executables and 1 to sign all the installers. I’m still having to enter the pwd twice during a build though.

I’d be interested to hear how anyone with EV Certificates automates their build process though.

Thanks :slight_smile:

I spent some time reading about this today, I’m kinda surprised I had not heard about the move to EV certificates, it’s very hard to find any info that isn’t self serving (ie from certificate sellers). The best I could find was the requirement for EV certificates for Windows 10 drivers.

Our certificate isn’t due for renewal till next year, however I get the feeling I’m going to have to buy an EV certificate sooner just to test this out. The more I read about it though, the more I am horrified at what a poor solution it is. The whole manual intervention (typing a password, on the physical machine) and the physical requirement (usb key) makes a mockery of the established practice of automated software delivery.

I did find this

which looks to be able to get around the password prompt, however you still need access to the usb key, and that raises issues in a virtualised environment. We use hyper-v (2012R2 and 2016) and usb-passthrough is problematic at best, for some usb keys it just doesn’t work.

So it looks like we are going back to the bad old days of a workstation in the corner that we physically have to walk up to, to finish running a build :roll_eyes:

Wow, I just looked at the cost of EV code signing certificates, > $250 per year (more if you buy for less than 2 yrs!) - just when letsencrypt freed us from the SSL certificate tyranny!

Hi Vincent

(apologies, been away from the keyboard for a while)

Thanks for the link, it looks promising, but yes, I can’t understand the logic behind EV certificates. It does seem completely contrary to automated build processes.

My build env is in a VMWare machine and I was initially concerned, but USB Passthru is solid in VMWare & works fine. I put the SafeNet Authentication client on both host and VM. Then I went through the download & Token setup procedure in the host. I can then use USB passthru to access it on the VM.

The cost of renewing through GlobalSign was only marginally more expensive than the old file based certificate. £438 GBP for 3 years which is only £100 more expensive than I was paying in previous years. Hence I initially just thought it was a price hike, so I was surprised when the Token arrived in the post :smiley:

Thanks again,

PS - the “Enable single signon” option has worked really well for me. I can insert & login to the token through the SafeNet Authentication Client and then fire up my automated build process which no longer requires a password entry. That’s a big win for me as the actual build process is now hands-off & I don’t have to wait until halfway through the process for a password prompt :smiley:


Single signon won’t work for unattended (ie CI) builds though, someone has to be logged into the machine. We run all of our builds on Continua CI (which calls FBCMD), the Continua CI agent runs as a windows service, so there is no opportunity for user interaction.


I have just got an EV Token, I really could do with this working in FB.

Any progress?

Dave

Hi Dave

Unfortunately not. There are so many issues with EV the more I look into it. There are lots of people asking but it seems the whole point of EV is you have to enter the password. Unfortunately you cannot just RDP in to enter the password as many EV auth clients don’t support it. Still investigating but I don’t have an answer yet, nor do I have an EV certificate to play with.

Check out here to get a certificate

I know where to buy one, I just don’t want to when our existing certificate still has a year left on it. Considering the cost of them, I don’t want to buy something I’m not sure I can use - might seem trivial but when you multiply this by all the other tools etc we spend money on every year it all adds up.

I bought one for a year for $105 from this link!

Regards the password prompt, there is a setting where you can set the system to only need the password once per user login.

Got it working with batch files :slight_smile:

I need it to work without a user logging in, because in a scheduled or CI environment the last thing you want is to login to make your builds work.

I have ordered an EV cert, will experiment when it arrives.

Hi Everybody,

I’m just struggling with the same problems while using an EV Certificate. The Token Password is a nightmare. I’m using FinalBuilder 8.0.0.2701 with maintenance.

Is there anything new since last year?

Regards, Michael

Hi All

I have been playing with this today (I had to find our EV usb after we closed the office).

I managed to get signing working without a password prompt, using a DigiCert issued certificate - they use SafeNet usb tokens - if your provider uses different hardware/software then this may or may not work.

In the SafeNet client tools, click on the Advanced View toolbar button and under “User certificates” select the certificate, then click the Export certificate button and save the .cer file somewhere you can access from FinalBuilder.

In that same view, there are two important fields:

Cryptographic Provider: eToken Base Cryptographic Provider
and
Container name: p11#xxxxxxxxxxxxxxxx

In the Signtool sign action, on the Signing options page, copy the Cryptographic Provider value to the provider field in the dialog, and in the Private key container field enter:

[{{tokenPassword}}]=containerName

Replace tokenPassword and containerName with the values from your token.

You do need to have signed into the token in the client tools once. In the Safenet client tools, under client settings, advanced tab, make sure Automatic Logoff is set to never.

With this setup I was able to sign from a scheduled task whether logged into the machine or not (I rebooted and waited 5 min past the scheduled time to be sure).

You do still need the physical usb token plugged into the machine for this to work.

I will post on our blogs with more detailed step by step instructions later today or tomorrow.

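One way to script the setup from the post above outside FinalBuilder, as an added example rather than the forum's or FinalBuilder's own code. The signtool switches (/f, /csp, /kc, /fd, /tr, /td, verify /pa) are standard; the certificate path, the container name, the EV_TOKEN_PASSWORD environment variable and the timestamp URL are assumptions to replace with your own values.

```powershell
# Added example, not from the forum post. Assumes signtool.exe is on PATH and that the token
# password is supplied via the EV_TOKEN_PASSWORD environment variable instead of being
# written into the script or a .bat file in source control.
param(
    [string]$CertFile     = 'C:\build\codesign.cer',         # .cer exported from the SafeNet client (assumed path)
    [string]$Container    = 'p11#0000000000000000',          # placeholder: use the Container name shown by the client
    [string]$TimestampUrl = 'http://timestamp.digicert.com', # assumed RFC 3161 timestamp server
    [Parameter(Mandatory)][string[]]$Files                   # executables / installers to sign
)
$ErrorActionPreference = 'Stop'

$tokenPassword = $env:EV_TOKEN_PASSWORD
if ([string]::IsNullOrEmpty($tokenPassword)) {
    throw 'EV_TOKEN_PASSWORD is not set; refusing to run with an empty token password'
}

# SafeNet CSP key-container syntax from the post: "[{{tokenPassword}}]=containerName".
$keyContainer = "[{{$tokenPassword}}]=$Container"

foreach ($f in $Files) {
    if (-not (Test-Path $f)) { throw "file not found: $f" }

    & signtool.exe sign /fd sha256 /f $CertFile `
        /csp 'eToken Base Cryptographic Provider' `
        /kc $keyContainer `
        /tr $TimestampUrl /td sha256 $f
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $f (exit $LASTEXITCODE)" }

    # Verify against the default Authenticode policy so a bad or missing signature fails the build
    # instead of being noticed only when the installer ships.
    & signtool.exe verify /pa /v $f
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed for $f (exit $LASTEXITCODE)" }
}
```

Note that the token password still appears in the signtool command line, so it is visible to anyone who can list processes on the build host; keep that machine's logon rights as tight as the token itself.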