This is already turning into a huge time-suck, so trying to figure out how to compile a .Net app is not ideal. (What the heck is NuGet anyway?)
I’ve been able to get codesigning working via running a batch file in FB – I say “working” but it’s no longer a hands-free process.
It’d be great if you could look into showing these prompts and even some UI Automation?
Thanks
PS - I’m pretty pi**ed at GlobalSign as the change to an EV token wasn’t announced; it feels like it was forced on us with no pre-disclosure. Apparently they ditched file-based certificates on Feb 1st this year & didn’t think it important to tell me. #grrr
The problem with capturing prompts is it’s hard! We have tried before, but somewhere in the redirecting of stdout and stdin we end up with a deadlock.
Thanks for the link to ksoftware. I’ve also heard good things about Thawte. I’ve got 3 years to decide, but I guess the EV certificate does have some benefits over normal certs.
I’ve been happily using codesigning in FB & Inno up till now.
Anyway, I’m using two .bat files: one to sign all the executables and one to sign all the installers. I’m still having to enter the pwd twice during a build though.
I’d be interested to hear how anyone with EV Certificates automates their build process though.
I spent some time reading about this today. I’m kinda surprised I had not heard about the move to EV certificates; it’s very hard to find any info that isn’t self-serving (i.e. from certificate sellers). The best I could find was the requirement for EV certificates for Windows 10 drivers.
Our certificate isn’t due for renewal till next year, however I get the feeling I’m going to have to buy an EV certificate sooner just to test this out. The more I read about it though, the more I am horrified at what a poor solution it is. The whole manual intervention (typing a password, on the physical machine) and the physical requirement (USB key) make a mockery of the established practice of automated software delivery.
I did find this
which looks to be able to get around the password prompt, however you still need access to the USB key, and that raises issues in a virtualised environment. We use Hyper-V (2012R2 and 2016) and USB passthrough is problematic at best; for some USB keys it just doesn’t work.
So it looks like we are going back to the bad old days of a workstation in the corner that we physically have to walk up to, to finish running a build.
Wow, I just looked at the cost of EV code signing certificates, > $250 per year (more if you buy for less than 2 yrs!) - just when letsencrypt freed us from the SSL certificate tyranny!
(apologies, been away from the keyboard for a while)
Thanks for the link, it looks promising, but yes, I can’t understand the logic behind EV certificates. It does seem completely contrary to automated build processes.
My build env is in a VMware machine and I was initially concerned, but USB passthru is solid in VMware & works fine. I put the SafeNet Authentication Client on both host and VM. Then I went through the download & token setup procedure in the host. I can then use USB passthru to access it on the VM.
The cost of renewing through GlobalSign was only marginally more expensive than the old file-based certificate: £438 GBP for 3 years, which is only £100 more expensive than I was paying in previous years. Hence I initially just thought it was a price hike, so I was surprised when the token arrived in the post.
PS - the “Enable single signon” option has worked really well for me. I can insert & login to the token through the SafeNet Authentication Client and then fire up my automated build process which no longer requires a password entry. That’s a big win for me as the actual build process is now hands-off & I don’t have to wait until halfway through the process for a password prompt
Single signon won’t work for unattended (i.e. CI) builds though; someone has to be logged into the machine. We run all of our builds on Continua CI (which calls FBCMD), the Continua CI agent runs as a Windows service, so there is no opportunity for user interaction.
Unfortunately not. There are so many issues with EV the more I look into it. There are lots of people asking but it seems the whole point of EV is you have to enter the password. Unfortunately you cannot just RDP in to enter the password as many EV auth clients don’t support it. Still investigating but I don’t have an answer yet, nor do I have an EV certificate to play with.
I know where to buy one, I just don’t want to when our existing certificate still has a year left on it. Considering the cost of them, I don’t want to buy something I’m not sure I can use - might seem trivial but when you multiply this by all the other tools etc we spend money on every year it all adds up.
I’m just struggling with the same problems while using an EV certificate. The token password is a nightmare. I’m using FinalBuilder 8.0.0.2701 with maintenance.
I have been playing with this today (I had to find our EV usb after we closed the office).
I managed to get signing working without a password prompt, using a DigiCert-issued certificate – they use SafeNet USB tokens – if your provider uses different hardware/software then this may or may not work.
In the SafeNet client tools, click on the Advanced View toolbar button and under “User certificates” select the certificate and then click the Export certificate button; save the .cer file somewhere you can access from FinalBuilder.
In that same view, there are two important fields
Cryptographic Provider: eToken Base Cryptographic Provider
and Container name: p11#xxxxxxxxxxxxxxxx
In the Signtool sign action, on the Signing options page, copy the Cryptographic Provider value to the Provider field in the dialog, and in the Private key container field enter
[{{tokenPassword}}]=containerName
Replace tokenPassword and containerName with the values from your token.
You do need to have signed into the token in the client tools once. In the SafeNet client tools, under Client Settings, Advanced tab, make sure Automatic Logoff is set to Never.
With this setup I was able to sign from a scheduled task whether logged into the machine or not (I rebooted and waited 5 min past the scheduled time to be sure).
You do still need the physical usb token plugged into the machine for this to work.
I will post on our blogs with more detailed step by step instructions later today or tomorrow.
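The same setup driven from a script rather than the FinalBuilder action, as an added example that is not part of the post above or of any FinalBuilder/DigiCert documentation. It passes the exported .cer, the SafeNet CSP name and the “[{{password}}]=container” key-container string straight to signtool.exe, then verifies each file was actually signed by the expected certificate. The environment variable name, file paths, the p11# container value and the timestamp server are assumptions you will need to replace; the token must still be plugged into the build machine, and the SafeNet client’s Automatic Logoff must be set to Never as described above.

```powershell
# Added example: unattended signtool run against a SafeNet eToken using the
# CSP + key-container trick from the post above. Not the post author's script.
# Assumed values: env var name, paths, container name, timestamp URL.

$ErrorActionPreference = 'Stop'

# Read the token password from an environment variable set by the CI agent
# (assumed name) so it is not hard-coded in the script or checked into source.
$TokenPassword = $env:EV_TOKEN_PASSWORD
if (-not $TokenPassword) { throw 'EV_TOKEN_PASSWORD is not set' }

# Values copied from SafeNet Authentication Client -> Advanced View -> User certificates
$Provider      = 'eToken Base Cryptographic Provider'
$ContainerName = 'p11#xxxxxxxxxxxxxxxx'            # placeholder; use your token's container name
$CertFile      = 'C:\build\signing\codesign.cer'   # .cer exported from the client (assumed path)

# The SafeNet CSP accepts the token password inside the key container name in
# this form, which is what lets signtool run without a password prompt.
$KeyContainer = '[{{' + $TokenPassword + '}}]=' + $ContainerName

$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'  # assumed location
$TimestampUrl = 'http://timestamp.digicert.com'   # assumed RFC 3161 timestamp server

function Invoke-TokenSign {
    # Signs each file with a SHA-256 digest and an RFC 3161 timestamp. Fails the
    # build on any non-zero exit code instead of silently shipping an unsigned binary.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        & $SignTool sign /f $CertFile /csp $Provider /kc $KeyContainer `
            /fd sha256 /tr $TimestampUrl /td sha256 $file
        if ($LASTEXITCODE -ne 0) {
            throw "signtool failed for $file (exit code $LASTEXITCODE)"
        }
    }
}

function Test-TokenSignature {
    # Post-sign check: the Authenticode status must be Valid and the signer must be
    # the exported certificate, so a wrong /kc value or an unplugged token is caught.
    param([Parameter(Mandatory)][string]$Path)
    $expected = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile).Thumbprint
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "${Path}: signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $expected) {
        throw "${Path}: signed by unexpected certificate $($sig.SignerCertificate.Thumbprint)"
    }
    return $true
}

# Usage: the same two passes the thread describes (executables, then installers).
$exes       = @(Get-ChildItem 'C:\build\out\*.exe')    # assumed output folders
$installers = @(Get-ChildItem 'C:\build\setup\*.exe')
$targets    = ($exes + $installers).FullName
Invoke-TokenSign -Path $targets
foreach ($t in $targets) { Test-TokenSignature -Path $t | Out-Null }
```

The password-in-container-name form only removes the interactive prompt; it does not change the trust model. Anyone who can run a job on the build agent while the token is plugged in can sign with your EV certificate, so treat that machine as part of the signing boundary: restrict who can queue jobs on it, keep the password out of build logs (signtool echoes its arguments in verbose mode), and check the signed artefacts’ signer thumbprint as above rather than trusting a zero exit code alone.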