Query about digitally signing files - certificate

I'm seeking some clarification.
I recently purchased a digital cert for code signing from one of the recognised certification authorities.
The approach I've taken is to make a batch file where I use the batch file to digitally sign each .exe file.
The batch file looks like this (password has been modified):
signtool sign /f "C:\DigitalSignaturesAndCerts\ServerCertificate.pfx" /p "PasswordGoesHere" /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 "C:\SpecificApp\ActualFile.exe"
This is working without issue.
I am not an expert in digital signing and I have two queries:
Am I right in saying that what I am doing is sufficient, and that I don't need to import the cert into Visual Studio and sign the files when compiling from Visual Studio?
Am I right in saying that this signed exe file will continue to work after the cert has expired, based on the batch file described above?
Any clarification is appreciated.
This is more of a general query so problem replication description is not relevant.
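As an added example (not the batch file from the question, and not an answer in the poster's voice), here is the same signtool step in PowerShell with the two checks a practitioner would want alongside it: the password is read at run time rather than stored in the script, and each signed file is verified and checked for an embedded timestamp, since a timestamped Authenticode signature is what Windows keeps treating as valid after the signing certificate's NotAfter date. It assumes signtool.exe from the Windows SDK is on PATH and uses the question's paths as placeholders.

```powershell
# Added example, not the batch file from the question: sign each .exe with an RFC 3161
# timestamp, then verify the signature and confirm the timestamp is actually embedded.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the paths are the question's placeholders.
$pfx       = 'C:\DigitalSignaturesAndCerts\ServerCertificate.pfx'
$targetDir = 'C:\SpecificApp'
$tsaUrl    = 'http://timestamp.sectigo.com'

# Read the PFX password at run time instead of storing it in the script.
$secure      = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPassword = [pscredential]::new('pfx', $secure).GetNetworkCredential().Password

$results = foreach ($exe in Get-ChildItem -Path $targetDir -Filter *.exe -Recurse -File) {
    # /fd: file digest; /td: timestamp digest; /tr: RFC 3161 timestamp server.
    & signtool sign /f $pfx /p $pfxPassword /tr $tsaUrl /td SHA256 /fd SHA256 $exe.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($exe.FullName)" }

    # /pa verifies against the default Authenticode policy; a non-zero exit means untrusted.
    & signtool verify /pa /v $exe.FullName | Out-Null
    $verifyOk = ($LASTEXITCODE -eq 0)

    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    [pscustomobject]@{
        File          = $exe.Name
        Status        = $sig.Status
        SignerExpires = $sig.SignerCertificate.NotAfter
        # TimeStamperCertificate is the TSA certificate when a timestamp is embedded.
        # On older PowerShell builds it can be $null for RFC 3161 stamps even though
        # "signtool verify /v" prints "Timestamp Verified by"; treat signtool as authoritative there.
        Timestamped   = ($null -ne $sig.TimeStamperCertificate)
        VerifyOk      = $verifyOk
    }
}
$results | Format-Table -AutoSize

# A signature without a timestamp stops validating once the certificate expires, so fail the run.
$missing = @($results | Where-Object { -not $_.Timestamped })
if ($missing.Count -gt 0) { throw "No timestamp on: $($missing.File -join ', ')" }
```

Running this after the build, rather than only signing, catches the case where the timestamp server was unreachable: signtool then fails the sign step, and the `/tr` step is the part that determines whether the signature outlives the certificate.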

Related

Certutil repair Code Signing Certificate in CurrentUser not LocalMachine

So this is my first time having this problem. Last time my code signing certificate was installed correctly and without problems; this time, however, the private key flag is missing from my certificate, and after searching for about an hour I found certutil -repairstore my "CertSerialNumber".
This is working if the certificate is installed to the local machine, but then signtool is unable to find the certificate. By default it was installed to CurrentUser, so how do I run certutil -repairstore on a certificate in CurrentUser? I have tried adding -sr currentuser and -user and it complains they are invalid parameters (WIN32: 87 ERROR_INVALID_PARAMETER).
Finally found the answer; typically it comes within minutes of posting the question. So for anyone else,
make sure the params are ordered correctly; certutil is a little bit of a pain with the order of parameters:
certutil -user -repairstore my "CertSerialNumber"
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
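As an added example that is not part of the post above, the repair wrapped in a check: find code-signing certificates in CurrentUser\My whose private key is not linked, run the certutil command from the answer only for those, and then have signtool select the certificate from the store by thumbprint instead of from a .pfx. It assumes signtool.exe is on PATH and that the .exe path is a placeholder.

```powershell
# Added example, not from the post: repair only certificates that need it, then sign from the store.
# Assumptions: the certificate was imported into CurrentUser\My; signtool.exe is on PATH.
$exe    = 'C:\SpecificApp\ActualFile.exe'
$tsaUrl = 'http://timestamp.sectigo.com'
$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # Code Signing extended key usage OID

# EnhancedKeyUsageList is added by the Cert: provider; HasPrivateKey is the "key flag" the post refers to.
$candidates = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku }

foreach ($cert in $candidates) {
    if (-not $cert.HasPrivateKey) {
        "No private key linked for $($cert.Subject) (serial $($cert.SerialNumber)); repairing"
        # Parameter order matters: -user must precede -repairstore, as the answer found.
        & certutil -user -repairstore my $cert.SerialNumber | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed for serial $($cert.SerialNumber)" }
    }
}

# Re-read the store so HasPrivateKey reflects the repair, then pick the longest-lived usable cert.
$signer = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $signer) { throw 'No code-signing certificate with a usable private key in CurrentUser\My' }

# /sha1 selects the certificate by thumbprint from the user's store; no .pfx or password needed.
& signtool sign /sha1 $signer.Thumbprint /tr $tsaUrl /td SHA256 /fd SHA256 $exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed for $exe" }
```

Selecting by thumbprint (`/sha1`) is preferable to `/a` when more than one code-signing certificate is present, because `/a` lets signtool pick whichever valid certificate it finds first.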

Why is my file retrieved from FTP in a remote PowerShell session encrypted?

Yet another works-fine-locally-but-loses-its-mind-in-a-remote-session problem.
I have a PS script that runs the standard Windows command line ftp.exe to get a file. Works a treat when run directly; however, when run remotely via Invoke-Command it suddenly leaves the files with the encrypted bit set.
If I then, in the same PS session (in the same script), run cipher /d on the file, I get Access Denied. However, if I log onto the remote machine using the same account, I can decrypt it.
So, question the first: is this a "feature" of ftp.exe? I can't find anything suggesting as such, but no other method of creating a file seems to result in it being encrypted, so I'm left thinking it is an intentional act by the application, like it checks the logon type and encrypts if it is a network logon.
Second, why can I not immediately decrypt it? Same account, same session.
The essential bits of the script in question:
#the ftp script is just open, user, binary, get, quit
& ftp -n -v -s:"$script"
& cipher /d "$file_path"
I realize this is probably a pretty obscure edge case, but I'll leave an answer just in case anyone runs into anything similar.
As usual, ProcMon has all the answers...
At my company %HOMESHARE% is set to a network file server (by some GPO I believe).
As ftp.exe is retrieving a file, it writes to a temp file and then once finished, copies it over to the specified location. Even after knowing this, one might expect %TEMP% to be used for such a purpose, but no.
I'm not quite sure exactly how ftp.exe goes about determining the temp file location, but when I'm in a PSSession it chooses my Documents folder (%USERPROFILE%, I suppose), whereas when I'm in an RDP session it uses %HOMEPATH%. So of course my Documents folder is set to encrypt new files, so the temp file is encrypted and gets copied over, but the file share is not, so it copies over clean.
Also, while I have found nothing official stating this, it does seem that cipher.exe is completely ineffective for a network logon. If, after entering a PSSession, I create a new file with Set-Content and attempt to encrypt it using cipher /e <file>, it gives the same Access Denied. The same account over RDP encrypts with no problem.
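As an added example, not part of the answer above, a short script that makes the two observations reproducible in one remote session: it reports which of the candidate temp locations (and the retrieved file itself) carry the NTFS Encrypted attribute, which is the flag a new file inherits from a folder marked "encrypt new files", and then attempts the .NET equivalent of `cipher /d` on the file so that the Access Denied is visible in the same session. It assumes `$file_path` is the path the script above retrieved.

```powershell
# Added example, not part of the original answer: show which locations carry the EFS
# attribute and attempt a decrypt in the current session.
# Assumption: $file_path is the path the ftp step above wrote.
$file_path = 'C:\data\retrieved.bin'

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    # On a directory this flag means "encrypt new files created here"; on a file, it is EFS-encrypted.
    [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

$candidates = [ordered]@{
    'TEMP'        = $env:TEMP
    'USERPROFILE' = $env:USERPROFILE
    'Documents'   = [Environment]::GetFolderPath('MyDocuments')
    'HOMESHARE'   = $env:HOMESHARE
    'Retrieved'   = $file_path
}
foreach ($name in $candidates.Keys) {
    $p = $candidates[$name]
    if ($p -and (Test-Path -LiteralPath $p)) {
        '{0,-12} Encrypted={1,-5} {2}' -f $name, (Test-EfsEncrypted $p), $p
    }
}

# Same operation cipher /d performs, through the .NET API, so a failure is reported
# in-session with the exception text rather than a bare "Access Denied" from cipher.exe.
if (Test-EfsEncrypted $file_path) {
    try   { [IO.File]::Decrypt($file_path); 'Decrypted OK' }
    catch { "Decrypt failed: $($_.Exception.Message)" }
}
```

Run it once inside `Invoke-Command` and once in an RDP session with the same account; the first table shows which folder is marked for encryption, and the last line shows whether decryption is possible under that logon.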

I am trying to enable Google Play App Signing but getting an error while generating the .pem file

I am a Unity game developer. I am trying to get a .pem file from the keystore through the command prompt in order to enable app signing, and the command is
C:\Users\admin19>java -jar C:\Users\admin19\Desktop\pepk.jar --keystore= F:\KeyStore\abc.keystore --alias=abc --output=C:\Users\admin19\Desktop\output\key.pem --encryptionkey=eb10fe8f7c7c94656756df715022017b00c6471f8ba8170b13049a11e6c09ffe3056a104a3bbe4ac5a955f4ba4fe93fc8fghhjkcef2kk7558a3eb9d2a529a2092761fb833b656cd48b9de6a
I press Enter after typing this into cmd.
It asks for the keystore password; I enter it. Then it asks for the alias password; I enter it (it is the same as the keystore password), but it gives the error: no key for alias: [aliasname]. What should I do? Please help.
You may follow the suggestions in this thread.
To get the Key Alias: I copied the keytool.exe and my keystore file into C:\Program Files\Java\jdk1.7.0_71\bin folder. Then from command prompt I wrote: keytool -list -v -keystore <name>.keystore It will also ask for keystore password then. Then it will show you the key alias and Certificate fingerprints and other info.
It was also mentioned that if you have the keystore password, keytool might be able to list the aliases.
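As an added example, not from the question or the answer, the alias check from the answer turned into a script: it lists the aliases keytool reports for the keystore, refuses to continue if the intended alias is not among them (which is exactly the condition the "no key for alias" error describes), and only then runs pepk.jar with each option passed as a single argument. It assumes java and keytool are on PATH; the keystore path, alias, output path and encryption key are placeholders.

```powershell
# Added example, not from the post: confirm the alias exists before calling pepk.jar.
# Assumptions: java and keytool on PATH; all paths, the alias and the key are placeholders.
$keystore      = 'F:\KeyStore\abc.keystore'
$alias         = 'abc'
$pepkJar       = "$env:USERPROFILE\Desktop\pepk.jar"
$outputPem     = "$env:USERPROFILE\Desktop\output\key.pem"
$encryptionKey = '<hex key shown in the Play Console>'

$secure    = Read-Host -Prompt 'Keystore password' -AsSecureString
$storePass = [pscredential]::new('ks', $secure).GetNetworkCredential().Password

# keytool -list -v prints one "Alias name: <alias>" line per keystore entry.
$listing = & keytool -list -v -keystore $keystore -storepass $storePass 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { throw "keytool could not open ${keystore}:`n$($listing -join "`n")" }
$aliases = @($listing | ForEach-Object { if ($_ -match '^Alias name:\s*(.+)$') { $Matches[1].Trim() } })
"Aliases in ${keystore}: $($aliases -join ', ')"

# JKS stores aliases lower-cased and looks them up case-insensitively; -notcontains matches that.
if ($aliases -notcontains $alias) {
    throw "Alias '$alias' is not in the keystore; pepk would report 'no key for alias'."
}

# Keep each option as one argument: "--keystore= F:\..." (with a space) is two arguments to the JVM.
& java -jar $pepkJar "--keystore=$keystore" "--alias=$alias" "--output=$outputPem" "--encryptionkey=$encryptionKey"
if ($LASTEXITCODE -ne 0) { throw 'pepk.jar failed' }
```

pepk.jar still prompts for the keystore and key passwords itself; the script only guarantees that the alias it is given is one keytool can see.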

code signing error with install4j

When I try to sign my exe using a p12 keystore I get the following error:
codesigning.p12 does not contain the complete certificate chain
However, I can sign it without problem using the windows signTool.exe by executing:
signtool sign /f codesigning.p12 /p $keyStorePassword myprogram.exe
Any ideas how to get this working in install4j?
signtool can access intermediate certificates in the Windows keystore, something that install4j does not do.
Other than creating a self-contained certificate (see Adding an intermediate certificates to a pkcs12 file), you can use the "Executable processing" step of the media wizard and call
C:\Path\To\signtool sign /f codesigning.p12 /p $keyStorePassword $EXECUTABLE
to perform external signing of all executables.
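As an added example, not code from the answer, here is one way to build the self-contained certificate the answer mentions using the Windows PKI module: the existing .p12 is read with Get-PfxData, the chain Windows can assemble from its own stores is shown (the chain signtool sees and install4j does not), and the file is re-exported with `-ChainOption BuildChain` so the intermediates travel with the key. It assumes the file names are placeholders and that the intermediates are present in the Windows stores, which they are if signtool already signs with that file.

```powershell
# Added example, not from the answer: re-export codesigning.p12 with the intermediates included.
# Assumptions: file names are placeholders; the PKI module is available; intermediates are in
# the Windows stores (true if signtool already signs successfully on this machine).
Import-Module PKI
$inPath   = Join-Path $PWD.Path 'codesigning.p12'
$outPath  = Join-Path $PWD.Path 'codesigning-fullchain.p12'
$password = Read-Host -Prompt 'PKCS#12 password' -AsSecureString

# What the input file carries: end-entity certificates (with keys) and any extra certificates.
$in = Get-PfxData -FilePath $inPath -Password $password
"Input: $($in.EndEntityCertificates.Count) end-entity, $($in.OtherCertificates.Count) other certificate(s)"

# The chain Windows builds for the leaf from its stores; install4j only sees what is in the file.
$leaf  = $in.EndEntityCertificates[0]
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null  = $chain.Build($leaf)
'Chain: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  ')
if ($chain.ChainElements.Count -lt 2) { throw 'No intermediates found in the Windows stores; import them first' }

# BuildChain writes the intermediates (and root) next to the end-entity certificate and its key.
Export-PfxCertificate -PFXData $in -FilePath $outPath -Password $password -ChainOption BuildChain -Force | Out-Null

# Check the result the way a chain-unaware tool reads it: count certificates, confirm the key survived.
$out = Get-PfxData -FilePath $outPath -Password $password
"Output: $($out.EndEntityCertificates.Count) end-entity, $($out.OtherCertificates.Count) other certificate(s); private key: $($out.EndEntityCertificates[0].HasPrivateKey)"
```

Point install4j at the `-fullchain` file; the original .p12 remains usable with signtool as before.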

Microsoft CA, Automatic issue

Does anybody know if it's possible to issue several certificates from a CSV like this:
CN=TestCertificate1, DNS=testServer1
CN=TestCertificate2, DNS=testServer2
CN=TestCertificate3, DNS=testServer3
Using a given template and getting a pfx as output?
Thank you
This should be doable, although not by simply uploading a .CSV file and downloading the output. The easiest way would be to use some of the PKI Client Cmdlets in Windows PowerShell. These are PowerShell commands that let you interact with a Microsoft CA from a script or the command line.
The first step would be to generate a certificate request using the DN information you find in the .CSV file. A great tutorial on generating the CSR can be found here. Once the certificates have been approved on the CA, you can export them using the relevant PKI Client Cmdlet, Export-PfxCertificate, via your PowerShell script.
Hope this helps!
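As an added example, not the answer's own script, the procedure above carried through with the PKI module: each line in the question's format is parsed, a certificate is requested from the enterprise CA with Get-Certificate against a named template, and every issued certificate is exported with its private key to a .pfx; requests that need CA manager approval are reported so they can be retrieved later. It assumes the template name, input file and output folder are placeholders, that the machine is domain-joined so the CA is found through Active Directory (`-Url ldap:`), and that the template grants the caller enroll rights and marks the private key exportable.

```powershell
# Added example, not from the answer: bulk enrollment from "CN=..., DNS=..." lines.
# Assumptions: placeholders for template, input file and output folder; domain-joined machine;
# the template allows enrollment by this account and an exportable private key.
Import-Module PKI
$template  = 'WebServerExportable'
$inputFile = 'C:\certs\requests.txt'
$outDir    = 'C:\certs\out'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$pfxPassword = Read-Host -Prompt 'Password for the exported .pfx files' -AsSecureString

# Input lines look like: CN=TestCertificate1, DNS=testServer1
$entries = @(Get-Content $inputFile | ForEach-Object {
    if ($_ -match '^\s*CN=(?<cn>[^,]+),\s*DNS=(?<dns>.+?)\s*$') {
        [pscustomobject]@{ CN = $Matches.cn.Trim(); DNS = $Matches.dns.Trim() }
    }
})
if ($entries.Count -eq 0) { throw "No CN=..., DNS=... lines found in $inputFile" }

foreach ($e in $entries) {
    # SubjectName becomes the DN; DnsName becomes a subjectAltName entry, which browsers require.
    $req = Get-Certificate -Template $template -SubjectName "CN=$($e.CN)" -DnsName $e.DNS `
                           -Url 'ldap:' -CertStoreLocation Cert:\LocalMachine\My

    if ($req.Status -ne 'Issued') {
        # Templates with "CA certificate manager approval" leave the request pending;
        # once approved, Get-Certificate -Request <request> retrieves it.
        "$($e.CN): request status $($req.Status); approve on the CA and retrieve it later"
        continue
    }

    $pfxPath = Join-Path $outDir "$($e.CN).pfx"
    Export-PfxCertificate -Cert $req.Certificate -FilePath $pfxPath -Password $pfxPassword | Out-Null
    "$($e.CN): issued, thumbprint $($req.Certificate.Thumbprint), written to $pfxPath"
}
```

The issued certificates also remain in Cert:\LocalMachine\My on the requesting machine; remove them after export if that machine is not meant to hold the keys.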