I am building an installer and need to extract the .cer so that it can be added to trusted publisher, similar to this question/answer.
https://superuser.com/a/464233
I've managed to do that and everything works fine. Can the "Copy to file" from within Digital Signatures tab be automated using PowerShell or something similar ?
You can run Get-AuthenticodeSignature cmdlet to retrieve authenticode signing certificate from MSI.
Related
Scenario:
as development team member I create some .dll files and .ps1 files
I'm trusted that I produced correct code
I'm required to sign those files but security team is in charge of signing certificates
I could just send them all my binaries and wait for them to return signed
... but I produce quite huge .zip archive ...
So I'm thinking if there is a way to save us all this sending binaries back and forth.
Question:
Is that possible that I generate any SHA-1 / SHA-256 / MD5 / whatever hashes from all my files, then I send those to security team, they generate signatures, send them back and I attach them to original files.
I'm working on a pipeline migration from an old manually implemented ci/cd solution to Azure DevOps.
There are some prebuilt functions/processes that I'm still reusing.
For example. Like how they package all their solution as artifacts.
I'm trying to keep the code changes as minimal as possible.
The build pipeline creates a ClickOnce package .zip.
Then on the release stage, the myapp.exe.config in the Application Files gets transformed via XML-Document-Transform. Also the application manifest <ApplicationName>.application gets manually edited through Powershell. The <deploymentProvider codebase="http://1.1.1.1/samplefolder/myapp.application" /> gets changed on release depending on the environment/path it is going to be deployed to.
Application Manifest
<asmv1:assembly ...>
<deployment ...>
<subscription>
<update>
<beforeApplicationStartup />
</update>
</subscription>
<deploymentProvider codebase="http://1.1.1.1/samplefolder/myapp.application" />
</deployment>
</asmv1:assembly>
Now I understand that this method requires Re-Signing of the whole package. They have a custom .exe file to re-sign the whole package (it's not mage.exe). Unfortunately, I cant reuse the said executable to re-sign it.
All I have is their Certificate Thumbprint. But I don't know what to do with it.
Questions:
What are my other options to re-sign the package?
Is there a better way to do this? Do I have to make another build step for this solution?
I have managed to sign the ClickOnce Appmanifest (*.application) and *.exe.manifest files on release by using dotnet mage. I've done this by adding the certificate (.pfx or .p12) file in the Secure Files and the certificate password in the pipeline variables.
Use the .NET Core task specify to use version 5.x.
optional step Re-install via dotnet tool update --global microsoft.dotnet.mage --version 5.0.0
Run the following in powershell
## Signing the exe.manifest file
dotnet mage -update "<folder>/Application Files/<assembly folder name>/<assemblyname>.exe.manifest" -fd "<folder>/Application Files/<folder>" -CertFile "$(SignKey.secureFilePath)" -Password "$(SignKeyPassword)"
## Signing the .Application file
dotnet mage -update "<the .Application full path>" -pu "$publisherURL" -pub "$(PublisherDetails)" -appmanifest "Application Files/<assembly folder name>/<assemblyname>.exe.manifest" -CertFile "$(SignKey.secureFilePath)" -Password "$(SignKeyPassword)"
In sign tool I'm getting the error: bad executable.
I'm sure this has something to do with the application already being signed.
How do I remove the signature from the application.
I made it by unreal and I've heard unreal automatically signs the app on export.
I also heard if you change the extension to .zip, and then back to .exe or .appx, it will remove the certificate. But I tried that and had no luck.
By the way I don't use visual studio is there an straight forward way of doing this?
Thank you.
This will help. It is a utility called delcert with soure code on xdadevelopers. It removes digital signatures (Authenticode) from executable files.
Also check that you are running the correct version of the signing tool (32/64 bit) for the executable you need to sign.
I need to export a Symantec Code signing certificate for signing .xap as .pfx. The steps mentioned on official website state All Tasks>Export as .pfx but the option is grayed out. For pvk2pfx.exe we need a .pvk which is not provided. I have only a .cer file wwhich ii want to concert into a .pfx file with a password. Kindly suggest me the steps and suitable tool!
The .cer file was without the key. A small key icon appears next to the certificate name in microsoft certificate snap-in. Regenerating the certificates did the task!
I have a few Eclipse plugins that are part of a feature. We would like to apply code signing to these plugins when the update site is updated.
I can see the JAR Signing tab when exporting an individual plugin, but I can't see anything similar in my update site project settings.
Also, the tutorials that I have read are using self-signed certificates. Can anyone point me towards instructions for using Verisign certificates (i.e. *.pfx files)?
Can anyone help?
Thanks,
Alan
Edit: I have marked Kane's response as the answer because it is very similar to the steps that I took and was an inspiration. I actually followed these instructions to sign the jars because it was based on pfx files: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1072
Step 1: Run the following command to view details about the certificate (substituting the filename with your own):
keytool -list -v -storetype pkcs12 -keystore [Filename].pfx
Step 2: Scroll to the top of the output and take a note of the Alias name value.
Step 3: Sign each jar file using the following command (substituting the filenames and alias name for your own):
jarsigner -storetype pkcs12 -keystore [Filename].pfx [Filename].jar "[AliasName]"
I now need to come up with a way of managing / automating the process.
Update site project doesn't provide such capability to sign the jars. Signing jars is a pure java concept, you could use the signtool from JDK to do it.
If you want to sign you jars via using the certificate for Windows code signing, you could refer to this blog post.
In my successful experience, I convert pfx to JKS format certificate firstly, then call below command in ant,
<signjar sigfile="MyCompany" alias="${sign.alias}" keystore="${sign.keystore}" storepass="${sign.storepass}" keypass="${sign.keypass}" tsaurl="https://timestamp.geotrust.com/tsa" preservelastmodified="true">