gcamley
Posts: 18
Joined: Thu Jul 02, 2015 10:58 am

Extended Validation Certificates and remote building

Tue Sep 08, 2020 11:19 am

We build our installers nightly on a remote server and we are looking to use an Extended Validation certificate.

From reading various discussions on the internet it looks to me like we have to have a USB device plugged in during the build and somebody has to enter the token password at least once.

I would imagine many companies operate this way, but how can we possibly plug a device into a remote server and have somebody on hand to enter a password?

There must be a way to sign code with an EV certificate without user intervention or this is a step back to the stone age.

Catalin
Posts: 6537
Joined: Wed Jun 13, 2018 7:49 am

Re: Extended Validation Certificates and remote building

Tue Sep 08, 2020 3:58 pm

Hello,

I'm not an expert whatsoever with regard to Digital Signing, but I have done some research and you are partially right.

The source of research: GlobalSign Code Signing FAQ

In the above article, it states that:
Are there different types of Code Signing Certificates?
Yes. GlobalSign offers both Standard and Extended Validation Code Signing Certificates.
What is the difference between Standard and EV Code Signing?
Standard Code Signing Certificates undergo standard organization validation. EV Code Signing Certificates undergo strict Extended Validation vetting requirements set by the CA/B Forum.

EV Code Signing Certificates have an added benefit of providing instant reputation with Microsoft Smart Screen. Standard Code Signing Certificates must build up reputation with the Smart Screen program before Smart Screen warnings disappear.

EV Code Signing Certificates are also required to access the Windows Hardware Developer Center Dashboard Portal through which all kernel-mode drivers targeting Windows 10 (Build 1607 and later) must be signed.
Can I sign a file remotely?
Both the Standard Code Signing Certificates and EV Code Signing Certificates cannot be accessed through Remote Desktop (RDP). The USB token must be plugged into the local computer.

A local USB token can be used to sign a file on a remote machine but a remote USB Token cannot be used for signing at all.
Here, they state that a local USB token can be used to sign a file on a remote machine.

Now, the other problem you have encountered here is the fact that someone had to enter the password.

We might be able to help in this matter. Recently, we have added support for using a custom signing tool at your disposal. This basically means that you can use your own command line for signing ==> you can pass the password through the command line.

For instance, if you go to "Digital Signature" page --> "Enable Signing" --> "Custom" --> select your SignTool.exe tool, you will be able to provide your own command line that the tool should use:

[Screenshot: customsign.png]

As you may know, the SignTool.exe tool accepts the following parameter:


/p <Password>
The above specifies the password to use when opening a PFX file.

sign Command Options

Another interesting thing that they mention in the article is:
Are there different ordering options for Standard and EV Code Signing Certificates?
Yes. Both the Standard Code Signing Certificates and the EV Code Signing Certificates have 3 ordering options and can be delivered to SafeNet tokens, HSMs as well as deployed with Azure Key Vault. Please refer to the 'Key Storage Options' on the table comparison here
Once again, recently (in the last release), we have implemented support for signing your package using Azure Key Vault, as it was requested by our users.

In the "What is a Code Signing Certificate" article, they mention that:
GlobalSign allows standard and EV Code Signing Certificates to be installed on customer HSMs or in Azure Key Vault. Contact us for more information about these deployment options.

Note: USB token not included in HSM or Key Vault deployments.
To be fully honest with you, I believe you should contact their support team and ask for more information about that.

Hope this information helps somehow.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
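As an added example (not code from the original post, from Advanced Installer or from GlobalSign), here is a PowerShell wrapper that a custom signing command line could call instead of SignTool.exe directly: it takes the PFX password from an environment variable populated by the build agent's secret store rather than hard-coding it, timestamps the signature and fails the build if verification does not pass. signtool.exe being on PATH, the variable names, the parameter names and the timestamp URL are all assumptions; the /p option applies to PFX files, as quoted above.

```powershell
# Added example; not the product's own code. Assumes signtool.exe is on PATH,
# the certificate is a PFX file, and the build agent injects the PFX password
# into SIGNING_PFX_PASSWORD from its secret store (variable names are assumptions).
param(
    [Parameter(Mandatory)] [string] $File,                       # e.g. .\Output\Setup.msi
    [string] $PfxPath      = $env:SIGNING_PFX_PATH,              # path to the PFX (assumption)
    [string] $TimestampUrl = 'http://timestamp.example.invalid'  # placeholder RFC 3161 TSA URL
)

$password = $env:SIGNING_PFX_PASSWORD
if ([string]::IsNullOrEmpty($password)) {
    # Never fall back to a prompt: on a nightly build server nobody is there to answer it.
    throw 'SIGNING_PFX_PASSWORD is not set; refusing to sign without a non-interactive secret.'
}
if (-not (Test-Path -LiteralPath $File)) {
    throw "File to sign not found: $File"
}

# /fd and /td select SHA-256 for the file digest and the timestamp digest;
# /tr requests an RFC 3161 timestamp so the signature remains valid after the certificate expires.
$signArgs = @(
    'sign', '/f', $PfxPath, '/p', $password,
    '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256',
    $File
)
& signtool.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Fail the build if the signature does not chain to a trusted root (/pa = Authenticode policy).
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Because /p places the password in the process command line, keep command echoing off in the build log and restrict who can read the agent's environment.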
