adxpublisher.exe and EV certificate support

Add-in Express™ Support Service

How can we use ClickTwice publishing with an EV certificate? 
Vasilis Prantzos
Posts: 7
Joined: 2020-08-30
Hello,

We are having some problems with ClickTwice publishing.
We used to sign the setup executable, the MSI installer and the version_info.xml using a pfx file we were using for signing our DLL files.
Recently though we updated our certificate to an EV certificate and we are facing an issue with not being able to use that EV certificate USB key to publish the wix installer with adxpublisher.exe.
We would like to pose the following questions:

- Is there a way to use such a certificate with adxpublisher.exe or adxpatch.exe and how might we go about doing this?
- If this is not supported, then is it a valid practice to use a self-signed certificate for adxpublisher.exe and, after publishing is complete, sign setup.exe with the EV certificate using Microsoft's signtool?
- If the above is not a valid approach, is there something we can do to make the certificate not required by adxpublisher.exe? In both the adxpublisher and adxpatch help message boxes there was no information to indicate that.
- If there is no way to bypass the certificateFile parameter, would it be possible from your side to make any changes so the adxpublisher.exe could support an EV certificate as well?

If there is any other solution that we are unaware of, please advise accordingly.
Thank you very much in advance!
Posted 30 Aug, 2020 07:04:38
Sergey Grischenko
Add-in Express team
Posts: 7228
Joined: 2004-07-05
Hi Vasilis,

adxpublisher.exe allows you to sign your project using the certificate installed in Trusted Root Certification Authorities Certificate Store of Windows (via certmgr.msc). Are you able to install your certificate to Trusted Root? If so, you will need to use the 'certificateThumbprint' attribute to specify the certificate in the 'adxpublisher.exe.config' file.

E.g.
<add key="certificateThumbprint" value="29A58354111398D2C290A8A875BD025490421195" />
Posted 31 Aug, 2020 12:28:48
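As an added example (not Add-in Express code and not posted in this thread), the PowerShell below lists the code-signing certificates the Windows certificate stores expose, picks one by subject text and writes its thumbprint into the certificateThumbprint key of adxpublisher.exe.config. The subject text, the config file location and the assumption that adxpublisher.exe.config is a standard .NET appSettings file are assumptions; the thumbprint quoted above is the page's example value, and the script derives its own from the store.

```powershell
# Added example (not Add-in Express code): locate a code-signing certificate in
# the Windows certificate store and put its thumbprint into adxpublisher.exe.config.
# Assumptions: the certificate subject contains $SubjectMatch, and the config file
# is a standard .NET appSettings file (<configuration><appSettings><add .../>).
param(
    [string]$SubjectMatch = 'My Company',                 # assumption: part of the cert subject
    [string]$ConfigPath   = '.\adxpublisher.exe.config',  # file name from the thread; location assumed
    [string[]]$Stores     = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root')
)

# Collect every unexpired certificate carrying the Code Signing EKU.
$candidates = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.NotAfter -gt (Get-Date) }
}

if (-not $candidates) {
    throw "No unexpired code-signing certificate matching '$SubjectMatch' found in: $($Stores -join ', ')"
}

# HasPrivateKey is usually true for a token-backed certificate as well: the key is
# reachable through the token's CSP/KSP while the token is plugged in, even though
# it cannot be exported to a .pfx file.
$candidates | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, PSParentPath -AutoSize

# Prefer the certificate that expires last if several match.
$cert  = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
$thumb = $cert.Thumbprint

# Update (or add) the certificateThumbprint key in the appSettings section.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$appSettings = $cfg.configuration.appSettings
if (-not $appSettings) { throw "No <appSettings> section in $ConfigPath" }

$node = $appSettings.add | Where-Object { $_.key -eq 'certificateThumbprint' }
if ($node) {
    $node.value = $thumb
} else {
    $new = $cfg.CreateElement('add')
    $new.SetAttribute('key', 'certificateThumbprint')
    $new.SetAttribute('value', $thumb)
    [void]$appSettings.AppendChild($new)
}
$cfg.Save((Resolve-Path $ConfigPath).Path)
Write-Host "certificateThumbprint set to $thumb in $ConfigPath"
```

Run it from the folder that holds adxpublisher.exe.config, or pass -ConfigPath. The script only edits the one key and leaves the rest of the file untouched, so it can be dropped into a release pipeline step ahead of the adxpublisher.exe call.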
Vasilis Prantzos
Posts: 7
Joined: 2020-08-30
Hi Sergey,

Thank you so much for your very swift answer!

I do not think there is a way to export the certificate from the USB token it is installed on, so that it can be installed in the Windows Trusted Root Certification Authorities Certificate Store. I believe this is one of its security features, that it can only be accessed via the token. There is an extra option to install the certificate on AWS HSM or Azure Key Vault, but as far as I understand this is not supported by adxpublisher.exe either, and we do not have it installed in the cloud anyway. (see: https://shop.globalsign.com/en/code-signing)

The most important question here I think is what is the signing of the files for? Does it have to be with an official certificate or can it be a self-signed one? If it is to verify the source of the MSI when using the web setup, I suppose a non-official certificate can be used?

And if neither an EV nor a self-signed certificate can be used, then can we make the certificateFile parameter non-required?

Looking forward to your thoughts.

Best,
Vasily
Posted 01 Sep, 2020 03:27:03
Sergey Grischenko
Add-in Express team
Posts: 7228
Joined: 2004-07-05
Hi Vasily,

If the target PC has an antivirus software installed, the unsigned ClickTwice installer will be blocked. Also, Microsoft Defender SmartScreen may block the ClickTwice downloader from running on the user's PC. That is why the ClickTwice installer requires a valid digital signature.

Please try to convert the SSL certificate to the .pfx format using OpenSSL.
https://wp.sjkp.dk/creating-self-signed-pfx-and-cer-certificates-with-openssl/

Let me know if the issue still exists.
Posted 01 Sep, 2020 11:17:38
Vasilis Prantzos
Posts: 7
Joined: 2020-08-30
Hi Sergey,

If I understand correctly you are saying that the parameter "certificateFile" in adxpublisher.exe is required to avoid antivirus issues. We are already signing the MSI file with the EV certificate using Microsoft's signtool as a previous step in our release pipeline (something we do with all DLL files).

Besides signing the MSI and EXE to avoid antivirus blocking, can you please explain why version_info.xml is signed as well? To my understanding there is some verification performed to match the signatures between setup.exe on the client and version_info.xml file on the server. Am I correct to assume that?

If the sole reason for signing the files via adxpublisher is the antivirus blocking issue, then having a required parameter is a problem for us, since we do already have a more secure EV certificate that gives us immediate reputation for windows smartscreen (compared to a non-EV one) and we cannot use it to publish the web installer!

I am unclear what you are suggesting to try in the end. You are suggesting to convert the current certificate to pfx format, but the URL you have provided is about how to create a self-signed certificate using OpenSSL. I have already generated self-signed certificates for other purposes using PowerShell's "New-SelfSignedCertificate" and "Export-PfxCertificate", which I believe do the same. Might I rephrase myself and say that the EV certificate cannot be exported and thus converted.

Maybe I did not understand what you are trying to say. Are you saying that I CAN indeed use a self-signed certificate for the "certificateFile" parameter of adxpublisher.exe? Will the published web installer work?

I hope I made myself a bit clearer by being more precise.

Looking forward to your answer!
Vasily
Posted 01 Sep, 2020 12:06:09
Sergey Grischenko
Add-in Express team
Posts: 7228
Joined: 2004-07-05
Hi Vasily,

Vasilis Prantzos writes:
If I understand correctly you are saying that the parameter "certificateFile" in adxpublisher.exe is required to avoid antivirus issues.

Yes, right.

Vasilis Prantzos writes:
Besides signing the MSI and EXE to avoid antivirus blocking, can you please explain why version_info.xml is signed as well?

version_info.xml is signed to protect and validate files before installation. We use the hash attribute for files to protect the installer from changing files.

Vasilis Prantzos writes:
You are suggesting to convert the current certificate to pfx format, but the URL you have provided is about how to create a self-signed certificate using openssl.

You mentioned that you already have the self-signed certificate and I supposed that you just needed to convert it to .pfx. I meant that you needed the second command line in this article.

Vasilis Prantzos writes:
Are you saying that I CAN indeed use a self-signed certificate for the "certificateFile" parameter of adxpublisher.exe?

Yes, you can use it. However, this certificate should be installed to the Windows Certificate Store on the target PC.
Currently, ClickTwice does not support EV Code Signing Certificates. We will consider either implementing this feature in future builds of Add-in Express for Office and .NET or simply disabling the validation of the digital signature during the installation process. For now, please use a certificate in .pfx format or consider changing the deployment tool.
Posted 02 Sep, 2020 05:15:22
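An added example, not Add-in Express code and not from either poster, covering the self-signed route Vasilis mentions (New-SelfSignedCertificate and Export-PfxCertificate) together with Sergey's point that such a certificate must be installed in the Windows Certificate Store on the target PC. It creates a self-signed code-signing certificate on the build machine, exports the .pfx that the certificateFile parameter would consume and the key-less .cer for the target PC, imports that .cer on the target machine, and then checks with Get-AuthenticodeSignature that a file signed with the certificate validates there. The subject name, paths, file names and the Test-SignedFile helper are assumptions.

```powershell
# Added example (not Add-in Express code): self-signed code-signing certificate for
# internal/test use of the certificateFile parameter, the steps that make a target PC
# trust it, and a check that a signed file validates on that PC.
# Subject, paths, file names and the helper name are assumptions.
$Subject  = 'CN=Internal ClickTwice Test Signing'     # assumption
$OutDir   = 'C:\signing'                               # assumption
$PfxPath  = Join-Path $OutDir 'clicktwice-test.pfx'    # value to pass as certificateFile
$CerPath  = Join-Path $OutDir 'clicktwice-test.cer'    # public part, shipped to target PCs
$Password = Read-Host -AsSecureString -Prompt 'PFX password'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- Build machine: create the certificate and export both forms ----------------
$cert = New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# The .pfx holds the private key: keep it out of source control and shared drives.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
# The .cer carries no private key and is safe to distribute.
Export-Certificate    -Cert $cert -FilePath $CerPath | Out-Null
Write-Host "Thumbprint: $($cert.Thumbprint)"

# --- Target PC (elevated prompt): trust the self-signed certificate --------------
# A self-signed certificate is its own root, so it goes into Root; adding it to
# TrustedPublisher as well suppresses the "untrusted publisher" prompt for Authenticode.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# --- Check: does a file signed with this certificate validate on this PC? --------
function Test-SignedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File      = Split-Path $Path -Leaf
        Status    = $sig.Status                       # 'Valid' once the chain is trusted
        Signer    = $sig.SignerCertificate.Thumbprint
        Expected  = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
        Timestamp = $sig.TimeStamperCertificate.Subject   # empty when not timestamped
    }
}

# Sign a small probe file with the new certificate to exercise the chain end to end.
$probe = Join-Path $OutDir 'probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "probe"'
Set-AuthenticodeSignature -FilePath $probe -Certificate $cert | Out-Null
Test-SignedFile -Path $probe -ExpectedThumbprint $cert.Thumbprint

# Then run the same check against the published artifacts (paths assumed).
'C:\publish\setup.exe', 'C:\publish\MyAddin.msi' |
    ForEach-Object { Test-SignedFile -Path $_ -ExpectedThumbprint $cert.Thumbprint } |
    Format-Table -AutoSize
```

Status comes back as NotTrusted (or UnknownError) on a PC where the .cer has not been imported, which is the failure mode Sergey describes; once the import is done the same file reports Valid. Because a self-signed certificate earns no SmartScreen reputation, this path is for internal distribution and test rings, with the EV-signed setup.exe remaining the public artifact.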
Vasilis Prantzos
Posts: 7
Joined: 2020-08-30
Hi Sergey,

Thank you for your replies to my questions, now I think I have all I need to make a decision on what to test and how to proceed.

Have a nice day!

Best regards,
Vasily
Posted 02 Sep, 2020 16:43:42