EV Code Signing issue, Error Code 0x8009210d - Part 2

mocola
Posts: 9
Joined: 2014-03-08
Hello Andrei,
this is a follow up of https://www.add-in-express.com/forum/read.php?a&FID=5&TID=16204

I just want to let you know that Visual Studio 2022 and Add-in Express v10.0.4700 are still not able to code sign with an EV certificate out of the box when using Visual Studio Installer. As it seems, it fails due to the SHA-256 on the manifest.xml file. Adxloader exits with Error Code 0x8009210d. The only difference in comparison with Visual Studio 2017, where everything works perfectly, is that the manifest.xml in VS2017 gets signed with SHA-1. Can't you make the adxloader able to handle SHA-256 signatures in the manifest.xml file instead of returning 0x8009210d?

The workaround for VS2019 and VS2022:
1) Disable code signing in Addin-Express
2) Add PreBuild Event and use adxpatch.exe to sign <project>\Loader\adxloader.dll and adxloader64.dll

However, with this workaround I do not get signatures on the <project>.dll and also no signatures in the manifest.xml. Is this an issue in any scenario regarding the trustworthiness of the add-in or is it enough to only have both loaders signed?

Regards,
Sebastian
Posted 26 Jan, 2022 22:11:53
mocola
Posts: 9
Joined: 2014-03-08
Hello Andrei,
is it fine to only sign the loaders and not the <project>.dll and manifest.xml?

Regards,
Sebastian
Posted 31 Jan, 2022 03:39:53
Andrei Smolin
Add-in Express team
Posts: 18848
Joined: 2006-05-11
Hello Sebastian,

You can use signtool.exe to sign all DLLs.

Regards from Poland (CET),

Andrei Smolin
Add-in Express Team Leader
Posted 31 Jan, 2022 09:55:05
mocola
Posts: 9
Joined: 2014-03-08
Hello Andrei,

I do not see any differences between signtool.exe and adxpatch.exe regarding the signing process.

However, I just figured out that for packaging the files as MSI the folder <project>\obj\Release is used and that I am able to sign the <project>.dll using the PreBuild event.

So the only file which does not hold any signatures now is adxloader.dll.manifest.

Can I skip the signature on this file?

Regards,
Sebastian
Posted 01 Feb, 2022 12:10:51
Andrei Smolin
Add-in Express team
Posts: 18848
Joined: 2006-05-11
Hello Sebastian,

Yes, you can try to leave the manifest unsigned.

Regards from Poland (CET),

Andrei Smolin
Add-in Express Team Leader
Posted 02 Feb, 2022 13:05:29
bobcalco
Posts: 66
Joined: 2019-03-20
Sebastian, I will shortly have to add signing with our EV cert to my build process. Can you post a short summary of the steps that got it working for you?
Posted 02 Feb, 2022 20:44:18
mocola
Posts: 9
Joined: 2014-03-08
Hi bobcalco,

yes, sure. These steps are:

1) Disable the Code Signing of Addin Express
2) In the Prebuild Event of your Visual Studio Installer project, add a command calling adxpatch.exe or signtool.exe with the required parameters to sign adxloader.dll and adxloader64, for example like this:

"C:\Program Files (x86)\Add-in Express\Add-in Express for .NET\Bin\adxpatch.exe" /CertificateSubjectName="<CertIdentifier>" /TimestampSHA256Url=http://timestamp.server.url /SHA256=true /TimestampUrl=http://timestamp.server.url /SHA1=true /Sign="<projectpath>\Loader\adxloader.dll"

3) In the Prebuild Event also add a command to sign <project>\obj\Release\<project.dll> like in step 2, as this file will be included in your final output.
4) Add a Postbuild Event to sign the project output (.msi, .exe) like in step 2.

In this scenario the adxloader.dll.manifest stays unsigned, which does not seem to be an issue.

This is the only solution I figured out to sign code with an extended validation (EV) code sign certificate in Visual Studio 2019 and 2022.

Alternatives are:
- Use Visual Studio 2017; it works out of the box with the Code Signing Feature of Addin Express.
- Use WiX installer or something other than Visual Studio Installer. I only read about this; I did not test it myself and cannot confirm it.

Regards,
Sebastian

@Andrei: Btw, when running adxnet-v1000-b4700-vs-std.exe I also get a blue SmartScreen Warning that this file might harm the computer. Maybe you should also think about EV code signing and try to fix this issue.

PS: It would be nice to increase the auto sign-out of the forum; I had to type this post twice...
Posted 03 Feb, 2022 11:21:08
Andrei Smolin
Add-in Express team
Posts: 18848
Joined: 2006-05-11
Hello guys,

We've got an instruction of our own; it targets using an EV certificate in ClickTwice deployment:

About signtool.exe:
- https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool

About adxpatch.exe:
- {Add-in Express installation folder}\Bin\adxpatch.exe
- run adxpatch.exe /? to get a description of the parameters

About adxpublisher.exe:
- Check section 'Publishing from command prompt'; see the PDF file in the folder {Add-in Express}\Docs on your development PC.

Pre-build events of a setup project:

---
"c:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a /n "Add-in Express" /t "http://timestamp.comodoca.com" "d:\Temp\MyAddin89\MyAddin89\bin\Debug\adxloader.dll"
"c:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a /n "Add-in Express" /t "http://timestamp.comodoca.com" "d:\Temp\MyAddin89\MyAddin89\bin\Debug\adxloader64.dll"
"c:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a /n "Add-in Express" /t "http://timestamp.comodoca.com" "d:\Temp\MyAddin89\MyAddin89\bin\Debug\MyAddin89.dll"

copy "d:\Temp\MyAddin89\MyAddin89\bin\Debug\adxloader.dll" "d:\Temp\MyAddin89\MyAddin89\Loader\adxloader.dll"
copy "d:\Temp\MyAddin89\MyAddin89\bin\Debug\adxloader64.dll" "d:\Temp\MyAddin89\MyAddin89\Loader\adxloader64.dll"
---

Prepare a .BAT file which includes these commands:
---
"C:\Program Files (x86)\Add-in Express\Add-in Express for .NET\Bin\adxpublisher.exe" /OutputType=ClickTwice /WorkingDirectory="D:\Temp\MyAddin89\MyAddin89\Configs\ClickTwice\1033\1.0.0" /ConfigFile="adxpublisher.exe.config"

"c:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a /n "Add-in Express" /t "http://timestamp.comodoca.com" "d:\Temp\MyAddin89\MyAddin89\MSIPublish\1033\1.0.0\myaddin89.exe"
"c:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /a /n "Add-in Express" /t "http://timestamp.comodoca.com" "d:\Temp\MyAddin89\MyAddin89\MSIPublish\1033\1.0.0\MyAddin89Setup(1.0.0).msi"
---

NOTE. Make sure the 'Enable hash checking' checkbox is cleared; see {Publish dialog} | ClickTwice | Preferences | Deployment | Common. See also the first screenshot in section 'Preferences' under section 'ClickTwice. Publishing'; see the PDF file in the folder {Add-in Express}\Docs on your development PC.

Now:
Build the setup project.
Run the .BAT file.

UPDATE 26-Mar-2022: Make sure the 'Sign project output, loader and manifest' check box is cleared; select the add-in project and see menu File | Project | Sign Project.

Regards from Poland (CET),

Andrei Smolin
Add-in Express Team Leader
Posted 04 Feb, 2022 04:56:54
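A verification step for the file set discussed in the two posts above (the two loaders, the project DLL, the setup output, and the manifest that stays unsigned in the workaround), written here as an added example and not taken from either post or from Add-in Express. It uses Get-AuthenticodeSignature to report which artifacts carry a valid, timestamped signature; the folder layout and file names are assumptions modelled on the paths in the thread.

```powershell
# Added example: audit the Authenticode status of an Add-in Express build output.
# Paths and names below are assumptions modelled on the thread; adjust to your project.
function Test-AddinSigning {
    param(
        [Parameter(Mandatory)] [string] $ProjectDir,   # e.g. D:\Temp\MyAddin89\MyAddin89
        [Parameter(Mandatory)] [string] $ProjectName,  # e.g. MyAddin89
        [string] $SetupOutput                          # optional: the built .msi or .exe
    )

    # Files that must carry a signature after the pre-/post-build events.
    $required = @(
        (Join-Path $ProjectDir 'Loader\adxloader.dll'),
        (Join-Path $ProjectDir 'Loader\adxloader64.dll'),
        (Join-Path $ProjectDir "obj\Release\$ProjectName.dll")
    )
    if ($SetupOutput) { $required += $SetupOutput }

    # The manifest stays unsigned in the workaround: report it, but do not fail on it.
    $optional = @((Join-Path $ProjectDir 'Loader\adxloader.dll.manifest'))

    $results = foreach ($file in ($required + $optional)) {
        $mustSign = $required -contains $file
        if (-not (Test-Path $file)) {
            [pscustomobject]@{ File = $file; Status = 'Missing'; Signer = $null; Timestamped = $false; Ok = (-not $mustSign) }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        $timestamped = $null -ne $sig.TimeStamperCertificate
        # A valid signature without a timestamp stops verifying once the EV certificate expires,
        # so both conditions are needed for the files that must be signed.
        $ok = (-not $mustSign) -or ($sig.Status -eq 'Valid' -and $timestamped)
        [pscustomobject]@{
            File        = $file
            Status      = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            Timestamped = $timestamped
            Ok          = $ok
        }
    }

    $results | Format-Table -AutoSize | Out-Host
    # $true only when every required file is validly signed and timestamped.
    return -not ($results | Where-Object { -not $_.Ok })
}

# Usage (assumed paths): run after the setup project has been built.
# Test-AddinSigning -ProjectDir 'D:\Temp\MyAddin89\MyAddin89' -ProjectName 'MyAddin89' -SetupOutput 'D:\Temp\MyAddin89\MyAddin89\MSIPublish\1033\1.0.0\MyAddin89Setup(1.0.0).msi'
```

Run it in the post-build step after signing; a non-$true result means a required file is missing, unsigned, or lacks a timestamp, which is what the SmartScreen and 0x8009210d troubleshooting in this thread hinges on.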
Andrei Smolin
Add-in Express team
Posts: 18848
Joined: 2006-05-11
Hello Sebastian,

Both setup.exe and adxnet-v1000-b4700-vs-std.msi are signed with an Add-in Express certificate. I suppose you can bypass this issue if, before unzipping the archive, you right-click it and click Unblock in the Properties window.

mocola writes:
Would be nice to increase the auto sign out of the forum, I had to type this post twice...

We will do this in the next version of the web site. Supposedly, this will occur the next week.

Regards from Poland (CET),

Andrei Smolin
Add-in Express Team Leader
Posted 04 Feb, 2022 05:21:54
mocola
Posts: 9
Joined: 2014-03-08
Hello Andrei,
thank you for sharing your steps to sign with an EV certificate. I should really take a look at adxpublisher.

Regarding the SmartScreen Warning: not unzipping first could be the reason for it. Thank you for the advice, I will try it next time.

Regards,
Sebastian
Posted 08 Feb, 2022 15:16:00