Adxpublisher signing with HSM


Updating adxpublisher to support code signing in HSM
Frank Horenberg
Posts: 20
Joined: 2022-08-03
Hi Andrei,

Code signing certificates can only be delivered as a USB token or in HSM (i.e.: Azure Key Vault). This change has taken place to mitigate issues caused by subpar security and to comply with FIPS 140 Level 2 or Common Criteria EAL 4+.

See: https://cabforum.org/2022/04/06/ballot-csc-13-update-to-subscriber-key-protection-requirements/


Currently we are releasing a web installer as part of our release process, for which we used a file certificate to sign the artifacts (setup executable, msi installer and version_info.xml), via the certificateFile and certificatePassword keys in the adxpublisher.config configuration.

This tool cannot be used anymore going forward for our next releases, due to this limitation. We plan on moving to using an EV code signing certificate in HSM.

What is your plan to tackle this limitation? Will you be releasing an update that will support HSM or USB tokens, and if yes, when will that happen?

Looking forward to your reply!

Kind regards,
Frank
Posted 18 Jan, 2024 10:23:08
Andrei Smolin
Add-in Express team
Posts: 18833
Joined: 2006-05-11
Hello Frank,

The current Add-in Express version does support EV certificates. There's a limitation though: it doesn't support sha384 currently.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 18 Jan, 2024 14:13:04
Frank Horenberg
Posts: 20
Joined: 2022-08-03
Hi Andrei,


Could you please elaborate more, or point me to the documentation on how to configure adxpublisher to sign with a hardware USB token EV certificate? I was under the impression that it does not support it, since the only configuration options I have found, like I mentioned, are the certificateFile and certificatePassword keys in adxpublisher.config.

What about signing with a certificate in a vault? Does it also support this and where can I find the related documentation?

Thank you for your help with this.

Kind regards,
Frank
Posted 19 Jan, 2024 21:15:09
Andrei Smolin
Add-in Express team
Posts: 18833
Joined: 2006-05-11
Hello Frank,

In my case inserting a hardware USB token allows me to sign something with an EV certificate. As far as I remember the certificate name appears in the list of available certificates and I only need to provide a password when performing the sign. This works in .BAT files that we use (the certificate name is stored in the .BAT file itself); I assume the publisher will work in the same way.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 22 Jan, 2024 10:23:26
Frank Horenberg
Posts: 20
Joined: 2022-08-03
Hi Andrei,

Fyi, you can have both an EV and a non-EV certificate in hardware USB token form.

I assume when you say "the certificate appears in the list", you mean the list of Personal certificates in the Windows certificate Store. This is how we also use Microsoft's signtool to sign the MSI installer we release to customers, where we just provide the password when prompted. We also use scripts for this process.

This though has nothing to do with adxpublisher's signing process. The only configuration I know of for that tool to sign its artifacts are the two aforementioned properties.

Could you please investigate and definitively let me know if there is any way that the adxpublisher tool supports anything else but a file certificate and how? And also if there is a plan to support a Vault and by when?

We really need to know, since if it is not working according to the new key protection requirements, we can never use it again and might need to consider other solutions.

Looking forward to your reply!

Kind regards,
Frank
Posted 22 Jan, 2024 16:46:07
Andrei Smolin
Add-in Express team
Posts: 18833
Joined: 2006-05-11
Hello Frank,

<!-- Optional. The name of the subject of the signing certificate. Specifies the name of the subject of the signing certificate, e.g. "My Company" -->
<add key="certificateSubjectName" value=""/>

<!-- Optional. The thumbprint of the signing certificate, e.g. "29a58354111398d2c290a8a875bd025490421195" -->
<add key="certificateThumbprint" value=""/>

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 23 Jan, 2024 11:29:17
Frank Horenberg
Posts: 20
Joined: 2022-08-03
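The two keys above select a certificate from the Windows certificate store rather than a PFX file, which is what makes a token- or HSM-backed key usable. The script below is an added example (not Add-in Express code) showing how to resolve the certificate those values point at, confirm the private key is actually present (i.e. the token is inserted), and, after the artifacts have been signed, confirm that each one carries the expected signer. The subject name, thumbprint and artifact file names are placeholders.

```powershell
# Added example, not part of adxpublisher or the Add-in Express project.
# Resolves the certificate named by certificateSubjectName / certificateThumbprint,
# checks it is usable for signing, and verifies signed artifacts afterwards.
param(
    [string]$Thumbprint  = "",             # value you would put in certificateThumbprint (placeholder)
    [string]$SubjectName = "My Company",   # CN you would put in certificateSubjectName (placeholder)
    [string[]]$Artifacts = @(".\setup.exe", ".\MyAddin.msi")   # assumed artifact names
)

# 1. Candidate code-signing certificates in the current user's Personal store.
#    Thumbprint is the stronger selector: it identifies one certificate, while a
#    subject name also matches renewed or re-issued certificates with the same CN.
$certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)
if ($Thumbprint) {
    $wanted = $Thumbprint.Replace(" ", "").ToUpper()   # store thumbprints are upper-case, no spaces
    $certs = @($certs | Where-Object { $_.Thumbprint -eq $wanted })
} else {
    $certs = @($certs | Where-Object { $_.Subject -like "CN=$SubjectName*" })
}
if ($certs.Count -ne 1) {
    throw "Expected exactly one matching code-signing certificate, found $($certs.Count)"
}
$cert = $certs[0]

# 2. A token/HSM-backed certificate reports HasPrivateKey = True while the key
#    itself never leaves the device. False usually means the token is not inserted
#    or the certificate was imported without its key.
"Subject:       $($cert.Subject)"
"Thumbprint:    $($cert.Thumbprint)"
"HasPrivateKey: $($cert.HasPrivateKey)"
"NotAfter:      $($cert.NotAfter)"
if (-not $cert.HasPrivateKey) { throw "No usable private key for this certificate" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate has expired" }

# 3. After the publisher has signed the EXE/MSI, confirm the signature is valid
#    and was produced by exactly this certificate, not by some other one that
#    happened to match the subject name.
foreach ($file in $Artifacts) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    $sameSigner = $sig.SignerCertificate -and
                  ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
    $verdict = if ($sig.Status -eq 'Valid' -and $sameSigner) { "OK" } else { "MISMATCH" }
    "{0}: status={1}, signer={2} -> {3}" -f $file, $sig.Status,
        $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { "none" }), $verdict
}
```

Run it once before a release to catch a missing token or an expired certificate, and once after adxpublisher has signed the output. Get-AuthenticodeSignature covers the EXE and MSI; version_info.xml carries an XML signature rather than an Authenticode one, so it is not checked by this script.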
Hi Andrei,

Thank you for your reply.

I tried to create a signed new web installer and it seems to work!!

I assumed that these two settings are used for adxpublisher to sign with a certificate in the Windows Certificate Store. I assumed that for the certificateSubjectName we need to use the value of the CN in the Details of the certificate we want to be used for code signing. The certificateThumbprint is easy since there is a Thumbprint value in the Details of the certificate in the Store.

Did I use the correct values?


Our certificate is an EV certificate on a hardware USB token. We had asked in the past via this https://www.add-in-express.com/forum/read.php?FID=5&TID=15976 and we were told that EV certificates are not supported!

Was it a wrong answer back then or were EV certificates supported after a specific version, which was released after that question?

Is there a risk if we use the EV certificate to create a web installer and deploy it to production, for the update process to fail with users getting an error when trying to download the new MSI via the EXE?

Looking forward to your answer!
Thank you again for helping me out!

Kind regards,
Frank
Posted 24 Jan, 2024 15:01:22
Andrei Smolin
Add-in Express team
Posts: 18833
Joined: 2006-05-11
Hello Frank,

Great news!

Frank Horenberg writes:
Was it a wrong answer back then or were EV certificates supported after a specific version, which was released after that question?


It was a correct answer at that moment. Add-in Express supports EV certificates (except for sha384) in version 10.2.

Frank Horenberg writes:
Is there a risk if we use the EV certificate to create a web installer and deploy it to production, for the update process to fail with users getting an error when trying to download the new MSI via the EXE?


I don't understand the question. The web installer, do you mean ClickTwice? I can imagine this scenario: you create a ClickTwice installer and it works, and updates do work but later on the web server requests that TLS 1.0 must not be used.

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 24 Jan, 2024 15:18:48
Frank Horenberg
Posts: 20
Joined: 2022-08-03
Hi Andrei,

I see the support was recently added with 10.2. I found the https://www.add-in-express.com/add-in-net/history.php on your site 👍

To your question, what I mean by "web-installer" are the exe and msi files that are the artifacts of adxpublisher (ClickTwice).

And my question is, could it be that those files are signed and published without issues, but when placed (along with the signed version_info.xml) in a production environment, so that users can download the next version, there is a problem, for example an error thrown?

So in short, can there be a problem if we switch from using the certificateFile/certificatePassword to using the certificateSubjectName/certificateThumbprint for code signing? Can an old version that was signed with the old certificate, be updated to a new version that is signed with the EV certificate from the Windows Store?

I hope I explained the scenario in my question in enough detail.

Kind regards,
Frank
Posted 25 Jan, 2024 12:09:50
Andrei Smolin
Add-in Express team
Posts: 18833
Joined: 2006-05-11
Hello Frank,

Frank Horenberg writes:
can there be a problem if we switch from using the certificateFile/certificatePassword to using the certificateSubjectName/certificateThumbprint for code signing?


I don't expect any issue at this point.

Frank Horenberg writes:
Can an old version that was signed with the old certificate, be updated to a new version that is signed with the EV certificate from the Windows Store?


Yes!

Regards from Poland (GMT+1),

Andrei Smolin
Add-in Express Team Leader
Posted 26 Jan, 2024 14:52:49