How will new rules of CA/B Forum's Code Signing Certificates affect UWP Signing process?

Question

We have a UWP that we sign with a certificate installed on a CI/CD pipeline machine. We use this PowerShell command to get it signed:

.\signtool.exe sign /fd sha256 /t http://timestamp.digicert.com /n "935B2960-B127-4AAC-8CEF-12B537I6737D" "C:\Users\%username%\source\myrepo\MyUwpTestApp\MyUwpTestApp\AppPackages\MyUwpTestApp_1.0.1.0_Debug_Test\MyUwpTestApp_1.0.1.0_x64_Debug.msixbundle"

The signing certificate is an OV Certificate from Digicert. But apparently, the OV Certificates are going to get overhauled to be stored in a hardware key https://www.thesslstore.com/blog/code-signing-price-changes-as-cas-align-with-new-industry-standards/

> Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.

I have been trying to find documentation about how this could be implemented in the signing command posted before, but haven't found anything. As I understand it, the certificate and everything is stored on a hardware key, so it never leaves the USB key.

  1. How should we inject the binary through the USB using a PowerShell command?
  2. Do we need to add some kind of command to the PowerShell to force it to use the hardware key?
  3. Any way to avoid human interaction during the signing process? It would be nice to keep the CI/CD pipeline independent, as it is now.

Thanks.

Answer 1

Score: 2

The USB token holding the private key will most likely be a SafeNet eToken or a Yubikey, depending on the CA issuing the certificate. The SafeNet eToken comes with its own client software which integrates with Windows, and the signtool syntax is mostly the same. See for example the DigiCert documentation on EV code signing; the procedure for OV certificates will be the same. I'm not sure if the interactive prompt to unlock the key can be avoided; it's likely to be configurable from the SafeNet Authentication client.

For Yubikey-backed certificates, there is also client software to install (YubiKey Smart Card Minidriver), and again the signtool syntax is pretty much the same (see the Yubikey documentation for more details). The key password can be specified on the command line, but depending on the Yubikey slot holding the key, it may be necessary to physically touch the Yubikey to perform the signing operation (slot 9c, used for digital signature, requires it by default, but CAs often issue the certificate on the authentication slot 9a, which doesn't require a physical interaction).
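The answer above says the signtool syntax stays mostly the same once the key is on a token; what changes for a CI pipeline is how the certificate is selected and how you make sure the key really is hardware-resident. The script below is an added example, not code from the question, the answer, DigiCert or Yubico. It assumes Windows PowerShell 5.1 with the token vendor's client software or minidriver installed, signtool.exe from the Windows SDK on PATH, a placeholder thumbprint for the code signing certificate, and a package path modelled on the one in the question. The two provider names it treats as "hardware" are an assumption for this example: the Microsoft smart card KSP is what minidriver-based tokens such as a YubiKey surface, and the eToken provider is what the SafeNet client installs; adjust the list to what your token actually reports.

```powershell
# Added example (not from the original question or answer): sign an MSIX bundle with
# signtool using a certificate whose private key lives on a hardware token, and fail
# the build if the key turns out to be software-resident. Assumptions: Windows
# PowerShell 5.1 with the token's client software/minidriver installed, signtool.exe
# from the Windows SDK on PATH, and a placeholder thumbprint.

param(
    [string]$Thumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT',   # assumed: thumbprint of the code signing cert
    [string]$Package    = '.\MyUwpTestApp_1.0.1.0_x64_Debug.msixbundle',
    [string]$Timestamp  = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

# Providers that indicate the key is on a token/smart card (assumed names for this example).
$HardwareProviders = @(
    'Microsoft Smart Card Key Storage Provider',  # CNG KSP used by minidriver-based tokens such as YubiKey
    'eToken Base Cryptographic Provider'          # legacy CSP installed by SafeNet Authentication Client
)

function Get-SigningCert {
    param([string]$Thumbprint)
    # /n matches on subject name and becomes ambiguous once the new token-backed certificate
    # is installed alongside the old OV certificate; the thumbprint is unique, so use that.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate found, but Windows sees no private key (token not plugged in or driver missing?)"
    }
    return $cert
}

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the name of the CSP/KSP holding the private key. Minidriver tokens surface a
    # CNG key, SafeNet eTokens a legacy CSP key, so handle both.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.Provider.Provider
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.ProviderName
    }
    throw "Unsupported key type: $($rsa.GetType().FullName)"
}

function Assert-HardwareBackedKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $provider = Get-KeyProviderName -Cert $Cert
    if ($HardwareProviders -notcontains $provider) {
        # A key in the software provider means a copy exists on disk; refuse to sign with it.
        throw "Private key is held by '$provider', not a hardware token provider; refusing to sign"
    }
    Write-Host "Key provider: $provider"
}

$cert = Get-SigningCert -Thumbprint $Thumbprint
Assert-HardwareBackedKey -Cert $cert

# /sha1 selects the certificate by thumbprint; /fd sha256 hashes the package with SHA-256;
# /tr with /td sha256 requests an RFC 3161 timestamp so the signature stays valid after the
# certificate expires. Any PIN prompt is raised by the token software at this point.
& signtool.exe sign /sha1 $Thumbprint /fd sha256 /tr $Timestamp /td sha256 $Package
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the signature chains to a trusted root before the package is published.
& signtool.exe verify /pa /v $Package
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The provider check is the part worth keeping in a pipeline: it turns the CA/B requirement quoted in the question into something the build enforces, so a certificate that was accidentally imported as a PFX with an exportable key cannot sign anything, and the job fails loudly when the token is not present instead of hanging on a prompt.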

huangapple
  • Posted on 2023-04-04 16:29:47
  • Please keep this link when reposting: https://go.coder-hub.com/75927152.html