#7 EV Certificate Signing

v1.0_(example)
open
nobody
5
2014-03-28
2014-03-11
ybdjkfd
No

For Windows 8 SmartScreen reputation filtering there is an EV Code Signing certificate which relies on a USB token device. These certificates allow for the newer generation of code signing.

Is there a way I can automate code signing using this newer type of certificate or even use the newer EV Certificate with osslsigncode? We have the ability to convert a DigiCert code signing certificate to the correct formats for osslsigncode, but the newer EV Certificate may be more of a hassle to get its USB token.

Note How-to: http://www.digicert.com/code-signing/ev-authenticode-certificates.htm
Note: http://www.digicert.com/code-signing/ev-code-signing.htm

Discussion

  • Per Allansson
    Per Allansson
    2014-03-12

    I don't think the certificate itself poses any problem - the problem is that its private key resides on an external device - in this case a USB token. The obvious solution to this is to add support in osslsigncode for signing with certificates accessed through PKCS#11 - assuming that the token(s) used by DigiCert provide the necessary PKCS#11 libraries - but I assume they do.

    This is a rather nice and generic feature which I will put on my TODO list. :)

    However, depending on the external token, automating signing might not be fully achievable depending on how you need to authenticate against the token - it can use some sort of 2-factor authentication (this is mentioned in the second link above) which will require interaction and/or physical access to the token every time you sign something.

    • ybdjkfd
      ybdjkfd
      2014-03-21

      I have scripted everything previously without the EV Certificate, so I have hope we can lend osslsigncode some help to make use of PKCS#11. I have almost got it, but I can't get around some final issues of connecting things together.

      Let's start with how I could sign things previously:

      # Double quotes so the shell expands the variables (single quotes would pass them literally)
      osslsigncode -ac "${CROSS_CERTIFICATE}" -spc "${SPC_FILE}" -key "${DER_KEY_FILE}" -n "${signed_name}" -i http://www.eyetechds.com -t http://timestamp.digicert.com -in "${file_not_signed}" -out "${file_is_signed}"

      I then went to Tommy Skaug's repo for Debian (although I used Ubuntu 13.10), to install tools that read the DigiCert token, which is rather a SafeNet (Aladdin) product with limited support and a lack of command line access so far (at least on Windows). Here is the installation of a Linux ".so" module for the pkcs11-tool binary: https://secdiary.com/forensics/the-ubuntu-forensics-repo-is-live/ (Yes, his web certificate seems self-signed; my browser shows the warning).

      Once installed, I was able to run all of the following commands on Linux: https://secdiary.com/creative-work-2/getting-the-aladdin-etoken-pro-working-on-ubuntu/

      Note however, I did not need to create and run any of those commands. I had the eToken device already set up with DigiCert's certificates and tools on Windows. I am just showing you his module with pkcs11-tool on Linux. The SafeNet drivers started as well, requesting the necessary passwords on Linux. I hope we can bypass those for a full command-line experience.

      A better example is SafeNet's paper on using it with SSH, which may help us get further with osslsigncode: https://kb.safenet-inc.com/resources/sites/SAFENET/content/live/TECH_NOTES/1000/TE1299/en_US/HowTo_use_eToken_with_openSSH_v1.0.pdf

      This is easy now on Linux and so on (replace the lib64 with lib in case you are on 32-bit):

      pkcs11-tool --module /usr/lib64/libeToken.so --login --list-objects
      Last edit: ybdjkfd 2014-03-21
      • ybdjkfd
        ybdjkfd
        2014-03-21

        Also, with the above comment, I can export everything except for the private key using pkcs11-tool. So would there be any way to script things together for osslsigncode to work out more quickly?

        • Per Allansson
          Per Allansson
          2014-03-28

          One way to do this would be to add support in osslsigncode to pass the signing to an external script/program. Basically osslsigncode would generate a file containing a data blob that the external script/program will sign and return as a PKCS#7 signature, including the needed certificates - and then osslsigncode can add this to the executable.

  • Per Allansson
    Per Allansson
    2014-03-28

    Ticket moved from /p/osslsigncode/support-requests/3/
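As an added example (not osslsigncode's code, nor anything posted in this thread) of the scripting ybdjkfd asks about and of the raw signing step Per's external-signer idea would need: parse the output of the `pkcs11-tool --login --list-objects` command shown above, find the private key and certificate that share an object ID, and build the pkcs11-tool command lines that export the certificate and sign a blob. The listing, the object ID and the label values below are constructed; the module path is the one from the thread.

```python
"""Scripting helpers around pkcs11-tool for a PKCS#11 token (added example)."""
import re
from typing import Dict, List, Optional

MODULE = "/usr/lib64/libeToken.so"  # path from the thread; /usr/lib on 32-bit

# Constructed sample of `pkcs11-tool --module ... --login --list-objects`
# output (private keys are only listed after --login).
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      EV Code Signing (constructed)
  ID:         a1b2
  Usage:      sign
Certificate Object; type = X.509 cert
  label:      EV Code Signing (constructed)
  ID:         a1b2
Public Key Object; RSA 2048 bits
  label:      EV Code Signing (constructed)
  ID:         a1b2
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      Intermediate CA (constructed)
  ID:         0002
"""

def parse_objects(listing: str) -> List[Dict[str, str]]:
    """Turn the listing into dicts with 'kind', 'label', 'id' (hex) fields."""
    objects: List[Dict[str, str]] = []
    for line in listing.splitlines():
        head = re.match(r"^(Private Key|Public Key|Certificate) Object;", line)
        if head:
            objects.append({"kind": head.group(1)})
        elif objects and line.startswith(" ") and ":" in line:
            key, value = line.strip().split(":", 1)
            objects[-1][key.strip().lower()] = value.strip()
    return objects

def find_signing_pair(objects: List[Dict[str, str]]) -> Optional[str]:
    """Return the object ID shared by a private key and an X.509 certificate."""
    key_ids = {o["id"] for o in objects if o["kind"] == "Private Key" and "id" in o}
    for o in objects:
        if o["kind"] == "Certificate" and o.get("id") in key_ids:
            return o["id"]
    return None

def export_cert_cmd(obj_id: str, out_path: str, module: str = MODULE) -> List[str]:
    """argv that writes the DER certificate with this ID to out_path."""
    return ["pkcs11-tool", "--module", module, "--id", obj_id, "--type", "cert",
            "--read-object", "--output-file", out_path]

def sign_blob_cmd(obj_id: str, blob: str, sig: str, pin: str, module: str = MODULE) -> List[str]:
    """argv for a raw PKCS#1 v1.5 signature; the token hashes the blob with SHA-256.
    Pass the PIN from the environment (e.g. os.environ["TOKEN_PIN"]) to avoid the
    prompt; a token that also demands a touch/2-factor step still blocks here."""
    return ["pkcs11-tool", "--module", module, "--login", "--pin", pin, "--id", obj_id,
            "--sign", "-m", "SHA256-RSA-PKCS", "--input-file", blob, "--output-file", sig]
```

The raw signature this produces is not yet the PKCS#7 structure Per describes; wrapping it together with the exported certificates is the part that would live in osslsigncode or the external signer.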