- Revenera Community
- :
- InstallShield
- :
- InstallShield Forum
- :
- Re: InstallShield Digital Signing Tab/Options do not support new industry standard requirements for ...
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
The options to digitally sign within InstallShield discussed here https://docs.revenera.com/installshield22helplib/helplibrary/IHelpReleaseDigitalSignature.htm do not seem to support new industry requirements for code signing certificates discussed here https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html
Option #1 (.pfx approach with password) will absolutely not work, this is the approach that is being deprecated by the industry.
Option #2 I have tried to setup a proof-of-concept with a new HSM certificate from digicertONE but this does not seem to work.
The uninstall .msi that is generated during installshield process is unable to be signed without these options or precompression events.
How are teams supposed to sign via InstallShield without having to use some workaround like precompression events?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I signed it with a brand new cert from Digicert(the one with private keys on HSM) using option 2. InstallShield reported the build as successful and then when I inspected the signed binaries, I can see that its signed with the right fingerprint of the new cert.
I used the digicert tool called smksp_cert_sync.exe to sync the new certs into the local store.
When you say "Option 2 does not handle this case" with the new certs what sort of errors are you getting?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Piling on! Please add me to the list of those wanting to know on how to deal with the new requirements.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I agree. The documentation is poor.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
If the HSM (Hardware Security Module) is an eToken (e.g. IDPrime eToken 5110 CC (940), that is a small USB-device, the following should work.
After installing the SafeNet Authentication Client (SAC) with the option "Minidriver", the SAC installs the certificate from the HSM in the Local User Certificate Store when the HSM will be attached. SAC removes the certificate form the local store if the HSM will be removed.
The certificate is marked as "ask an interface for signing" (in my words). The SAC had registered such an interface. If InstallShield or the Microsoft Signtool tries to use the certificate, Windows ask the interface, then maybe SAC ask the user for an token password (that is NOT the private key), routes the query to the HSM. The HSM processes the signing and returns to Windows, which returns to InstallShield or the Microsoft Signtool.
It works, if the machine there the user is initial logged on has the eToken attached or if the user is connected from such a machine via RDP to an build server where the signing process started (InstallShield or the Microsoft Signtool).
And exactly that brings me in a big trouble:
That means, it is not possible, to attach the eToken on a machine somewhere in the company, connect to such a machine via RDP and sign there.
Our problem is, that almost every developer is in home office, therefore sharing of the eToken isn’t really possible.
Does anybody know how to work around or which HSM can handle an environment for a few developers on a few build servers?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
We have a bit of the same situation, with our build machine being a virtual one so there is no way to stick the usb drive in it physically.
I followed the guide linked below, and put the usb token in one of our Synology's. Then using Virtualhere connected the usb to the machine. And, most important: do not use rdp, but vnc to connect to the machine, otherwise the usb token isn't recognized. This has something to do with smartcard authentication being disabled with rdp or something.
Hope this helps a bit.
Code Signing with USB Tokens: Meaning, Working, and Set up (signmycode.com)
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
@old_developer we are working on integrating HSM code signing right now but Azure Key Vault would be a cloud HSM that you could use and call from multiple build machines.