ishelpqs
Level 3

InstallShield Digital Signing Tab/Options do not support new industry standard requirements for code signing certs


The options to digitally sign within InstallShield discussed here https://docs.revenera.com/installshield22helplib/helplibrary/IHelpReleaseDigitalSignature.htm do not seem to support the new industry requirements for code signing certificates discussed here https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html

Option #1 (.pfx approach with password) will absolutely not work; this is the approach that is being deprecated by the industry.

Option #2: I have tried to set up a proof-of-concept with a new HSM certificate from DigiCert ONE, but this does not seem to work.

The uninstall .msi that is generated during the InstallShield process cannot be signed without these options or precompression events.

How are teams supposed to sign via InstallShield without having to use some workaround like precompression events?

(1) Solution

I signed it with a brand new cert from DigiCert (the one with private keys on HSM) using option 2. InstallShield reported the build as successful, and when I inspected the signed binaries, I can see that it's signed with the right fingerprint of the new cert.

I used the DigiCert tool called smksp_cert_sync.exe to sync the new certs into the local store.

When you say "Option 2 does not handle this case" with the new certs what sort of errors are you getting?

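The check the accepted answer describes (cert synced into the local store, built binary carrying the new cert's fingerprint) can be scripted. This is an added example, not code from the thread or from DigiCert/Revenera; the thumbprint and artifact path are placeholders you substitute.

```powershell
# Added example (not from the thread). Verifies two things the accepted answer
# checked by hand: (1) the signing cert synced into CurrentUser\My has a private
# key held by a non-software key storage provider, and (2) a built artifact is
# signed with exactly that certificate.
param(
    [string]$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT',  # placeholder
    [string]$Artifact = 'C:\placeholder\path\Setup.msi'           # placeholder
)

# 1. Find the certificate that smksp_cert_sync.exe (or the SafeNet client) put
#    into the user store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
if (-not $cert) {
    throw "Cert $ExpectedThumbprint not in CurrentUser\My (store not synced or token not attached?)"
}
if (-not $cert.HasPrivateKey) {
    throw "Cert $ExpectedThumbprint has no private key association"
}

# Ask CNG which key storage provider actually holds the key. Under the
# November 2022 requirement this should be a hardware/cloud KSP, not the
# Microsoft software provider.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider = $rsa.Key.Provider.Provider
} else {
    $provider = $rsa.GetType().Name   # legacy CSP-backed key
}
"Private key provider for $($cert.Subject): $provider"

# 2. Verify the build output's Authenticode signature and that the signer is
#    the expected certificate, not an older .pfx-based one left in a profile.
$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne 'Valid') {
    throw "Signature status on ${Artifact}: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Signed with $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature; signature expires with the cert"
}
"OK: $Artifact is signed by $($sig.SignerCertificate.Subject)"
```

Run it against every signed output of the build, including the generated uninstall .msi the original question mentions, since that is the file most likely to be missed.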

(25) Replies
Dan_Galender
Level 10

Piling on! Please add me to the list of those wanting to know how to deal with the new requirements.

I agree. The documentation is poor.

old_developer
Level 3

If the HSM (Hardware Security Module) is an eToken (e.g. IDPrime eToken 5110 CC (940)), that is, a small USB device, the following should work.

After installing the SafeNet Authentication Client (SAC) with the option "Minidriver", the SAC installs the certificate from the HSM in the Local User Certificate Store when the HSM is attached. SAC removes the certificate from the local store when the HSM is removed.

The certificate is marked as "ask an interface for signing" (in my words). The SAC has registered such an interface. If InstallShield or the Microsoft Signtool tries to use the certificate, Windows asks the interface, then maybe SAC asks the user for a token password (that is NOT the private key) and routes the request to the HSM. The HSM performs the signing and returns to Windows, which returns to InstallShield or the Microsoft Signtool.

It works if the machine where the user initially logged on has the eToken attached, or if the user is connected from such a machine via RDP to a build server where the signing process is started (InstallShield or the Microsoft Signtool).

And exactly that gets me into big trouble:

That means it is not possible to attach the eToken to a machine somewhere in the company, connect to that machine via RDP and sign there.

Our problem is that almost every developer is working from home, therefore sharing the eToken isn't really possible.

Does anybody know how to work around this, or which HSM can handle an environment with a few developers on a few build servers?


We have a bit of the same situation, with our build machine being a virtual one, so there is no way to stick the USB token in it physically.

I followed the guide linked below and put the USB token in one of our Synology devices. Then, using VirtualHere, I connected the USB device to the machine. And, most important: do not use RDP but VNC to connect to the machine, otherwise the USB token isn't recognized. This has something to do with smart card authentication being disabled with RDP or something.

Hope this helps a bit.

Code Signing with USB Tokens: Meaning, Working, and Set up (signmycode.com)


@old_developer we are working on integrating HSM code signing right now, but Azure Key Vault would be a cloud HSM that you could use and call from multiple build machines.
