wiggers
Level 7

Signing - password pasted into Firefox!

During a release build just now I opened Firefox and just as I started to type a search query the password for signing modules appeared in the search box! It seems it would be very easy for some malware to trap the password.
(4) Replies
DebbieL
Level 17

Are you using .spc and .pvk files to sign your installations? If so, you may want to switch to a .pfx file. For more information, see Digital Signing and Security.
wiggers
Level 7

The 'Digital Signing and Security' help topic does not say that using .spc and .pvk is not permitted. As it is a valid option, it needs to be secure.
DebbieL
Level 17

As described in the article, using a .pfx file is preferred over the other file types. Microsoft SignTool.exe (the tool that InstallShield uses when you specify a .pfx file for your release) accepts a command-line parameter for the password, so you would not run into the behavior that you encountered if you switched to this for signing.

Microsoft Signcode.exe, which is called if you specify .spc and .pvk files to sign, does not accept command-line parameters for the password. So, the build has to pass the password to Signcode.exe when prompted for it, as you encountered.
wiggers
Level 7

DebbieL wrote:
So, the build has to pass the password to Signcode.exe when prompted for it, as you encountered.


No, what I encountered was InstallShield passing the password to Firefox.