Changes between Version 1 and Version 2 of windows-signing


Ignore:
Timestamp:
Oct 9, 2025, 4:35:39 PM (9 days ago)
Author:
Greg Couch
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • windows-signing

    v1 v2  
    33This is how we do automated code signing of Windows binaries using a !YubiKey.  We started with:
    44
    5 * Enterprise Contract with Sectigo, https://www.sectigo.com
     5* Enterprise Contract with [https://www.sectigo.com Secitgo]
    66* !YubiKey 5 FIPS
    7 * !YubiKey Smart Card Minidriver (Windows) from https://www.yubico.com/support/download/smart-card-drivers-tools/
    8 * yubio-piv-tool from https://developers.yubico.com/yubico-piv-tool/
     7* [https://www.yubico.com/support/download/smart-card-drivers-tools/ YubiKey Smart Card Minidriver (Windows)]
     8* [https://developers.yubico.com/yubico-piv-tool/ yubio-piv-tool]
     9* !YubiKey Authenticator application from Windows Store
    910* signtool from Microsoft Visual Studio
    10 * scsigntool from https://www.mgtek.com/smartcard
     11* MGTEK's [https://www.mgtek.com/smartcard scsigntool]
    1112
    12 Outline:
     13Protocol:
    1314
    14 * Used !YubiKey Authenticator application from Windows Store to set PIN, PUK, and Management Key
     15* Use !YubiKey Authenticator application to set PIN, PUK, and Management Key (could use yubio-piv-tool instead)
    1516* Install !YubiKey Smart Card Minidriver
     17  * [https://support.yubico.com/hc/en-us/articles/360015654560-Deploying-the-YubiKey-Smart-Card-Minidriver-to-workstations-and-servers installation notes]
    1618* Install yubio-piv-tool
    1719* Get email invitation to submit code signing CSR to Sectigo initiated by corporate IT
     
    6668`yubico-piv-tool --action=import-certificate --slot=$SLOT --key --pin-policy=once --touch-policy=never --input=$CERT_BASE_cert.cer`
    6769
    68 == Install intermediate certificates onto !YubiKey
     70=== Install intermediate certificates onto !YubiKey
    6971
    7072Use "Root/Intermediate(s) only, PEM encoded" certificates.  Downloads as `CERT_BASE_interm.cer`.
     
    9092== Sign Code
    9193
    92 Microsoft's `signtool` doesn't have a way to provide the PIN needed use the private key.  So use MGTEK's `scsigntool` to wrap signtool.  In our case:
     94Microsoft's `signtool` doesn't have a way to provide the PIN needed utilize the private key.  So use MGTEK's `scsigntool` to wrap signtool.  `ScSignTool.exe` and `ScSignTool.dll` are placed in the directory where `signtool` is used.
     95
     96For example:
    9397{{{
    9498scsigntool.exe -pin CODESIGN sign /v /a /sha1 CERT_SHA /fd sha256 /t http://timestamp.sectigo.com/authenticode /d "Application Name" app-installer.exe