![[ChimeraX Issue Tracking System]](/trac/ChimeraX/chrome/site/ChimeraX-icon.svg){kind=icon}
| Version 1 (modified by , 11 days ago) ( diff ) |
|---|
Windows Code Signing
This is how we do automated code signing of Windows binaries using a YubiKey. We started with:
- Enterprise Contract with Sectigo, https://www.sectigo.com
- YubiKey 5 FIPS
- YubiKey Smart Card Minidriver (Windows) from https://www.yubico.com/support/download/smart-card-drivers-tools/
- yubio-piv-tool from https://developers.yubico.com/yubico-piv-tool/
- signtool from Microsoft Visual Studio
- scsigntool from https://www.mgtek.com/smartcard
Outline:
- Used YubiKey Authenticator application from Windows Store to set PIN, PUK, and Management Key
- Install YubiKey Smart Card Minidriver
- Install yubio-piv-tool
- Get email invitation to submit code signing CSR to Sectigo initiated by corporate IT
- Submit CSR and YubiKey attestation
- Get email from Sectigo with link to certificate
- Install certificate on YubiKey
- Sign code
Submit CSR
The code signing slot is the Authentication slot 9A.
Create key in slot
yubico-piv-tool --slot=$SLOT --action=generate --touch-policy=never --algorithm=$ALGORITHM --key --output=public.key
Use public key to create CSR
yubico-piv-tool --slot=$SLOT --action=verify-pin --action=request-certificate --subject='/CN=Sectigo/' --input=public.key --output=csr.txt
Upload csr.txt for the CSR
YubiKey attestation
Get attestation
yubico-piv-tool --slot=$SLOT --action=attest --output=attest.crt
Get YubiKey's intermediate certificates
yubico-piv-tool --action=read-certificate --slot=f9 --output=intermediateCA.crt
Combine and encode in base64
cat attest.crt intermediateCA.crt > attestation.pem base64 < attestation.pem > attestation.pem.b64
Attestation is in attestation.pem.b64. Copy the contents and paste in the Key Attestation field. Make sure YubiKey is the HSM type.
Install Certificate
Use "Certificate only, PEM encoded" certificate. Downloads as $CERT_BASE_cert.cer.
Install in Windows User Certificate manager
Open $CERT_BASE_cert.cer in file explorer, then click on Install Certificate.... Choose Current User. Place in Personal Certificate Store.
Install on YubiKey
yubico-piv-tool --action=import-certificate --slot=$SLOT --key --pin-policy=once --touch-policy=never --input=$CERT_BASE_cert.cer
Install intermediate certificates onto YubiKey
Use "Root/Intermediate(s) only, PEM encoded" certificates. Downloads as CERT_BASE_interm.cer.
interm=$CERT_BASE_interm.cer
let slot=$((0x82))
let max_slot=$((0x95))
while openssl x509 -out cert.pem
do
if [ $slot -ge $max_slot ]
then
echo "too many intermediate certificates"
exit 1
fi
hex_slot=$(printf "%x" $slot)
echo "Import slot $hex_slot: $(openssl x509 -in cert.pem -noout -subject | sed 's/.*CN = //')"
yubico-piv-tool --action=import-certificate --slot=$hex_slot --key --input=cert.pem
slot=$((slot + 1))
done < $interm
Sign Code
Microsoft's signtool doesn't have a way to provide the PIN needed use the private key. So use MGTEK's scsigntool to wrap signtool. In our case:
scsigntool.exe -pin CODESIGN sign /v /a /sha1 CERT_SHA /fd sha256 /t http://timestamp.sectigo.com/authenticode /d "Application Name" app-installer.exe
