GlitchedPolygons / SigntoolGUI

Qt GUI that wraps signtool.exe with an easy drag & drop approach for signing binaries on Windows.
GNU General Public License v3.0

[FEATURE] Add the ability to use the Windows Certificate Store and/or hardware devices/smartcards #2

Closed ARGYROU-MINAS closed 7 months ago

ARGYROU-MINAS commented 1 year ago

Is your feature request related to a problem? Please describe.
Only uses PKCS12/pfx files. New Code Signing certificates will only be issued on hardware devices/smartcards.

Describe the solution you'd like
SignTool.exe is already capable of using the Windows Certificate Store. Add the ability to the Signtool GUI wrapper to pass to SignTool.exe a certificate to use from the Windows Certificate Store, which will, in turn, request the PIN for the hardware device/smartcard.

Describe alternatives you've considered
None.

Additional context
The new CA/B Forum guidelines will require the use of hardware devices/smartcards for ALL Code Signing certificates that are publicly trusted.

GlitchedPolygons commented 1 year ago

@ARGYROU-MINAS Hi there, thanks for pointing this out! Would this essentially be +1 file extension that I'd have to add to the allowlist of the drag & drop field, or does this require a modification of the CLI invocation's parameters? I know nothing about modern code signing cert standards, I still have my crusty old pfx files until they expire ;D

ARGYROU-MINAS commented 1 year ago

@GlitchedPolygons The latter option; I believe you would have to change the CLI invocation's parameters. SignTool.exe has an option "/sha1", which takes as a parameter the fingerprint/thumbprint of the certificate used for signing. So, I presume, you could add a field on the GUI, in which the user inputs the fingerprint/thumbprint, which will then be passed to SignTool.exe.

GlitchedPolygons commented 1 year ago

Thanks for clarifying! I'll look into this as soon as I have time 😃

PCAssistSoftware commented 1 year ago

Hi, just found your tool whilst looking for a GUI for signtool. Have used pfx files for years, but just renewed my certificate and, as per @ARGYROU-MINAS's initial post, this time it was issued on a USB token rather than just being a download.

More info for you on the process in case it is useful:

So it means when I received it I had to firstly install SafeNet Authentication Client - https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l000000o6kL

Then plug in my USB eToken and enter the password I was given via email - this then puts the certificate in my Personal Certificate Store on my computer

So to sign an EXE I then use the below signtool command line and SafeNet then pops up and asks me to enter the password for my token - the token has to remain plugged in whenever I need to sign anything.

signtool.exe sign /tr http://timestamp.sectigo.com/ /td sha256 /fd sha256 /a "filename_to_sign.exe"

Whereas before, when I just had a PFX file, to sign an EXE I would have used the below command line:

signtool.exe sign /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 /f code_signing_certificate.pfx /p "mypassword" "filename_to_sign.exe"

Hope this is helpful.
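The two invocations above (pfx file versus a certificate selected from the store) differ only in how the signing certificate is chosen, which is what a wrapper has to get right. As an added illustration, not code from SigntoolGUI, here is a small C++ helper that builds the signtool.exe argument list for either flow; the thumbprint path uses the `/sha1` option mentioned earlier in the thread instead of `/a`, and it normalises and validates the thumbprint the user pastes in so that a stray separator or a truncated value is rejected before signtool is ever launched. The struct and function names are hypothetical.

```cpp
#include <cctype>
#include <optional>
#include <stdexcept>
#include <string>
#include <vector>

// Normalise a thumbprint as pasted from certmgr or PowerShell (spaces, colons,
// mixed case) into the 40 upper-case hex digits that signtool's /sha1 expects.
// Returns nullopt if the cleaned-up value is not a valid SHA-1 thumbprint.
std::optional<std::string> normalizeThumbprint(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw) {
        if (c == ' ' || c == ':' || c == '\t') continue;   // common separators
        if (!std::isxdigit(c)) return std::nullopt;         // anything else: reject
        out.push_back(static_cast<char>(std::toupper(c)));
    }
    if (out.size() != 40) return std::nullopt;              // SHA-1 = 20 bytes
    return out;
}

struct SigningRequest {   // hypothetical GUI state, not SigntoolGUI's own type
    std::string file;          // binary to sign
    std::string timestampUrl;  // RFC 3161 server, e.g. http://timestamp.sectigo.com
    std::string pfxPath;       // set for the old pfx flow
    std::string pfxPassword;
    std::string thumbprint;    // set for the certificate-store / token flow
};

// Build the argv for signtool.exe. Exactly one of pfxPath / thumbprint must be
// set. With /sha1 the certificate comes from the Personal store; for a token
// the SafeNet middleware then prompts for the PIN, so no password is passed.
std::vector<std::string> buildSigntoolArgs(const SigningRequest& r) {
    std::vector<std::string> a{"sign", "/tr", r.timestampUrl, "/td", "sha256", "/fd", "sha256"};
    if (!r.pfxPath.empty() && !r.thumbprint.empty())
        throw std::invalid_argument("choose either a pfx file or a store certificate");
    if (!r.pfxPath.empty()) {
        a.insert(a.end(), {"/f", r.pfxPath, "/p", r.pfxPassword});
    } else {
        auto tp = normalizeThumbprint(r.thumbprint);
        if (!tp) throw std::invalid_argument("thumbprint must be 40 hex digits");
        a.insert(a.end(), {"/sha1", *tp});
    }
    a.push_back(r.file);
    return a;
}
```

Passing `/a` instead of `/sha1` (as in the command above) lets signtool pick a certificate itself, which is convenient but ambiguous once more than one code-signing certificate is in the store.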

GlitchedPolygons commented 1 year ago

Thanks! Yes, it helps a lot. When I have time to implement this feature I'll already have a starting point :)

GlitchedPolygons commented 7 months ago

@ARGYROU-MINAS @PCAssistSoftware

Hey y'all, sorry for the slight delay (ehrm...) 🫠

I fixed this in release 1.1.0 - in case you even need this anymore ;D

https://github.com/GlitchedPolygons/SigntoolGUI/releases/tag/1.1.0