GoogleCloudPlatform / kms-integrations

https://cloud.google.com/kms
Apache License 2.0

Releasing an x86 version of the CNG provider #18

Open obones opened 1 year ago

obones commented 1 year ago

Hello,

The current version of the CNG provider is targeting x64 only, and while this works, it's a bit counterintuitive as the vast majority of online tutorials for signtool all refer to the x86 version. As a result, one will get the dreaded "no private key is available" error message as described in Issue #17.

Further to this, Microsoft is providing various accompanying tools for use with signtool in the form of Subject Interface packages that allow signing files beyond the usual binary or PowerShell script. One of the most popular is for Microsoft Office, to allow signing all Office documents. Those Subject Interface packages are DLLs that get registered with the operating system and are only available for the x86 platform, which means an x64 signtool will not be able to use them. As a result, with the current situation, either we can use the CNG (x64) or we can use Office SIPs (x86), but we can't use them at the same time.

I thus believe it would be beneficial for most users to have an x86 version of the CNG.

ysichrisdag commented 1 year ago

Another vote for this request. I need it for signing MS Office docs as well.

bbamsch commented 4 months ago

FYI: I can only find the Microsoft Visual Studio SDK VsixSignTool distributed as a 32-bit executable. While the VsixSignTool does have the ability to select a CSP, it does not appear to be possible to use the KMS CNG integration to sign with this tool since the KMS CNG integration only provides a 64-bit dynamic library.

ysichrisdag commented 4 months ago

Signtool.exe is distributed in both 32- and 64-bit.

bbamsch commented 4 months ago

Note that my prior comment is specifically about Visual Studio SDK VsixSignTool.exe which is used to sign Visual Studio extensions. This is distinct from the Microsoft SDK Signtool.exe that can be used to sign Windows executables, libraries, and other scripts. The Microsoft SDK's Signtool.exe does not appear to have support for signing *.vsix artifacts.

obones commented 3 months ago

I tried building the project in 32-bit mode (--config m32) but even if I leave out the config flag, it errors out on trying to patch various items. I believe this is because of missing prerequisites, but it seems very complex to get all this right.