google / omaha

Google Update for Windows
Apache License 2.0

How to sign a file using an installed certificate instead of a pfx file #77

Closed namtb49 closed 8 years ago

namtb49 commented 8 years ago

So, I want to develop our update solution based on the Omaha protocol (and this source code, respectively) to allow live updates for our customers. After several tries to untangle and dig into this source code and all the related documents, I finally applied the Omaha update solution to my application successfully. Everything seems to be OK, and my software updates nicely, but there is still a minor problem hindering the deployment process. After uploading the updated version to some download sites and forums for trial purposes, some customers complained that, when they download this update setup, some common web browsers (such as IE or Chrome) warn them about a security risk. After some research, I learned that this is because my update software was signed with a test certificate (paired with the download source), not with a trusted cert, so this may lead to problems, and more seriously, it may be blocked by some antivirus or system protection software.

I've read all the source and scripts related to the signing process and found that it uses the signtool utility from the Windows SDK to sign all exe and dll files with the pfx/cert file pair during the build process. To solve this non-trusted problem, these must be replaced with suitable files. According to the MSDN tutorial page, I learned that signtool can be used with many options, one of which is to pass an input param pointing to an installed cert that has been registered with the Windows system, which I got from a legacy project. And, because we already have everything from the startup step, we want to build the update software with this preinstalled cert, without having to fund buying the precious global key.

So could I apply this signing approach with the Omaha source code, and how could I achieve this? I've seen that the main scons file has some blocks of code related to setting up the input params for calling the signtool utility, but it may lead to recursive changes to many script and py files in other modules.

sorinj commented 8 years ago

We will reply to this email after we push a new set of patches that affect signing, as a result of http://aka.ms/sha1.

namtb49 commented 8 years ago

Sorry, maybe I didn't describe my problem clearly in my previous post. In more detail, I get this installed cert from my own USB token device; the producer doesn't provide any information about a cert file shipped with it in this deal. After installing this token on my Windows PC, I have the cert installed on my PC, which may be used to sign and verify files before publishing. This cert can be viewed from the Windows certificate management snap-in. For a single file, I can use this device to sign and verify the file with the signtool util by specifying the input param for the installed cert that belongs to that USB token (the sign command may be referenced from the MSDN site), and typing the correct password in the next prompt window of the signing process. It works, and now I plan to sign all files in the Omaha build result using this device. But with the Omaha script process, I haven't found a proper way to pass this cert in the right way. This leads to some difficult problems configuring the related scripts and source files.

GitHubGanesh commented 8 years ago

You may need to modify omaha/site_scons/site_tools/code_signing.py. Look at the DualSignedBinaryGenerator() function, where the parameters are being constructed and passed to signtool. Currently there are environment variables that you can override for SHA1_CERTIFICATE_PATH, SHA2_CERTIFICATE_PATH, CERTIFICATE_NAME, etc.

namtb49 commented 8 years ago

Thanks for your advice! But, as in my previous post, I am now trying to sign with the hardware cert instead of the pfx file, i.e., I have decided to change the usual way of passing params to signtool to support getting info from the installed cert and then providing the valid cert password in the later prompt window. The signing process can be done exactly with this sign command: Signtool sign /v /s MY /n MyPrivateCert /t http://timestamp.verisign.com/scripts/timstamp.dll FileToSign.exe

I think this may require writing some code to probe and query info about the installed cert stored in the Windows system to bypass the ugly prompt window in the build process.
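As an added illustration of the two certificate-selection modes discussed in the answer above and in the signtool command in this comment (this is not Omaha's own code_signing.py and does not reproduce it), the following Python helper builds the signtool command lines for a dual-signed binary, taking each certificate either from a .pfx file with a password or from the Windows "MY" store by subject name, which is how a hardware-token cert is exposed. The function names, the dual-signing layout (SHA-1 first, SHA-256 appended with /as), and the meaning given to SHA1_CERTIFICATE_PATH, SHA2_CERTIFICATE_PATH and CERTIFICATE_NAME are assumptions made for this example.

```python
import os
import subprocess

# Hypothetical helper for illustration; it is NOT Omaha's code_signing.py.
# SHA-1 timestamp URL as quoted in the comment above.
SHA1_TIMESTAMP = "http://timestamp.verisign.com/scripts/timstamp.dll"

def cert_args(cert, password=None):
    """signtool arguments that select the signing certificate.

    cert is either a .pfx path (the private key sits in that file and its
    password goes on the command line via /p, so both need protecting in a
    build environment) or a (store, subject_name) tuple for a certificate
    installed in the Windows store. In the store case the key stays in the
    store or hardware token and any PIN prompt comes from the token driver,
    so no password is passed here.
    """
    if isinstance(cert, tuple):
        store, subject = cert
        return ["/s", store, "/n", subject]
    return ["/f", cert] + (["/p", password] if password else [])

def dual_sign_commands(path, sha1_cert, sha2_cert, sha1_pw=None, sha2_pw=None,
                       rfc3161_url=None):
    """Two signtool runs: SHA-1 signature first, SHA-256 appended with /as."""
    first = ["signtool", "sign", "/v", *cert_args(sha1_cert, sha1_pw),
             "/t", SHA1_TIMESTAMP, path]
    second = ["signtool", "sign", "/v", "/as", "/fd", "sha256",
              *cert_args(sha2_cert, sha2_pw)]
    if rfc3161_url:  # RFC 3161 timestamp for the SHA-256 signature
        second += ["/tr", rfc3161_url, "/td", "sha256"]
    return [first, second + [path]]

def commands_from_env(path, env=os.environ):
    """Assumed override scheme (not Omaha's): CERTIFICATE_NAME selects an
    installed cert by subject name for both signatures; otherwise the two
    *_CERTIFICATE_PATH variables point at .pfx files."""
    name = env.get("CERTIFICATE_NAME")
    if name:
        return dual_sign_commands(path, ("MY", name), ("MY", name))
    return dual_sign_commands(path, env["SHA1_CERTIFICATE_PATH"],
                              env["SHA2_CERTIFICATE_PATH"],
                              env.get("SHA1_CERTIFICATE_PASSWORD"),
                              env.get("SHA2_CERTIFICATE_PASSWORD"))

if __name__ == "__main__":  # print the command lines for the token-cert case
    for cmd in commands_from_env("FileToSign.exe", {"CERTIFICATE_NAME": "MyPrivateCert"}):
        print(subprocess.list2cmdline(cmd))
```

In the store-backed case the private key never leaves the token, which is the property that makes the hardware cert preferable to a .pfx plus password in a build tree.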

WinLwinTun33 commented 8 years ago

thanks for your team's support and supply

namtb49 commented 8 years ago

Finally I have finished building Omaha with the hardware cert from my token. Thanks a lot!