ms-iot / iot-adk-addonkit

Contains command line scripts for package creation and image creation process and samples for iot products

Retail signing of BSP keeps using Test Certificates #219

Closed bderuijsscher closed 6 years ago

bderuijsscher commented 6 years ago

Hi,

As mentioned on this page, the BSP files need to be retail signed when building a retail image. Despite setting this retail signing certificate correctly in the setsignature.cmd file (which turns out to function properly in the buildpkg all command), the retail signing certificates are not picked up when running the build.cmd file in the BSP folder (for Raspberry Pi).

What would be the advice to achieve retail signed BSP files?

Thanks in advance.

parameshbabu commented 6 years ago

You will have to call retailsign.cmd On to enable using the signature set in setsignature.cmd.

Regards, Paramesh


From: Bart de Ruijsscher notifications@github.com Sent: Thursday, April 12, 2018 8:19:50 AM To: ms-iot/iot-adk-addonkit Cc: Subscribed Subject: [ms-iot/iot-adk-addonkit] Retail signing of BSP keeps using Test Certificates (#219)


bderuijsscher commented 6 years ago

Hi,

That is exactly what I did, but that didn't make any difference.

parameshbabu commented 6 years ago

Can you please confirm that SIGNTOOL_OEM_SIGN is set as you expect in the environment variables? This is what is used for signing the files in sign.cmd.

bderuijsscher commented 6 years ago

Well, when running

buildpkg All

it does seem to be signing the other packages using the correct certificate.

bderuijsscher commented 6 years ago

Here is an excerpt from the buildfm_oem.log file generated after running the buildfm oem command.

Apparently this process involves first signing the cabs with a test certificate before signing them with a retail certificate?

info: Trying to load file 'C:\iot-adk-addonkit\Build\arm\InputFMs\OEMFMFileList.xml' as a FM file list ...
FeatureAPI: Successfully validated the Feature Manifest XML: C:\iot-adk-addonkit\Build\arm\InputFMs\OEMCommonFM.xml
info: Merging packages for feature 'BASE.OEMCOMMON'
info: Merging packages for feature 'OEM_Sec_LockDown.OEMCOMMON'
info: Merging packages for feature 'OEM_CUSTOM_CMD.OEMCOMMON'
info: Merging packages for feature 'OEM_OEMCommon_HotKey.OEMCOMMON'
info: Merging packages for feature 'OEM_CUSTOM_BCD.OEMCOMMON'
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat with -testonly for package 'MyProductName.OEM_CUSTOM_BCD.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\pndufyll.sov\gvecd2pz.mf0_content.cat with -testonly for package 'MyProductName.OEM_Sec_LockDown.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\pndufyll.sov\gvecd2pz.mf0_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat with -testonly for package 'MyProductName.BASE.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\2oqdblzr.hpy\wf2wefkn.jcm_content.cat with -testonly for package 'MyProductName.OEM_CUSTOM_CMD.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\2oqdblzr.hpy\wf2wefkn.jcm_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\qd1jn1cn.ehx\jfqdzait.qbn_content.cat with -testonly for package 'MyProductName.OEM_OEMCommon_HotKey.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\qd1jn1cn.ehx\jfqdzait.qbn_content.cat'.
info: Merging packages for feature 'OEM_Sec_SecureBoot.OEMCOMMON'
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\pqkmtfix.f1g\1a1hv3l0.u20_content.cat with -testonly for package 'MyProductName.OEM_Sec_SecureBoot.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\pqkmtfix.f1g\1a1hv3l0.u20_content.cat'.
signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256  /t http://timestamp.verisign.com/scripts/timestamp.dll   "C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat"
The following certificate was selected:
    Issued to: MyCompanyName B.V.
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires:   Tue Mar 23 14:00:00 2021
    SHA1 hash: omitted

Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: omitted

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 21:55:33 2021
        SHA1 hash: omitted

            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 14:00:00 2027
            SHA1 hash: omitted

                Issued to: MyCompanyName B.V.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Tue Mar 23 14:00:00 2021
                SHA1 hash: omitted

Done Adding Additional Store
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

signed:  "C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat"
Sign.Cmd RC=0

info: PkgCommonManaged: SaveCab: Signing cab path 'C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg' with -testonly.
info: Calling sign.cmd with options '-pkg -testonly' and file 'C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg'.
signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256  /t http://timestamp.verisign.com/scripts/timestamp.dll   "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
signtool.exe : fatal error : Signing failed with 1 on -pkg -testonly "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
Sign.Cmd RC=1

signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256  /t http://timestamp.verisign.com/scripts/timestamp.dll   "C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat"
The following certificate was selected:
    Issued to: MyCompanyName B.V.
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires:   Tue Mar 23 14:00:00 2021
    SHA1 hash: omitted

Cross certificate chain (using machine store):
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires:   Sat Nov 01 15:54:03 2025
    SHA1 hash: omitted

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 21:55:33 2021
        SHA1 hash: omitted

            Issued to: DigiCert EV Code Signing CA (SHA2)
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Apr 18 14:00:00 2027
            SHA1 hash: omitted

                Issued to: MyCompanyName B.V.
                Issued by: DigiCert EV Code Signing CA (SHA2)
                Expires:   Tue Mar 23 14:00:00 2021
                SHA1 hash: omitted

Done Adding Additional Store
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

signed:  "C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat"
Sign.Cmd RC=0

Anyway, it appears that this process also reverts to the expired 2013 test certificates, as mentioned in this issue.

How can we proceed to prevent this error?

Many thanks in advance.
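The log above is easier to reason about once each signtool call is paired with the mode sign.cmd was asked for and the exit code that followed. The following is an added example, not code from the iot-adk-addonkit project or from either commenter: a small Python auditor that reads a build log of the shape shown above and reports, per signed file, the requested options, the certificate subject signtool actually selected, and the Sign.Cmd RC value. The sample log is constructed from the excerpt (trimmed to the lines that matter). The classification rules are my assumptions drawn from the log, not project definitions: a subject containing "TEST ONLY" is treated as a test certificate, and .spkg/.cab files are treated as the packages that ship in the image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes taken from the buildfm_oem.log excerpt in this thread.
RE_CALL = re.compile(r"Calling sign\.cmd with options '(?P<opts>[^']*)' and file '(?P<file>[^']*)'")
RE_SIGNTOOL = re.compile(r"^signtool\.exe sign\b(?P<args>.*)$")
RE_SUBJECT = re.compile(r'/n\s+"(?P<subject>[^"]*)"')
RE_QUOTED = re.compile(r'"([^"]*)"')
RE_OK = re.compile(r"^Successfully signed:")
RE_RC = re.compile(r"^Sign\.Cmd RC=(?P<rc>\d+)")


@dataclass
class SignEvent:
    file: str
    options: str                   # what sign.cmd was asked to do, e.g. '-pkg -testonly'
    subject: Optional[str] = None  # the /n subject signtool actually selected
    rc: Optional[int] = None       # value of the 'Sign.Cmd RC=' line
    succeeded: bool = False

    @property
    def is_test_cert(self) -> bool:
        # Assumption: the 2013 OEM test certificates carry "(TEST ONLY)" in their subject.
        return self.subject is not None and "TEST ONLY" in self.subject.upper()

    @property
    def is_output_package(self) -> bool:
        # Assumption: .spkg/.cab end up in the image; the temp *_content.cat files are intermediate.
        return self.file.lower().endswith((".spkg", ".cab"))


def parse_log(text: str) -> List[SignEvent]:
    """Pair every signtool invocation with the sign.cmd options requested for that file
    and with the Sign.Cmd exit code that follows it."""
    requested: Dict[str, str] = {}     # file -> options from the 'Calling sign.cmd' line
    events: List[SignEvent] = []
    current: Optional[SignEvent] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_CALL.search(line):
            requested[m["file"]] = m["opts"]
        elif m := RE_SIGNTOOL.match(line):
            quoted = RE_QUOTED.findall(m["args"])
            target = quoted[-1] if quoted else ""     # the file to sign is the last quoted argument
            subj = RE_SUBJECT.search(m["args"])
            current = SignEvent(target, requested.get(target, ""), subj["subject"] if subj else None)
        elif current and RE_OK.match(line):
            current.succeeded = True
        elif current and (m := RE_RC.match(line)):
            current.rc = int(m["rc"])
            events.append(current)
            current = None
    return events


def findings(events: List[SignEvent]) -> List[str]:
    """Flag test certs on shipped packages, failed runs, and requested-mode/selected-cert mismatches."""
    out: List[str] = []
    for e in events:
        if e.is_output_package and e.is_test_cert:
            out.append(f"TEST certificate selected for output package {e.file}")
        if e.rc not in (None, 0):
            out.append(f"sign.cmd returned RC={e.rc} for {e.file}")
        if "-testonly" in e.options and e.subject and not e.is_test_cert:
            out.append(f"info: {e.file} requested with -testonly but signed as '{e.subject}'")
    return out


# Constructed sample: a trimmed version of the excerpt posted above, same line shapes.
SAMPLE_LOG = r"""
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat'.
signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat"
The following certificate was selected:
    Issued to: MyCompanyName B.V.
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat
Sign.Cmd RC=0
info: Calling sign.cmd with options '-pkg -testonly' and file 'C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg'.
signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
signtool.exe : fatal error : Signing failed with 1 on -pkg -testonly "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
Sign.Cmd RC=1
signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat"
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat
Sign.Cmd RC=0
"""

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(f"{e.file}\n    requested {e.options!r:20} signed as {e.subject!r}  RC={e.rc}")
    for msg in findings(evts):
        print("!", msg)
```

Run against the sample, the auditor shows the point the excerpt makes only implicitly: the intermediate .cat files were requested with -testonly yet signed with the retail subject, while the .spkg was handed to the "(TEST ONLY)" certificate and failed with RC=1. The requested flag is therefore not evidence of what a file carries; the selected certificate is, and the authoritative check on the .spkg/.cab files that end up in the image is still signtool verify on the files themselves.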

bderuijsscher commented 6 years ago

I managed to build the BSP, packages and final retail image by manually replacing the references to the obsolete certificates in the sign.cmd from the ADK; however, this is probably not the most elegant solution.

parameshbabu commented 6 years ago

You can use the sign.cmd added to the addonkit recently in the tools folder. This will be used due to the path precedence, and you can leave the sign.cmd in the ADK folder intact.

The updated sign.cmd will also avoid signing the intermediate files with the test cert, though that is not an issue as the cab files used are properly signed.

Regards, Paramesh


From: Bart de Ruijsscher notifications@github.com Sent: Friday, April 13, 2018 5:32:20 AM To: ms-iot/iot-adk-addonkit Cc: Paramesh Babu; Comment Subject: Re: [ms-iot/iot-adk-addonkit] Retail signing of BSP keeps using Test Certificates (#219)


parameshbabu commented 6 years ago

Let me know if the above solution works for you so I can close this issue. Thanks.

bderuijsscher commented 6 years ago

Hi,

After some testing this appears to be functioning properly. However, it only did so after disabling integration of a Write Filter (which was initialized at first boot through oemcustomization.cmd), because apparently some initialization is done or saved by the SystemConfigurator or a related service.

Regards

parameshbabu commented 6 years ago

Closing.