Closed bderuijsscher closed 6 years ago
You will have to call retailsign.cmd On to enable using the signature set in setsignature.cmd
Regards, Paramesh
From: Bart de Ruijsscher notifications@github.com Sent: Thursday, April 12, 2018 8:19:50 AM To: ms-iot/iot-adk-addonkit Cc: Subscribed Subject: [ms-iot/iot-adk-addonkit] Retail signing of BSP keeps using Test Certificates (#219)
Hi,
as mentioned on this page (https://docs.microsoft.com/en-us/windows/iot-core/build-your-image/createbsps) the BSP files need to be retail signed when building a retail image. Despite setting this retail signing certificate correctly in the setsignature.cmd file (and which turns out to function properly in the buildpkg all command), the retail signing certificates are not picked up when running the build.cmd file in the BSP folder (for Raspberry Pi).
What would be the advice to achieve retail signed BSP files?
Thanks in advance.
Hi,
That is exactly what I did but that didn’t make any difference
Can you please confirm that the SIGNTOOL_OEM_SIGN is set as you expect in the env variables? This is what is used for signing the files in the sign.cmd.
Well, when running
buildpkg All
it does seem to be signing the other packages using the correct certificate
Here is an excerpt from the buildfm_oem.log file generated after running the buildfm oem command.
Apparently this process involves first signing the cabs with a test certificate before signing them with a retail certificate?
info: Trying to load file 'C:\iot-adk-addonkit\Build\arm\InputFMs\OEMFMFileList.xml' as a FM file list ...
FeatureAPI: Successfully validated the Feature Manifest XML: C:\iot-adk-addonkit\Build\arm\InputFMs\OEMCommonFM.xml
info: Merging packages for feature 'BASE.OEMCOMMON'
info: Merging packages for feature 'OEM_Sec_LockDown.OEMCOMMON'
info: Merging packages for feature 'OEM_CUSTOM_CMD.OEMCOMMON'
info: Merging packages for feature 'OEM_OEMCommon_HotKey.OEMCOMMON'
info: Merging packages for feature 'OEM_CUSTOM_BCD.OEMCOMMON'
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat with -testonly for package 'MyProductName.OEM_CUSTOM_BCD.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\pndufyll.sov\gvecd2pz.mf0_content.cat with -testonly for package 'MyProductName.OEM_Sec_LockDown.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\pndufyll.sov\gvecd2pz.mf0_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat with -testonly for package 'MyProductName.BASE.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\2oqdblzr.hpy\wf2wefkn.jcm_content.cat with -testonly for package 'MyProductName.OEM_CUSTOM_CMD.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\2oqdblzr.hpy\wf2wefkn.jcm_content.cat'.
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\qd1jn1cn.ehx\jfqdzait.qbn_content.cat with -testonly for package 'MyProductName.OEM_OEMCommon_HotKey.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\qd1jn1cn.ehx\jfqdzait.qbn_content.cat'.
info: Merging packages for feature 'OEM_Sec_SecureBoot.OEMCOMMON'
info: PkgCommonManaged: CreateCatalog: Signing catalog path C:\Users\MyUserName\AppData\Local\Temp\pqkmtfix.f1g\1a1hv3l0.u20_content.cat with -testonly for package 'MyProductName.OEM_Sec_SecureBoot.OEMCOMMON.MainOS'.
info: Calling sign.cmd with options '-testonly' and file 'C:\Users\MyUserName\AppData\Local\Temp\pqkmtfix.f1g\1a1hv3l0.u20_content.cat'.
signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat"
The following certificate was selected:
Issued to: MyCompanyName B.V.
Issued by: DigiCert EV Code Signing CA (SHA2)
Expires: Tue Mar 23 14:00:00 2021
SHA1 hash: omitted
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: omitted
Issued to: DigiCert High Assurance EV Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:55:33 2021
SHA1 hash: omitted
Issued to: DigiCert EV Code Signing CA (SHA2)
Issued by: DigiCert High Assurance EV Root CA
Expires: Sun Apr 18 14:00:00 2027
SHA1 hash: omitted
Issued to: MyCompanyName B.V.
Issued by: DigiCert EV Code Signing CA (SHA2)
Expires: Tue Mar 23 14:00:00 2021
SHA1 hash: omitted
Done Adding Additional Store
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signed: "C:\Users\MyUserName\AppData\Local\Temp\q3pazaf1.ni3\t1qbxosv.oay_content.cat"
Sign.Cmd RC=0
info: PkgCommonManaged: SaveCab: Signing cab path 'C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg' with -testonly.
info: Calling sign.cmd with options '-pkg -testonly' and file 'C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg'.
signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
signtool.exe : fatal error : Signing failed with 1 on -pkg -testonly "C:\iot-adk-addonkit\Build\arm\pkgs\MyProductName.BASE.OEMCOMMON.MainOS.spkg"
Sign.Cmd RC=1
signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /ac "C:\iot-adk-addonkit\DigiCert High Assurance EV Root CA.crt" /fd SHA256 /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat"
The following certificate was selected:
Issued to: MyCompanyName B.V.
Issued by: DigiCert EV Code Signing CA (SHA2)
Expires: Tue Mar 23 14:00:00 2021
SHA1 hash: omitted
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 15:54:03 2025
SHA1 hash: omitted
Issued to: DigiCert High Assurance EV Root CA
Issued by: Microsoft Code Verification Root
Expires: Thu Apr 15 21:55:33 2021
SHA1 hash: omitted
Issued to: DigiCert EV Code Signing CA (SHA2)
Issued by: DigiCert High Assurance EV Root CA
Expires: Sun Apr 18 14:00:00 2027
SHA1 hash: omitted
Issued to: MyCompanyName B.V.
Issued by: DigiCert EV Code Signing CA (SHA2)
Expires: Tue Mar 23 14:00:00 2021
SHA1 hash: omitted
Done Adding Additional Store
Successfully signed: C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signed: "C:\Users\MyUserName\AppData\Local\Temp\eehy5ti4.ko2\glamwqj1.z0a_content.cat"
Sign.Cmd RC=0
Anyway, it appears that this process also reverts to the expired 2013 test certificates as mentioned in this issue
How can we proceed to prevent this error?
Many thanks in advance.
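The log excerpt above interleaves the "Calling sign.cmd" lines, the signtool command that sign.cmd actually ran, and the "Sign.Cmd RC=" result, which makes it easy to miss that one step quietly fell back to the expired 2013 test certificate. The script below is added here as an example and is not part of the iot-adk-addonkit project or the ADK: it parses log lines of that shape (a constructed sample modelled on the excerpt, with paths shortened) and reports, for each file handed to sign.cmd, the certificate subject signtool selected, whether that subject marks a test-only certificate, and the return code. build_is_retail_signed answers the question this thread is really about, whether every final package (the "-pkg" calls) ended up signed with a non-test certificate and a zero return code.

```python
"""Audit iot-adk-addonkit signing steps from a buildfm/buildpkg log.

Added example, not part of the ms-iot/iot-adk-addonkit project. It parses log
lines of the shape seen in the thread: the 'Calling sign.cmd ...' line, the
signtool command sign.cmd ran, and the 'Sign.Cmd RC=' result. The sample log
below is constructed from the excerpt above (paths shortened).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CALL_RE = re.compile(r"Calling sign\.cmd with options '([^']*)' and file '([^']*)'")
SUBJECT_RE = re.compile(r'/n "([^"]+)"')   # signtool /n <subject name of the signing cert>
RC_RE = re.compile(r"Sign\.Cmd RC=(\d+)")

# Constructed sample: one catalog signed with the retail EV certificate
# (the OEM signing options took effect) and one .spkg where sign.cmd fell
# back to the expired 2013 test certificate and failed.
SAMPLE_LOG = (
    "info: Calling sign.cmd with options '-testonly' and file 'C:\\Temp\\a_content.cat'.\n"
    'signtool.exe sign /v /s my /i "DigiCert EV Code Signing CA (SHA2)" /n "MyCompanyName B.V." /fd SHA256 "C:\\Temp\\a_content.cat"\n'
    "Successfully signed: C:\\Temp\\a_content.cat\n"
    "Sign.Cmd RC=0\n"
    "info: Calling sign.cmd with options '-pkg -testonly' and file 'C:\\pkgs\\Product.BASE.MainOS.spkg'.\n"
    'signtool.exe sign /v /s my /i "Windows Phone Intermediate 2013" /n "Windows Phone OEM Test Cert 2013 (TEST ONLY)" /fd SHA256 "C:\\pkgs\\Product.BASE.MainOS.spkg"\n'
    'signtool.exe : fatal error : Signing failed with 1 on -pkg -testonly "C:\\pkgs\\Product.BASE.MainOS.spkg"\n'
    "Sign.Cmd RC=1\n"
)


@dataclass
class SigningStep:
    options: str                    # e.g. '-pkg -testonly'
    target: str                     # file handed to sign.cmd
    subject: Optional[str] = None   # /n value of the signtool command, if seen
    rc: Optional[int] = None        # Sign.Cmd return code

    @property
    def test_only_cert(self) -> bool:
        # The OEM test certificates carry "(TEST ONLY)" in their subject.
        return bool(self.subject) and "TEST ONLY" in self.subject.upper()

    @property
    def final_package(self) -> bool:
        # '-pkg' marks the cab/spkg that ships; catalogs are intermediate.
        return "-pkg" in self.options.split()


def parse_signing_steps(log_text: str) -> List[SigningStep]:
    """Group each 'Calling sign.cmd' line with its signtool command and RC."""
    steps: List[SigningStep] = []
    current: Optional[SigningStep] = None
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m:
            current = SigningStep(options=m.group(1), target=m.group(2))
            continue
        if current is None:
            continue
        if line.startswith("signtool.exe sign"):
            m = SUBJECT_RE.search(line)
            if m:
                current.subject = m.group(1)
            continue
        m = RC_RE.search(line)
        if m:
            current.rc = int(m.group(1))
            steps.append(current)
            current = None
    return steps


def audit(steps: List[SigningStep]) -> List[str]:
    """One finding per step that failed or used a test-only certificate."""
    findings = []
    for s in steps:
        if s.rc != 0:
            findings.append(f"FAIL {s.target}: sign.cmd returned {s.rc} (subject={s.subject!r})")
        elif s.final_package and s.test_only_cert:
            findings.append(f"WARN {s.target}: shipped package signed with test-only cert {s.subject!r}")
        elif s.test_only_cert:
            findings.append(f"INFO {s.target}: intermediate file signed with test-only cert")
    return findings


def build_is_retail_signed(steps: List[SigningStep]) -> bool:
    """True only if every final package signed cleanly with a non-test cert."""
    pkgs = [s for s in steps if s.final_package]
    return bool(pkgs) and all(s.rc == 0 and not s.test_only_cert for s in pkgs)


if __name__ == "__main__":
    parsed = parse_signing_steps(SAMPLE_LOG)
    for finding in audit(parsed):
        print(finding)
    print("retail signed:", build_is_retail_signed(parsed))
```

Run it against the real buildfm_oem.log by reading the file into parse_signing_steps; the "-testonly" option on the first call is reported as harmless because the subject that signtool actually selected is the retail one, while the .spkg step is flagged because the fallback certificate is test-only and the return code is 1.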
I managed to build the BSP, packages and final retail image by manually replacing the references to the obsolete certificates in the sign.cmd from the ADK, however, this probably is not the most elegant solution.
You can use the sign.cmd added to the addonkit recently in the tools folder. This will be used due to the path precedence and you can leave the sign.cmd in the ADK folder intact.
The updated sign.cmd will also avoid signing the intermediate files with the test cert, though that is not an issue as the cab files used are properly signed.
Regards, Paramesh
From: Bart de Ruijsscher notifications@github.com Sent: Friday, April 13, 2018 5:32:20 AM To: ms-iot/iot-adk-addonkit Cc: Paramesh Babu; Comment Subject: Re: [ms-iot/iot-adk-addonkit] Retail signing of BSP keeps using Test Certificates (#219)
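The fix above depends on two environment facts that are easy to get wrong before running build.cmd: which sign.cmd wins when the name is resolved through PATH, and whether SIGNTOOL_OEM_SIGN is set at all. The following preflight check is an added example, not part of the iot-adk-addonkit project or the ADK. It models the lookup cmd.exe performs for a bare command name (current directory first, then each PATH entry in order, applying PATHEXT suffixes when the name has none) over a constructed set of files, and reports which sign.cmd would run and whether the OEM signing variable is present. The addonkit Tools path and the ADK location are constructed placeholders; the real ADK path on your machine will differ.

```python
"""Preflight check for the signing environment before running build.cmd.

Added example, not part of the ms-iot/iot-adk-addonkit project. It models the
lookup cmd.exe performs for a bare command name such as sign.cmd (current
directory first, then each PATH entry in order, trying PATHEXT suffixes when
the name carries none), so you can see which sign.cmd wins before building,
and reports whether SIGNTOOL_OEM_SIGN is set. All directories and files
below are constructed; the ADK location is a placeholder.
"""
from typing import Callable, Dict, Optional


def resolve_command(name: str, cwd: str, path: str, pathext: str,
                    exists: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate file cmd.exe would pick, or None."""
    exts = [e.lower() for e in pathext.split(";") if e]
    has_ext = any(name.lower().endswith(e) for e in exts)
    candidates = [name] if has_ext else [name + e for e in exts]
    # Current directory is searched before any PATH entry.
    for directory in [cwd] + [d for d in path.split(";") if d]:
        for candidate in candidates:
            full = directory.rstrip("\\") + "\\" + candidate
            if exists(full):
                return full
    return None


def preflight(env: Dict[str, str], cwd: str,
              exists: Callable[[str], bool]) -> Dict[str, object]:
    """Report which sign.cmd wins and whether OEM signing is configured."""
    winner = resolve_command("sign.cmd", cwd, env.get("PATH", ""),
                             env.get("PATHEXT", ".COM;.EXE;.BAT;.CMD"), exists)
    return {
        "sign_cmd": winner,
        # The fix in the thread relies on the addonkit copy shadowing the ADK copy.
        "addonkit_sign_cmd_wins": (winner is not None
                                   and "\\iot-adk-addonkit\\tools\\" in winner.lower()),
        # sign.cmd reads its retail signing options from this variable.
        "oem_sign_configured": bool(env.get("SIGNTOOL_OEM_SIGN", "").strip()),
    }


# Constructed file system: the addonkit copy of sign.cmd and an ADK copy at a
# placeholder location (not the real ADK path).
ADDONKIT_SIGN = "C:\\iot-adk-addonkit\\Tools\\sign.cmd"
ADK_SIGN = "C:\\ADK_PLACEHOLDER\\bin\\sign.cmd"
SAMPLE_FILES = {p.lower() for p in (ADDONKIT_SIGN, ADK_SIGN)}


def sample_exists(path: str) -> bool:
    # Windows paths are case-insensitive, so compare lower-cased.
    return path.lower() in SAMPLE_FILES


def good_env() -> Dict[str, str]:
    # addonkit Tools folder ahead of the ADK folder, OEM signing options exported
    return {"PATH": "C:\\iot-adk-addonkit\\Tools;C:\\ADK_PLACEHOLDER\\bin",
            "PATHEXT": ".COM;.EXE;.BAT;.CMD",
            "SIGNTOOL_OEM_SIGN": "<retail signing options from setsignature.cmd>"}


def bad_env() -> Dict[str, str]:
    # ADK folder first on PATH and no OEM signing options exported
    return {"PATH": "C:\\ADK_PLACEHOLDER\\bin;C:\\iot-adk-addonkit\\Tools",
            "PATHEXT": ".COM;.EXE;.BAT;.CMD"}


if __name__ == "__main__":
    for label, env in (("good", good_env()), ("bad", bad_env())):
        print(label, preflight(env, "C:\\work", sample_exists))
```

On a real build host, pass os.environ and os.path.isfile instead of the constructed environment and file set; if "addonkit_sign_cmd_wins" comes back False the ADK copy is still shadowing the updated one, and if "oem_sign_configured" is False the retail certificate from setsignature.cmd was never exported into the shell that runs build.cmd.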
Let me know if the above solution works for you so I can close this issue. Thanks
Hi,
after some testing this appears to be functioning properly. However, only after disabling integration of a Write Filter (which was initialized at first boot through oemcustomization.cmd) because apparently there is some initialization done or saved by the SystemConfigurator or any related service.
Regards
Closing.