vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License

Can't add additional certificate in signature #128

Open elparasite opened 3 years ago

elparasite commented 3 years ago

I'm using version 2.0.17 of the tool, but I also tried with the latest "main" version.

I'm currently trying to sign our product setup with a fake authority in order to be prepared for when DigiCert provides an EV code signing certificate in Key Vault.

I didn't have any issue until I tried to build a more realistic certificate chain with an intermediate authority and to add this additional certificate to the signature.

NB: I created all certificates using OpenSSL; maybe my certificate authority configurations are wrong. chain.zip

Here is my fake authority conf:

The CS pfx is uploaded in key vault.

Then I sign my exe/msi with:

```
azuresigntool sign -du "https://www.xxx.com" -kvu "https://mykeyvault" -kvi "myclientid" -kvs "mysecret" -kvt "mytenantid" -kvc testfullchain -ac "fakeint.crt" -tr http://timestamp.digicert.com -td sha256 -fd sha256 "my.exe/msi"
```

(also tried with an additional -ac "fakeauth.crt", same result). No error:

```
trce: AzureSignTool.SignCommand[0] Including additional certificate BFCE8168D20A5971BAFFCEF5D978432A514E39C7.
trce: AzureSignTool.SignCommand[0] Retrieving certificate testfullchain.
trce: AzureSignTool.SignCommand[0] Retrieved certificate testfullchain.
trce: AzureSignTool.SignCommand[0] Creating context
info: AzureSignTool.SignCommand[0] Signing file.
trce: AzureSignTool.SignCommand[0] Getting SIP Data
trce: AzureSignTool.SignCommand[0] Calling SignerSignEx3
info: AzureSignTool.SignCommand[0] Signing completed successfully.
info: AzureSignTool.SignCommand[0] Successful operations: 1
info: AzureSignTool.SignCommand[0] Failed operations: 0
```

I checked in DEBUG and it finds the RCA installed in my certificate store, so the chain seems complete and OK.

But when I check the signature using signtool or "right click => properties => signature", it seems that Windows can't verify the certificate chain (the root CA is installed on my computer). So I conclude that the "-ac" option didn't work and that the signature doesn't contain the additional certificate.

If I check with https://www.digicert.com/support/tools/certificate-utility-for-windows, the signature doesn't contain any other certificate than the signer one.

And note that if I use the Windows SDK signtool with the same certificates, the signature is OK and verified:

```
"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "fakeclient.p12" /p test /ac "fakeint.crt" "my.exe"
```
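A direct way to tell "the intermediate is not in the signature" apart from "Windows can't build a chain for some other reason" is to read the PKCS#7 blob out of the PE yourself and list what it carries. The script below is an added example, not part of this issue and not AzureSignTool's code. It assumes Windows PowerShell 5.1 (so `SignedCms` is the .NET Framework implementation), a PE with a single embedded Authenticode signature, and the placeholder paths `C:\build\my.exe` and `C:\build\fakeint.crt`:

```powershell
# Added example, not from the issue or from AzureSignTool itself. Assumes
# Windows PowerShell 5.1 (.NET Framework), a PE with one embedded Authenticode
# signature, and placeholder paths for the signed file and the intermediate.
Add-Type -AssemblyName System.Security

function Get-EmbeddedSignatureCertificates {
    # Returns the certificates the signing tool embedded, plus the signer's
    # own certificate, without asking Windows to verify anything.
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE file (no MZ header)"
    }
    # e_lfanew -> 'PE\0\0', then a 20-byte COFF header, then the optional header
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) sits at +128 for PE32, +144 for PE32+
    $dirOffset = switch ($magic) {
        0x10B   { $optHeader + 128 }
        0x20B   { $optHeader + 144 }
        default { throw ("Unknown optional header magic 0x{0:X}" -f $magic) }
    }
    # Unlike every other data directory, this VirtualAddress is a raw file offset
    $tableOffset = [BitConverter]::ToUInt32($bytes, $dirOffset)
    $tableSize   = [BitConverter]::ToUInt32($bytes, $dirOffset + 4)
    if ($tableOffset -eq 0 -or $tableSize -eq 0) {
        throw "$Path carries no embedded signature"
    }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
    $certLength = [BitConverter]::ToUInt32($bytes, $tableOffset)
    $certType   = [BitConverter]::ToUInt16($bytes, $tableOffset + 6)
    if ($certType -ne 0x0002) {    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        throw ("Unexpected WIN_CERTIFICATE type 0x{0:X}" -f $certType)
    }
    $pkcs7 = New-Object byte[] ($certLength - 8)
    [Array]::Copy($bytes, $tableOffset + 8, $pkcs7, 0, $pkcs7.Length)

    # Decode (not verify) the PKCS#7 SignedData. .Certificates is exactly the
    # set the signing tool chose to embed, so a missing intermediate shows up here.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($pkcs7)
    $signer = $cms.SignerInfos[0].Certificate
    if ($null -eq $signer) { throw "Signer certificate is not in the signature's certificate bag" }
    [pscustomobject]@{ Signer = $signer; Certificates = $cms.Certificates }
}

function Test-ChainFromEmbedded {
    # Builds the signer's chain from the local stores plus only what the
    # signature carries; -Extra lets you add fakeint.crt to prove the gap.
    param(
        [Parameter(Mandatory)]$Signature,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Extra = @()
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the fake CA publishes no CRL
    $chain.ChainPolicy.ExtraStore.AddRange($Signature.Certificates)
    foreach ($c in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $ok = $chain.Build($Signature.Signer)
    [pscustomobject]@{
        Built  = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Path   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}

$file = 'C:\build\my.exe'      # placeholder
$sig  = Get-EmbeddedSignatureCertificates -Path $file
"Embedded certificates: {0}" -f $sig.Certificates.Count
$sig.Certificates | Format-Table Subject, Issuer, Thumbprint -AutoSize

# Using only what the signature carries: PartialChain if the intermediate is absent
Test-ChainFromEmbedded -Signature $sig

# Same check with the intermediate supplied out of band: should now build
$int = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\build\fakeint.crt'  # placeholder
Test-ChainFromEmbedded -Signature $sig -Extra $int

# And what Windows itself reports (this is what the Explorer Signatures tab shows)
Get-AuthenticodeSignature -FilePath $file | Select-Object Status, StatusMessage
```

The thumbprints the script prints can be compared directly with the one AzureSignTool logged as "Including additional certificate"; if it is not in the list, the `-ac` certificate was used for path building but never written into the signature. Run the check on a machine that has neither `fakeint.crt` in any store nor has previously chained to it: Windows caches intermediates it has seen in the user's Intermediate Certification Authorities store, and the chain builder will silently find the certificate there and mask the missing embed, which is exactly why a signing box and a clean verification box can disagree.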

elparasite commented 3 years ago

OK, I tried modifying the dwCertPolicy in the SIGNER_CERT_STORE_INFO and it seems OK. I don't really understand why; according to the documentation, both values should be OK.

https://github.com/elparasite/AzureSignTool/commit/a6af1e441ee8856cb17fdd6ef0a3577d673cbfbe

odalet commented 3 years ago

Hi, I'm quite interested in this modification being reintegrated into the official AzureSignTool. Shall we propose a PR for this? Awaiting some review of this proposition by people here!

vcsjones commented 2 years ago

I think I would like to improve this for the next release of AST. I think it's a little more complicated than changing that flag.

Really, the -ac in AST just helps the chain builder understand how to build a path. We then take that single path and embed its certificates in the signature. I think it would be wise to always include the additional certificates specified, regardless of whether they were in the chain or not, in addition to the chain itself.