wazuh / wazuh-agent

Wazuh agent, the Wazuh agent for endpoints.
GNU Affero General Public License v3.0

signtool issues command within batch file #118

Closed eshortway closed 7 hours ago

eshortway commented 1 month ago

I'm just wondering if this command signtool sign /a /tr http://timestamp.digicert.com /fd SHA256 /d "%MSI_NAME%" /td SHA256 "%MSI_NAME%" is tested and has had success. I'm trying to sign the MSI file, but I keep getting SignTool Error: No certificates were found that met all the given criteria. I'm using the latest Windows SDK and have defined paths to 64/bin and also x86/bin where signtool exists. I'm on a fresh install of Win10. Is this strictly version-related to some old signtool.exe, or what seems to be the case?

vikman90 commented 2 weeks ago

Hi @eshortway,

The error message from SignTool indicates that it cannot find a valid certificate on your system to sign the package. Could you verify that your certificate is properly installed?

To sign an MSI file, you need a code-signing certificate. Here's how you can obtain and install a certificate from DigiCert and ensure that SignTool recognizes it:

  1. Obtaining a Code-Signing Certificate
    • You can purchase a code-signing certificate from DigiCert by visiting their Code Signing Certificates page (https://www.digicert.com/code-signing/).
    • After your purchase, DigiCert will guide you through the process of verifying your identity and issuing the certificate.
  2. Installing the Certificate
    • Once you receive the certificate from DigiCert, you will need to install it on your system.
    • Open the certificate file and follow the installation prompts. You should choose to install it in the "Personal" certificate store, as this is where SignTool will look for certificates.
  3. Ensuring SignTool Can Access the Certificate
    • After installation, you can verify that the certificate is available by using the following command in PowerShell:
      Get-ChildItem Cert:\CurrentUser\My
    • This command will list all certificates in the "Personal" store for the current user. Your code-signing certificate should appear in the list.
  4. Using SignTool
    • Once the certificate is installed, you can run the signtool command as before:
      signtool sign /a /tr http://timestamp.digicert.com /fd SHA256 /d "%MSI_NAME%" /td SHA256 "%MSI_NAME%"
    • The /a flag tells SignTool to automatically select the best certificate, which should now work if the certificate is installed correctly.

If the certificate is installed correctly but you are still facing issues, ensure that:

    • You are running the command with administrative privileges.
    • Your certificate is valid and not expired.
    • Your system time is accurate, as time discrepancies can cause issues with timestamp servers.

Let me know if you need further assistance. Best!
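A fuller version of steps 3 and 4 above, as an added example that is not part of the original comment or the wazuh-agent project: it filters the Personal store the way SignTool's /a does (Code Signing EKU, private key, currently valid), prints what the store actually holds when nothing qualifies, and then signs by thumbprint so the certificate choice is explicit. The MSI path and the assumption that signtool.exe is on PATH are placeholders.

```powershell
# Added example, not project code. Assumes signtool.exe is on PATH and that
# $MsiPath points at the built installer (placeholder, adjust to your output).
$MsiPath = ".\wazuh-agent.msi"
$TsaUrl  = "http://timestamp.digicert.com"   # RFC 3161 timestamp server, as in the issue

# Mirror what /a needs: Code Signing EKU (-CodeSigningCert), a private key,
# and a validity window that covers "now".
$now   = Get-Date
$certs = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }

if (-not $certs) {
    # This is the situation behind "No certificates were found that met all the
    # given criteria": show every certificate in the store with the properties
    # that matter, so the missing piece (EKU, key, expiry) is visible.
    Write-Host "No valid code-signing certificate with a private key in Cert:\CurrentUser\My"
    Get-ChildItem Cert:\CurrentUser\My | Select-Object Subject, NotAfter, HasPrivateKey,
        @{ n = 'EKU'; e = {
            ($_.Extensions |
             Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
             ForEach-Object { $_.EnhancedKeyUsages.FriendlyName }) -join ', ' } } |
        Format-Table -AutoSize
    exit 1
}

# Prefer the certificate that stays valid the longest, then pin it by thumbprint.
$cert = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host "Signing with '$($cert.Subject)' (thumbprint $($cert.Thumbprint))"

# /sha1 selects the certificate explicitly instead of /a; /fd and /td are the file
# and timestamp digest algorithms, /tr the timestamp server, /d the description.
& signtool sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TsaUrl /td SHA256 `
    /d (Split-Path $MsiPath -Leaf) $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check the result against the default Authenticode policy before distributing it.
& signtool verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

The store listing in the failure branch is the quickest way to tell a certificate without the Code Signing EKU (for example an SSL or client-auth certificate) from one imported without its private key; either one is invisible to /a.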

eshortway commented 2 weeks ago

What's the cheapest signing cert provider? We are testing for now and we don't want to spend a big amount on side stuff.

--

On Mon, Oct 21, 2024, at 11:49, Victor M. Fernandez-Castro wrote:

Hi @eshortway,

The error message from SignTool indicates that it cannot find a valid certificate on your system to sign the package. Could you verify that your certificate is properly installed?

To sign an MSI file, you need a code-signing certificate. Here's how you can obtain and install a certificate from DigiCert and ensure that SignTool recognizes it:

  1. Obtaining a Code-Signing Certificate
    • You can purchase a code-signing certificate from DigiCert by visiting their Code Signing Certificates page (https://www.digicert.com/code-signing/).
    • After your purchase, DigiCert will guide you through the process of verifying your identity and issuing the certificate.
  2. Installing the Certificate
    • Once you receive the certificate from DigiCert, you will need to install it on your system.
    • Open the certificate file and follow the installation prompts. You should choose to install it in the "Personal" certificate store, as this is where SignTool will look for certificates.
  3. Ensuring SignTool Can Access the Certificate
    • After installation, you can verify that the certificate is available by using the following command in PowerShell:
      Get-ChildItem Cert:\CurrentUser\My
    • This command will list all certificates in the "Personal" store for the current user. Your code-signing certificate should appear in the list.
  4. Using SignTool
    • Once the certificate is installed, you can run the signtool command as before:
      signtool sign /a /tr http://timestamp.digicert.com /fd SHA256 /d "%MSI_NAME%" /td SHA256 "%MSI_NAME%"
    • The /a flag tells SignTool to automatically select the best certificate, which should now work if the certificate is installed correctly.

If the certificate is installed correctly but you are still facing issues, ensure that:

    • You are running the command with administrative privileges.
    • Your certificate is valid and not expired.
    • Your system time is accurate, as time discrepancies can cause issues with timestamp servers.

Let me know if you need further assistance. Best!


vikman90 commented 7 hours ago

For code-signing certificates, there are several providers that you can consider, depending on your budget. Here are some options:

  1. DigiCert: We use DigiCert for our signing needs. They are known for their reliability and security, but they can be more expensive compared to others.
  2. Sectigo (formerly Comodo): Often more affordable than DigiCert, Sectigo offers code-signing certificates with good support and features.
  3. GoDaddy: GoDaddy offers a cost-effective solution, and their certificates are recognized across all major platforms.
  4. GlobalSign: Another option with a balance between price and reputation, they also provide a variety of code-signing certificates.

If you are just testing and don't want to spend on a certificate for now, you can still build and use an unsigned MSI package by running the build script without signing it:

.\wazuh-installer-build-msi.bat

The MSI will function normally, but you may encounter warnings when trying to install it, as Windows typically warns users about unsigned software. However, for internal testing purposes, this approach will work just fine.

Best regards.