Are there plans to properly implement Authenticode Signing? Right now I cannot do a build of my install from our build machine because it prompts for the password. There is no place within the script I can place a password nor can I pass it in on the command line.
I also thought about dividing the install into 2 parts. The main install as an MSI and the second one as a wrapper to call the first so I can sign them separately but that doesn't seem to work either because InstallAware will automatically wrap it up into an exe.
1. It is not practical for me to babysit our automated build process just to type in a password twice for each build. I have more important things to do.
2. I can't just give out the password to our QA dept because it is *supposed* to be secure. How secure is our private key if a low-level employee that is managing the build has access to the password?
Is there a very good reason for the way this is implemented and can you give me a timeframe when this will be fixed?
So far I am impressed by most of InstallAware but there are times it can be so frustrating because something just doesn't seem well thought out.
Robert Kozak
Authenticode Signing not properly implemented
-
- Posts: 47
- Joined: Thu Mar 15, 2007 6:51 pm
I'm afraid this is a MS issue; we are simply calling the SignCode application as provided by Microsoft and it displays the prompt. There is no provision to provide the password via the command line, however, you can simply not password protect your certificate (however, I acknowledge this is far from a suitable solution!). It seems Microsoft expect the people that are doing the signing to be in a privileged position.
We are currently investigating ways round this, but so far have not been able to turn up anything promising.
Andy Neillans
-
- Posts: 7
- Joined: Sun Mar 11, 2007 4:44 am
- Location: England
Perhaps, allow the user to specify a -cn argument to signcode. That would allow you to use an installed certificate, which doesn't require a password.
All you need to do is add the certificate to your store on the build machine with a friendly name that you use as the -cn argument.
Anthony Wieser
Wieser Software Ltd
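
A sketch of the store-based approach suggested above, calling signcode directly. This is an added example, not part of the original posts and not InstallAware's own code. The paths, the certificate name and the timestamp URL are placeholders, both function names are hypothetical, and it assumes `-cn` is matched against the certificate's subject common name, as signcode's option help describes it.

```powershell
# Added example. All paths, names and the timestamp URL below are placeholders.
$pfxPath      = 'C:\secure\codesign.pfx'
$subjectCN    = 'Example Software Ltd'
$installer    = 'C:\build\output\Setup.exe'
$timestampUrl = 'http://timestamp.example.invalid/'
$codeSignOid  = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

# One-time setup, run interactively while logged on as the build account.
function Install-SigningCert {
    # The PFX password is typed once here and never stored in a build script.
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    # Without -Exportable the private key is imported as non-exportable.
    $cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $pw
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSignOid })) {
        throw 'Certificate is not valid for code signing.'
    }
    $cert.Thumbprint
}

# Unattended build step, run by the same account. No password is involved.
function Invoke-BuildSign {
    # Refuse to sign unless exactly one unexpired certificate with a key matches.
    $candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $_.GetNameInfo('SimpleName', $false) -eq $subjectCN })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one signing certificate, found $($candidates.Count)."
    }
    # -cn picks the certificate by name from the store given with -s.
    & signcode.exe -cn $subjectCN -s my -t $timestampUrl $installer
    if ($LASTEXITCODE -ne 0) { throw "signcode failed with exit code $LASTEXITCODE." }
    # Fail the build if the output does not carry a valid signature.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)." }
}
```

With this setup the key is bound to the build account's store, so anyone who can run code as that account can sign; the PFX file should be removed from the machine after import and logon to the account restricted.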