EV Code Signing certificates
The entire security world is forcing EV, or token-based certificate signing, beginning in November of this year. What is the plan to allow InstallAware to work with this method of authentication? Right now I see no updates, only a topic from 5 years ago saying you had no plans to update for this technology. But now we are being forced to use it, so what is the plan for InstallAware?
Re: EV Code Signing certificates
I suppose you are missing that EV code signing is already supported.
https://www.installaware.com/right-edition.htm (SHA 256 Authenticode Code Signing, EV Certificates)
Francesco Toscano
InstallAware Software
White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE
Re: EV Code Signing certificates
Could you please guide on how to do EV Code Signing with InstallAware X13?
Re: EV Code Signing certificates
Please upgrade to InstallAware X14 (or newer) for built-in extended verification certificate support.
You may also use Build Events as an alternative, if you would not like to upgrade at this time:
www.installaware.com/build-events.htm
John Gaver
InstallAware Skunkworks
InstallAware Multi Platform - Liberating DEB/RPM/PKG/MSI(X) into universal native setups!
Get your free copy today - https://www.installaware.com/installaware-multi-platform.htm
Re: EV Code Signing certificates
JohnGaver wrote:Please upgrade to InstallAware X14 (or newer) for built-in extended verification certificate support.
You may also use Build Events as an alternative, if you would not like to upgrade at this time:
http://www.installaware.com/build-events.htm
John, I'm curious if there is documentation on how we can use InstallAware for Extended Verification? I have an EV cert that is stored in an Azure Key Store currently and the only way I have it working is through the Build Events. However, if I need to build and sign a new application runtime for hosting on the internet, that isn't as easy to do through Build Events (although I haven't tried) as it would be if the hooks are done through the Authenticode Signature.
I see the Key Container Name and CER mentioned but haven't found any documentation on how to hook everything together for talking to something like Azure.
Re: EV Code Signing certificates
Great to hear from you, Bart!
It would be awesome to have your command line(s) shared. It may not be too much more effort than what you've already accomplished for signing the final package binaries.
To clarify, you're not using Azure Code Signing / Trusted Signing Integration, but some kind of other Azure service to store your EV certificate online - or are these one and the same thing?
From what I understand, EV certificates always require some sort of dongle and thus are the public enemy of build automation across devices, as the dongle needs to be plugged in physically to the build device. However Azure Code Signing works around this limitation, while providing a level of trust that even exceeds that obtained via EV certificates.
John Gaver
InstallAware Skunkworks
Re: EV Code Signing certificates
I have InstallAware 16; does the extended verification tab get around the need for a token? We do our install builds in automation and there is no way to apply a USB dongle.
How does Install Aware work with the extended verification requirement?
Do I need to purchase my SSL cert a specific way?
Re: EV Code Signing certificates
axisuser wrote:I have InstallAware 16; does the extended verification tab get around the need for a token? We do our install builds in automation and there is no way to apply a USB dongle.
How does Install Aware work with the extended verification requirement?
Do I need to purchase my SSL cert a specific way?
There's unfortunately nothing we can do to rewrite the physical requirements of the EV technology stack. That'd break the entire EV technology foundation, something it was designed to prevent.
BTW you shouldn't buy an SSL certificate, but an EV code signing certificate - if you want an EV one, that is. You could also get an OV one, of course.
John Gaver
InstallAware Skunkworks
Re: EV Code Signing certificates
JohnGaver wrote:Great to hear from you, Bart!
It would be awesome to have your command line(s) shared. It may not be too much more effort than what you've already accomplished for signing the final package binaries.
To clarify, you're not using Azure Code Signing / Trusted Signing Integration, but some kind of other Azure service to store your EV certificate online - or are these one and the same thing?
From what I understand, EV certificates always require some sort of dongle and thus are the public enemy of build automation across devices, as the dongle needs to be plugged in physically to the build device. However Azure Code Signing works around this limitation, while providing a level of trust that even exceeds that obtained via EV certificates.
We have our EV Certificate in an Azure Key Vault and thus I'm calling the azuresigntool.exe to do signing of certain files outside of the Installers right now as they require an EV certificate. Obviously the command line for the usage of the signtool is very similar to using the signtool that gets installed with InstallAware but requires a bunch of keys that allow connecting to the Azure Key Vault:
azuresigntool.exe sign -kvu <vault> -tr <timestampURL> -td sha256 -fd sha256 -kvi <kvclientid> -kvs <kvclientsecret> -kvc <kvcert> -kvt <kvTenantId> file
I asked my question as it would be great if InstallAware would have the ability to put this type of configuration inside of it to do signing. Otherwise when our current cert that doesn't require the dongle expires, we are going to have to do all build events in the installers to do signing as we have multiple build systems that do InstallAware builds and are in DataCenters which makes using a dongle difficult.
It seems like the Azure Key Vault acts like an HSM.
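A post-build signing step of the kind described in the post above, as an added example that is not part of the original thread or InstallAware's own tooling. It uses only the AzureSignTool flags quoted in the post, reads the Key Vault settings from environment variables (the `SIGN_*` names and the `-Files` parameter are assumptions), and verifies each signature after signing.

```powershell
# Added example: post-build signing with the AzureSignTool flags quoted in the post.
# The SIGN_* environment variable names and the -Files parameter are assumptions.
param(
    [Parameter(Mandatory)][string[]]$Files   # binaries produced by the build
)
$ErrorActionPreference = 'Stop'

# Read the Key Vault settings from the build agent's environment so that no
# secret is stored in the project file or in the build event text.
$required = 'SIGN_KV_URL', 'SIGN_KV_CLIENT_ID', 'SIGN_KV_CLIENT_SECRET',
            'SIGN_KV_TENANT_ID', 'SIGN_KV_CERT', 'SIGN_TIMESTAMP_URL'
$cfg = @{}
foreach ($name in $required) {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ([string]::IsNullOrWhiteSpace($value)) { throw "Missing environment variable $name" }
    $cfg[$name] = $value
}

foreach ($file in $Files) {
    $path = (Resolve-Path -LiteralPath $file).Path

    & azuresigntool.exe sign `
        -kvu $cfg.SIGN_KV_URL -kvi $cfg.SIGN_KV_CLIENT_ID -kvs $cfg.SIGN_KV_CLIENT_SECRET `
        -kvt $cfg.SIGN_KV_TENANT_ID -kvc $cfg.SIGN_KV_CERT `
        -tr $cfg.SIGN_TIMESTAMP_URL -td sha256 -fd sha256 $path
    if ($LASTEXITCODE -ne 0) { throw "azuresigntool failed for $path (exit $LASTEXITCODE)" }

    # Verify independently of the signer: the signature must validate against
    # the machine's trust store and carry a timestamp, otherwise it stops
    # validating once the signing certificate expires.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $path is $($sig.Status): $($sig.StatusMessage)"
    }
    if (-not $sig.TimeStamperCertificate) { throw "No timestamp on $path" }
    Write-Host "Signed $path as $($sig.SignerCertificate.Subject)"
}
```

The client secret is still passed to the signing tool as a process argument, as in the original command, so access to process listings and build logs on the agent should be restricted accordingly.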
Re: EV Code Signing certificates
Thanks for the details!
How many data centers are you supporting right now?
This helps us internally justify and escalate your Azure Key Vault request, among other things.
John Gaver
InstallAware Skunkworks
Re: EV Code Signing certificates
What code sign certificate vendor did you go with? I've looked at SSL.com (hidden fees), DigiCert, and GlobalSign.
What is Azure's HSM cost structure?