Re[2]: Re[2]: Re[2]: Automating EV Signing (Windows Attestation)

Mark,

With the DigiCert dongle, there is a checkbox down in the settings page
of the utility to indicate to only request the password once after a
user logs into the system. After that you are good to go, no more
requesting it.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: “Mark Roddy”
To: “Windows System Software Devs Interest List”
Sent: 4/24/2017 1:31:21 PM
Subject: Re: [ntdev] Re[2]: Re[2]: Automating EV Signing (Windows
Attestation)

>No, what has me confused is
>
>1. that anyone thinks the dongle-thing doesn’t require manual
>intervention every time you try to sign something; and that
>2. somehow a non-ev cert magically appears from an ev cert and that
>this non-ev cert can be used as in the past by installing it on a secure
>build system and having the secure build system automatically release sign
>things without humans having to type shit in.
>
>I think I have to go buy a second non-ev sha2 cert for (2) but would
>love to have it 'splained otherwise, and at least with the Symantec
>dongle there doesn’t appear to be any way to avoid humans with fingers,
>but I would also like to know that some humanoid has managed to
>convince the Symantec dongle to be amenable to automation.
>
>Mark Roddy
>
>On Mon, Apr 24, 2017 at 9:20 AM, wrote:
>>Mark,
>>
>>If it’s the multiple dongle thing that has you confused: our EV cert
>>(it might be different for others, but I understand that this is the
>>EV standard) has the private key on the smart card (dongle). This
>>dongle is linked to a specific machine. Moving it around from machine
>>to machine is a hassle. Moving it to another machine deactivates the
>>first machine and you have to go through a process to get it registered
>>with that other machine. Rather than do that, I’m told (from DigiCert)
>>that you can obtain multiple dongles for the same cert. This allows
>>you to register them with multiple machines, ultimately so you can
>>sign with the EV cert on more than one machine.
>>
>>On the Developer Portal Attestation Signing: it’s my experience that
>>Microsoft only allows you to store one EV cert on their portal for
>>them to acknowledge submissions by. According to Peter he was able to
>>convince Microsoft to register a non-EV cert (correct me if I’m wrong
>>here Peter) in order to get around the extra security of signing a
>>file with an EV cert.
>>
>>—
>>NTDEV is sponsored by OSR
>>
>>Visit the list online at:
>>http://www.osronline.com/showlists.cfm?list=ntdev
>>
>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>software drivers!
>>Details at http:
>>
>>To unsubscribe, visit the List Server section of OSR Online at
>>http://www.osronline.com/page.cfm?name=ListServer
>
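As an added example (not code from either poster), here is a PowerShell build step that exercises the setup Pete describes: the EV certificate sits in the current user's certificate store with its private key on the token, the token client has already taken the token password once in this logon session, and signtool.exe is then invoked non-interactively by certificate thumbprint. The thumbprint, file list, signtool location and timestamp URL are placeholders, not values from the thread. If the token client still raises a password prompt, the timeout turns that into a failed build step instead of a build that hangs waiting for a human with fingers.

```powershell
# Added example: non-interactive EV signing step for a build agent.
# Assumptions (not from the original post): the EV cert is in Cert:\CurrentUser\My
# with its key on the token, the token client has cached the token password for
# this logon session as described in the thread, and signtool.exe is on PATH.
# All parameter defaults are placeholders.
param(
    [string]$Thumbprint   = '0000000000000000000000000000000000000000',  # placeholder SHA-1 thumbprint
    [string]$SignTool     = 'signtool.exe',
    [string]$TimestampUrl = 'http://timestamp.digicert.com',           # assumed RFC 3161 timestamp server
    [string[]]$Files      = @('.\build\mydriver.sys'),                   # placeholder file list
    [int]$TimeoutSeconds  = 60
)

function Get-SigningCert {
    param([string]$Thumbprint)
    # The cert must be visible in the user store and report a usable private key.
    # For a token-backed cert HasPrivateKey is true even though the key never leaves the device.
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "Certificate $Thumbprint not found in CurrentUser\My (token not registered on this machine?)"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no accessible private key"
    }
    return $cert
}

function Invoke-SignTool {
    param([string]$Path, [string]$Thumbprint, [string]$TimestampUrl, [string]$SignTool, [int]$TimeoutSeconds)
    # /sha1 selects the cert by thumbprint; /fd and /td select SHA-256 for the file digest and timestamp.
    $stArgs = @('sign', '/v', '/sha1', $Thumbprint, '/fd', 'SHA256', '/tr', $TimestampUrl, '/td', 'SHA256', $Path)
    $proc = Start-Process -FilePath $SignTool -ArgumentList $stArgs -NoNewWindow -PassThru
    # A token password dialog would otherwise block the build indefinitely; fail loudly instead.
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        $proc.Kill()
        throw "signtool did not finish within $TimeoutSeconds s on $Path; a token password prompt is probably waiting for a human"
    }
    if ($proc.ExitCode -ne 0) {
        throw "signtool failed with exit code $($proc.ExitCode) on $Path"
    }
}

function Test-Signature {
    param([string]$Path, [string]$Thumbprint)
    # Confirm the file now carries a valid Authenticode signature made by the expected cert.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "$Path signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "$Path was signed by $($sig.SignerCertificate.Thumbprint), expected $Thumbprint"
    }
    return $sig
}

$cert = Get-SigningCert -Thumbprint $Thumbprint
Write-Host "Signing with: $($cert.Subject) (expires $($cert.NotAfter))"
foreach ($f in $Files) {
    Invoke-SignTool -Path $f -Thumbprint $Thumbprint -TimestampUrl $TimestampUrl -SignTool $SignTool -TimeoutSeconds $TimeoutSeconds
    $sig = Test-Signature -Path $f -Thumbprint $Thumbprint
    Write-Host "OK: $f signed by $($sig.SignerCertificate.Subject)"
}
```

The script has to run in the same interactive logon session in which the token password was entered; a build agent running as a service in a non-interactive session has no cached password to reuse and no desktop on which the token client can prompt, which is exactly the case where the timeout above fires.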

Pete,

We use DigiCert. Are you talking about the SafeNet application? I’m not seeing the setting you’re referring to. Could you point me to where it is?

With the Symantec dongle, there is a checkbox down in the settings page of
the utility to indicate to only request the password once after a user logs
into the system. After that you continue to be asked for the password,
defeating automation. If I had a day or two I would enter the hell that is
Symantec customer support and learn why I am doing it all wrong and need to
do some other thing first that they didn’t document. As my actual signing
needs are rare, I’ve just put up with ev signing being manual. As ev signing
is also really not needed except in some cases, I’d really like my ev cert
to cough up its non-ev cousin so I could release sign everything like I
used to.

Mark Roddy

On Tue, Apr 25, 2017 at 9:20 AM, PScott wrote:

>
> Mark,
>
> With the DigiCert dongle, there is a checkbox down in the settings page of
> the utility to indicate to only request the password once after a user logs
> into the system. After that you are good to go, no more requesting it.
>
> Pete
>
> –
> Kernel Drivers
> Windows File System and Device Driver Consulting
> www.KernelDrivers.com
> 866.263.9295