Automating signing

I want to improve our automated build to sign the driver semi-automatically (only prompting for the password). The signing is done on a different machine than the building and we will use ssh.

The problem I have is supplying the password. The command line I use is the usual, something like:

signtool sign /ac c:\SigningCertificates\MSCV-VSClass3.cer /s my /n "We Inc." /t http://timestamp.verisign.com/scripts/timstamp.dll /q 13janv2009-14h\W2K\x86\driver.cat

But this pops up a window for the password. Is there any way to supply the password on the command line?

I’ve searched the web and list for an answer but didn’t find anything conclusive.

Perhaps I'm lost, but how do you manage to get signtool to ask for a password? My command is very similar to yours except that I don't have the /q. I don't think it's a real difference.

What password is it asking for? Which ddk are you using?


Calvin Guan
Broadcom Corp.
Connecting Everything(r)

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

If you want to supply the password on the command-line, what’s the point in
having a password in the first place?


Guan Calvin: I don't know how I manage to have signtool ask me for a password. I've inherited this project temporarily so I'm not aware of all the details. This is the signing used before running the WHQL tests so that the driver will install silently, eventually.

Soren Dreijer: the password is actually prompted for on the automated build machine, which then uses ssh to connect to the signing machine. The password will be given on the command line by the automation tool but is not kept anywhere.

The goal is to save us a step in the build process where we must switch remote desktop. It’s also because we must sign multiple versions of the driver and signtool asks for the password (which is quite lengthy and thus easy to get wrong) for each one.

Is it possible that this is the password to establish the SSH session? Do
you know what tool you are using to make that connection and does that tool
allow passing the password as a parameter? (For instance, I think putty
does allow such an option but others might or might not).

-dave


If it’s the PW for an ssh session, just use an RSA keypair and you don’t
need a PW anymore.

Phil

Philip D. Barila
Seagate Technology LLC
(720) 684-1842



xxxxx@seagate.com wrote:

If it’s the PW for an ssh session, just use an RSA keypair and you don’t
need a PW anymore.

Putty also has the “pageant” app, which allows you to enter the password
once, and then caches it for future putty sessions.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Additional info: from my web digging, it seems that the password is related to the CryptoAPI and the way the certificate was added to the store with the strong private key protection option.

If only I could convince the CryptoAPI to prompt on the command-line instead of a window, that would fix my problem (I didn’t try through ssh yet. Maybe when working without a desktop the cryptoAPI uses a cmd-line prompt? Seems worth a try.)


It’s been a couple years since I dealt with app signing, but as I recall,
you can use CAPICOM (a COM wrapper around CryptoAPI) to sign apps without
user interaction – you supply the private key password to the API & it does
the signing. I wrote some code at the time to do just that; IIRC I posted
it to one of the comp.os.windows.programmer.* or microsoft.public.* groups
within the last year; a Google search for my name in those hierarchies
should turn it up.

Whether or not this approach will work for driver signing, I have no idea –
I’ve never tried to sign a driver, but I have used it to sign EXE/DLL/MSI
files.

The short answer is…

You're getting a password prompt because when YOUR code signing
certificate+private key was installed in the certificate store the option to
prompt for a password was probably set. This prevents programs from just
signing things without explicit user action (a good thing for security).

What you should do is one of (if you’re a larger company after discussing
your security needs with a security administrator):

  1. specify the public+private key files and password on the command line,
    not from the certificate store
  2. delete and reinstall the public+private keys in the certificate store and
    specify not exportable and no password needed

If the code signing key was originally generated on the machine doing the
signing, and options were set to require a password and not allow exporting
the private key, you might be stuck.

The long answer is…

What I would probably do for code signing keys:

  1. generate the key signing request using a software crypto provider and
    specify an exportable private key
  2. after installing the signed certificate, export the private key and
    certificate to a file that requires a password
  3. remove the private key+certificate from the original certificate store
  4. burn the private key+certificate file to a cd or dedicated usb flash
  5. store a written copy of the private key password and private
    key+certificate someplace physically secure and with restricted company
    access
  6. on a machine you want to do signing on, install a hardware crypto device
    (about $50 USB gadget) and load a copy of your private key+certificate into
    this hardware and specify no password required (some hardware may require a
    password) and no private key export, this will prevent a security breach of
    that machine from copying the private key although will not prevent the
    breached machine from being used by the bad guys to sign code

You might want to get TWO signing keys. One you use for development, and has
some VERY obvious name that it should never show up in the real world. And
the other you ONLY use for final product signing. If the first one is
stolen, you can get it invalidated. If you invalidate your ONLY key, copies
of your product in the field may stop working. Ideally, the shipping key is
generated on a hardware crypto device without exportable private keys, so
you can ONLY sign code with the crypto device physically present and a user
physically there to enter the password. Good crypto hardware has the
password entry local to the crypto hardware, so there is no possibility for
breached software to record and then playback the crypto hardware password
needed for signing. TPM modules are an ok place to store a key, except to
unlock the TPM you will almost certainly give your password to the OS, which
passes it to the TPM, and thus your key could be breached and the TPM key
used without your consent.

Based on real world needs of developer build workflow, it seems like there
might be some refinements to code signing. For development/testing you
certainly do need automated easy signing, but then you don’t want those
signatures/keys to risk security breaches. Or maybe this can already be
handled, and I need to reread the code signing docs a half dozen more times
to understand how to achieve this. I know where I’m at, our build server
automatically puts real VeriSign signatures on every build, although the
build server is deeply protected inside a corporate network, there is
nothing to prevent social engineering key breaches (pssssss, hey buddy, wanna
sell your company VeriSign key for $200).

I think an EXACT step by step procedure (and exact product sources) that
maximized security and minimized build hassle for developer’s companies to
follow might help.

Jan
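One way to script Jan's option 1 (sign from a key file instead of the certificate store) so the lengthy password is typed only once for a whole batch of .cat files; this is an added example, not code from the thread. It assumes signtool.exe from the WDK is on PATH; the PFX path is a placeholder, while the cross-certificate, timestamp URL and .cat path are the ones from the original post.

```powershell
# Added example (not from the thread): sign several driver .cat files from a
# PFX file with one password prompt, then verify each signature.
param(
    [string]$PfxPath    = 'C:\SigningCertificates\codesign.pfx',   # placeholder path
    [string]$CrossCert  = 'C:\SigningCertificates\MSCV-VSClass3.cer',
    [string]$Timestamp  = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string[]]$CatFiles = @('13janv2009-14h\W2K\x86\driver.cat')
)

# Prompt once; the secret never lands in the script, the build log or shell history.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Caveat: /p still places the password on signtool's command line, so it is
# visible to anyone who can list processes on the signing machine while it runs.
$failed = @()
foreach ($cat in $CatFiles) {
    & signtool sign /f $PfxPath /p $plain /ac $CrossCert /t $Timestamp /v $cat
    if ($LASTEXITCODE -ne 0) { $failed += $cat; continue }

    # /kp verifies against the kernel-mode code signing policy (cross-cert chain),
    # which is what the driver loader will actually require.
    & signtool verify /kp /v $cat
    if ($LASTEXITCODE -ne 0) { $failed += $cat }
}

$plain = $null   # drop our reference; .NET strings themselves are immutable
if ($failed) {
    Write-Error ("Signing or verification failed for: " + ($failed -join ', '))
    exit 1
}
```

Because the PFX password is only needed at the prompt, the build automation still never stores it, which matches what the original poster wanted.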

My guess is that the OP enabled strong private key protection on their .pfx and it’s cryptoapi that is doing the UI.

? S


Export the key and re-import it without strong private key protection perhaps

? S
