Skip to content

This repo aiming to help that quite complicated digital code signing process.

Notifications You must be signed in to change notification settings

egemengulpinar/yubikey-code-signing

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Repository files navigation

yubikey-code-signing

This repo aiming to help that quite complicated digital code signing process.

Requirements

This repo used Yubikey 5C FIPS device, please be sure that your own device support features below.

Windows SDK - signtool.exe

To get that tool, please refer to Windows SDK site, install relevant windows SDK version Then you can find your signtool like below C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64 For configuring your signtool.exe, please open

  • ⊞ Win + R
  • enter sysdm.cpl
  • Click advanced tab and environment variables
  • Under system variables open Path then paste your signtool folder
  • then finish and close all tabs open a new editor as administrator

You must be sure, you need to generate .csr files before and send it to them to code signing provider. They will generate .crt files, download them and follow these lines below. If you don't know how to generate .csr files , follow providers documentation..

Installation

Root Certificate : my own certificate started like 1705XXXXXX.crt(includes your company information and timestamp )

Intermediate Certificate : my own certificate started like CodeSigning_CABundle.crt(includes code signing provider information)

After install all required programs, please follow the lines below.

  1. Open Yubikey Manager and select tab(Authentication or Digital Signature that tab used for generate .csr files before) Enter Import button and select your Root certificate. If you not created Management Key select use default checkbox, or enter your own Management Key. yubikey

  2. Be sure that you get your certificates(.crt) from your digital code sign provider (ex: signmycode) You must get 3 more certificates for importing to Yubikey. These called(maybe different for you)

  • AAACertificateServices.crt (ROOT)
  • SectigoPublicCodeSigningCAEVE36.crt (INTERMEDIATE 1)
  • SectigoPublicCodeSigningRootE46_AAA.crt (INTERMEDIATE 2)

Open powershell as administrator, then

cd "C:\Program Files\Yubico\YubiKey Manager"

Enter the lines below (give your own .crt paths)

.\ykman.exe piv certificates import 82 "C:\Users\ege\AAACertificateServices.crt"  
.\ykman.exe piv certificates import 83 "C:\Users\ege\SectigoPublicCodeSigningCAEVE36.crt"
.\ykman.exe piv certificates import 84 "C:\Users\ege\SectigoPublicCodeSigningRootE46_AAA.crt"     
  1. Get your ROOT_THUMBPRINT, double click your Root Certificate then click details tab, you can see below as Thumbprint Copy the Thumbprint value now that is your ROOT_THUMBPRINT. Now, follow the last step.

thumbprint

  1. For sign your .exe applications, follow the lines
signtool sign /sha1 ROOT_THUMBPRINT /fd SHA256 /t PROVIDER_TIMESTAMP "YOUR .EXE FILE"

That's look like below:


signtool sign /sha1 XXXXXXXXXXXXXXXXXXXXXXX /fd SHA256 /t http://timestamp.sectigo.com "C:\Users\ege\MyTestApp.exe"

code_signing

About

This repo aiming to help that quite complicated digital code signing process.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published