Support modern signing algorithms like sha256ECDSA #150

Open
denisbrodbeck opened this issue Apr 26, 2024 · 0 comments
@denisbrodbeck

Hi,

thank you for this really interesting project. Just stumbled upon it and liking it very much.

I'm trying to build and sign some custom apps using a self-generated code signing certificate, which uses sha256ECDSA instead of rsa.

This certificate is signed by our internal intermediate certificate authority and trusted by all active-directory or Azure AD joined devices.
We use this certificate to sign all of our internal company apps (mostly C#-Apps) and IT-related PowerShell-Scripts. This works flawlessly on our Win10 and Win11 clients.

Here's how we sign our regular files:

$cert=Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
$TimeStampingAuthority = 'http://timestamp.digicert.com'

Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.dll
Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.exe
Set-AuthenticodeSignature -Certificate $cert -TimestampServer $TimeStampingAuthority -FilePath .\*.ps1

Set-AuthenticodeSignature doesn't work on .msix files, so I used signtool.exe, which works fine so far, but I couldn't get it to work with my code signing cert stored in personal policy store. The only way I could sign is by using a .pfx and passing the password via command line (which might get exposed via shell history):

MakeAppx pack /v /h SHA256 /d "..\app1\" /p app1.msix
SignTool sign /debug /fd sha256 /a /f code_signing.p12 /p "<loooongpassword>" app1.msix

Using these commands gets me a fully signed msix, which can be installed on our clients without issues -- all cert validation by windows is okay (because IT deployed the correct root and intermediate certs on the clients).

Is there a specific reason why ecdsa-based certificates are generally not supported by MSIX-Hero? Even when the current signtool has no issues with such certs?

I'm a long time C#-Dev myself and am willing to contribute a PR+tests.

Thank you for this project, again. The app looks very polished and the code looks the same 🙃

Greetings
Denis from Stuttgart
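One way to script the flow described in the post above, as an added example that is not from the issue author or the MSIX Hero project: pick an ECDSA code-signing certificate from the personal store, sign with SHA-256 and a timestamp, then verify each signed file and confirm that the signer is the expected certificate. It assumes such a certificate with a private key exists in Cert:\CurrentUser\My and that the timestamp URL from the post is reachable; the function names are mine.

```powershell
# Added example (not the issue author's or MSIX Hero's own code).
# Assumptions: an EC-keyed code-signing cert with a private key is in
# Cert:\CurrentUser\My, and the timestamp server from the issue is reachable.

$ecPublicKeyOid = '1.2.840.10045.2.1'   # id-ecPublicKey: EC key rather than RSA
$TimeStampingAuthority = 'http://timestamp.digicert.com'

function Get-EcdsaCodeSigningCert {
    # Code-signing certs in the personal store whose key algorithm is EC.
    # Prefer the one expiring last; fail loudly if there is none.
    $candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.PublicKey.Oid.Value -eq $ecPublicKeyOid } |
        Sort-Object NotAfter -Descending)
    if ($candidates.Count -eq 0) { throw 'No ECDSA code-signing certificate with a private key found.' }
    return $candidates[0]
}

function Invoke-EcdsaSign {
    param([Parameter(Mandatory)][string[]]$Path, [Parameter(Mandatory)]$Certificate)
    foreach ($file in Get-ChildItem -Path $Path -File) {
        # SHA-256 file digest, RFC 3161 timestamp, and the intermediate CA embedded in the signature
        $sig = Set-AuthenticodeSignature -FilePath $file.FullName -Certificate $Certificate `
            -HashAlgorithm SHA256 -TimestampServer $TimeStampingAuthority -IncludeChain NotRoot
        if ($sig.Status -ne 'Valid') { throw "Signing failed for $($file.Name): $($sig.StatusMessage)" }
    }
}

function Test-EcdsaSignature {
    # Re-read the signature, check chain validity, that the signer thumbprint is the
    # one we signed with, and that a timestamp countersignature is present.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status
        SignerMatch = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
        CertSigAlg  = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName   # e.g. sha256ECDSA
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

$cert = Get-EcdsaCodeSigningCert
"Using $($cert.Subject) ($($cert.SignatureAlgorithm.FriendlyName)), thumbprint $($cert.Thumbprint)"
$targets = '.\*.dll', '.\*.exe', '.\*.ps1'
Invoke-EcdsaSign -Path $targets -Certificate $cert
Get-ChildItem -Path $targets -File |
    ForEach-Object { Test-EcdsaSignature -Path $_.FullName -ExpectedThumbprint $cert.Thumbprint } |
    Format-Table -AutoSize
```

A row whose Status is not Valid or whose SignerMatch is False means the file was not signed by the chosen ECDSA certificate, so the verification step catches a stale or wrong-cert signature before the files are deployed.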

@marcinotorowski marcinotorowski added this to the 3.2 milestone Dec 1, 2024
@marcinotorowski marcinotorowski self-assigned this Dec 1, 2024