-
-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to sign with additional certificates #119
Comments
Did you try the |
One issue (or difference) I noticed with some tools like jarsigner (used for signing Java archives, and which has a I'm happy to propose a patch to at least add an option to skip the check |
@laurentgo thank you for the PRs, I'll give them a look. Could you elaborate on the credentials issue with Google KMS? |
@laurentgo I've checked the documentation about application default credentials, have you tried getting an access token with https://cloud.google.com/sdk/gcloud/reference/auth/application-default/print-access-token |
I guess there's nothing wrong with One nice thing I discovered is that Google has extensive documentation regarding how ADC is supposed to work from an implementation point of view: https://google.aip.dev/auth/4110 |
Technically the access token is not a password, but if your security policies prohibit using it as a command line argument it's possible to read the token from an environment variable, and the actual value never appears as an argument:
Would that work for you? |
Possibly (would have to check with our team)? But we would definitively favor a solution relying on ADC mechanism for sure. That said, I don't want to distract from the original ask which is the ability to add additional certificates and/or use a different certificate chain. If you could have a look at my proposal, it would be much appreciated. And I'd gladly open a separate issue regarding Google authentication. |
If I understand well, adding extra certificates is useful in a cross signing scenario, when the same key is used by several certificates with different trust paths, right? |
correct |
Sorry I haven't managed to test this yet! I'll be back working on the part of our CI that uses jsign in a week or two and will test then :-) |
@ebourg - an update on using Currently we are pulling in an EV cert from Azure and using
It is expected that the additional cert is not related at all. |
@MrAlex94 Does that mean that when you renew your certificate, you reuse the same private key and update the certificate chain used by the build script, but you do not update the certificate stored in Azure Key Vault? |
@ebourg, no, everything gets updated and changed. The additional certificate (such as when using |
@mralex so you basically have two certificate chains, one EV, and the other non-EV, both sharing the same private key hosted by Azure Key Vault? I'd be curious to know the use case behind this. |
Apologies, my explanation was a bit poor. Essentially, the other certificate is a dummy certificate (unrelated and not hosted at all on Azure), used for partner builds of a program we have. You can see rationale/usage here:
Basically when a user comes from a marketing campaign, we inject the campaign data into the "empty" cert space so we can attribute it nicely. |
@MrAlex94 Thank you for the clarification. osslsigncode supports the |
Oh, didn’t know that was an option in I’ll give it a test and let you know. Currently I just sign the exe twice, once with the valid cert and once with the dummy. The only difference when using the Either way, appreciate your vigilance responding to this issue! Should this be closed, or changed to be the issue for adding the functionality of |
Because the dummy certificate isn't used for signing, it's simply appended to the certificate store embedded within the signature. This store is used by Windows to link the signing certificate with the CA certificate (this is necessary if some of the intermediate certificates are unknown to Windows). The dummy certificate doesn't participate in the certificate chain and is invisible in the file properties. The signature is simply larger. The addUnauthenticatedBlob feature is slightly different, it adds an entry into the unauthenticated attributes table of the signature. That's more compact that injecting a whole certificate, but it's visible in the file properties
No I'm still pondering if /ac is worth implementing, I'm just looking for a good use case. I'm tempted to extend the semantic of the |
/ac is useful for situations like this one: DigiCert's TSA seems like the fastest and most reliable by far but they did some sort of screwup and the way to fix it is by adding extra certificates so a path through their temp fix-it cert can be found. I'm not sure why they haven't fixed this situation yet but it seems to still be operative. |
@mikehearn Thank you for the example! |
@MrAlex94 FYI Jsign now has a tagging feature equivalent to osslsigncode's addUnauthenticatedBlob: https://ebourg.github.io/jsign/#tagging
|
Various other signing tools offer the ability to sign with additional certificates:
SignTool:
AzureSignTool:
It would be great if
jsign
also had this ability.The text was updated successfully, but these errors were encountered: