This repository has been archived by the owner on Mar 16, 2020. It is now read-only.

Signing using standard Signtool is also possible #8

Closed
tomasszabo opened this issue Aug 8, 2019 · 4 comments

Comments

@tomasszabo

tomasszabo commented Aug 8, 2019

I was struggling with this problem for the past few days. Unfortunately, the tool in this repository was not working in my case due to:

Validating certificate thumbprint
Converting thumbprint to bytes
Acquiring cryptographic context
Setting PIN
Opening system-level cryptographic store 65536/MY
Retrieving certificate from the store
Beginning the signing process
Loading MSSign32.dll from specific path: C:\Windows\System32\mssign32.dll
Getting SignerSignEx2 pointer
Marshalling SignerSignEx2 pointer to a delegate
Invoking SignerSignEx2
Signing operation failed. Error details:
An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B)

However, I've found another solution which is working for me:

https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing/54439759#54439759

and according to the mentioned Stack Overflow post, I was able to sign an appxbundle using the standard Signtool:

signtool sign /fd sha256 /f mycert.cer /csp "eToken Base Cryptographic Provider" /kc "[{{TokenPasswordHere}}]=KeyContainerNameHere" mybundle.appxbundle

For troubleshooting Signtool (because it is also not working out-of-the-box), read Microsoft's documentation:

https://docs.microsoft.com/en-us/windows/msix/package/sign-app-package-using-signtool

I'm not sure if this should be a bug report, but at least I wanted to inform you that there is also a "standard" way and custom tools are not necessary. Also, if someone else is searching for a solution, this could help them.

@mareklinka
Owner

Hi @tomasszabo. The error given out by the signing process looks like a bitness problem happening inside the SignerSignEx2 call. Could you provide more information about the configuration of the system you were running on and the app bundle? What Windows version and bitness is it? What is the bitness of the app bundle?

I also noticed you are using an explicitly specified MSSign32.dll path, was the tool not able to pick up the library automatically?

Regarding the usage of signtool, that is actually pretty cool, I'll need to take a look at that. As said in the SO post, this capability is not advertised (or didn't use to be). Thanks for letting me know!

@tomasszabo
Author

Windows:

  • version 1803
  • 64-bit on 64-bit processor

The tool was able to find MSSign32.dll, but for testing I've explicitly set it to a specific version. The result of a signing attempt with what the tool found automatically was also An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B).

I've tried all combinations:

  • SafeNetTokenSigner 32-bit, MSSign32.dll 32-bit (from C:\Windows\System32\mssign32.dll) - program is not running (requiring 64-bit build, as expected)
  • SafeNetTokenSigner 32-bit, MSSign32.dll 64-bit (from C:\Windows\SysWOW64\mssign32.dll) - program is not running (requiring 64-bit build, as expected)
  • SafeNetTokenSigner 64-bit, MSSign32.dll 32-bit (from C:\Windows\System32\mssign32.dll) - unable to sign due to An attempt was made to load a program with an incorrect format. (Exception from HRESULT: 0x8007000B)
  • SafeNetTokenSigner 64-bit, MSSign32.dll 64-bit (from C:\Windows\SysWOW64\mssign32.dll) - unable to sign due to is not a valid Win32 application. (Exception from HRESULT: 0x800700C1)

I'm not sure what C:\Windows\SysWOW64\mssign32.dll is, but these are all the MSSign32.dll's I've found on disk. Maybe I'm missing some SDK installation? As Signtool is working, I've not investigated it further.

@winthrop-polk

winthrop-polk commented Oct 10, 2019

Absolutely beautiful! Thank you.

No idea what some of these parameters are (mainly container and provider), but once I found similarly named properties in Safenet I was able to get this to work... I failed to get it to work by reading the original referenced stackoverflow thread.

I do have worries that this will not gain the full benefits of the EV license, but I really suspect that's because I lack some knowledge on these issues and I'm just being paranoid.

Here is my version, only real change is adding the timestamp server:

signtool sign /tr http://timestamp.digicert.com /fd sha256 /f EV-CERT.cer /csp "eToken Base Cryptographic Provider" /kc "[{{MY_PASSWORD}}]=CONTAINER_NAME" "FILE_TO_SIGN"

Question: Since the cert is exported and I can send it a password with the above command to sign certs, is it also true that now I can use and/or install this cert on multiple computers for signing? I could theoretically throw out the physical token at this point? Heck, I could even put the cert and signtool.exe directly in our installer builder code on GitHub and it could theoretically work independently from anywhere without setup! Correct me if I'm wrong... that's what we were doing before we had to switch to EV and it was ideal. Man, I bet I don't even need that stupid SafeNet software anymore.

Looks like safenet and the dongle are still required =(... still one problem solved, thanks!
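The signtool invocation from the two commands above, wrapped as an added PowerShell example (not code from this repository or from either commenter): it reads the token PIN from an environment variable instead of a literal typed into a build script, adds RFC 3161 timestamping, and verifies the signature afterwards. The function name, the SIGNTOOL_TOKEN_PIN variable and the sample paths are assumptions; the CSP name and the `[{{PIN}}]=Container` /kc syntax are the ones from the thread.

```powershell
# Added example, not part of the original issue. Signs a file with the
# SafeNet eToken CSP via signtool, then verifies the result.
function Invoke-TokenSign {
    param(
        [Parameter(Mandatory)] [string] $FilePath,      # e.g. .\mybundle.appxbundle (assumed)
        [Parameter(Mandatory)] [string] $CertFile,      # exported public cert, e.g. .\EV-CERT.cer
        [Parameter(Mandatory)] [string] $KeyContainer,  # container name shown in SafeNet Authentication Client
        [string] $Csp          = 'eToken Base Cryptographic Provider',
        [string] $TimestampUrl = 'http://timestamp.digicert.com',
        [string] $SignTool     = 'signtool.exe'         # assumes signtool is on PATH
    )

    # The PIN comes from the environment (set by the CI secret store or an
    # interactive prompt), never from a literal in the script. Note that the
    # /kc syntax still places it on signtool's command line, so keep the
    # signing job isolated from other processes on the build host.
    $pin = $env:SIGNTOOL_TOKEN_PIN
    if ([string]::IsNullOrEmpty($pin)) {
        throw 'SIGNTOOL_TOKEN_PIN is not set'
    }

    # SafeNet CSP convention: "[{{PIN}}]=ContainerName" selects the key and
    # supplies the PIN so the token does not pop up a dialog.
    $kc = "[{{$pin}}]=$KeyContainer"

    # /fd and /td sha256: file and timestamp digest; /tr: RFC 3161 server.
    & $SignTool sign /fd sha256 /tr $TimestampUrl /td sha256 `
        /f $CertFile /csp $Csp /kc $kc $FilePath
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }

    # /pa: default Authenticode policy, which is the check app packages need.
    # This catches a chain that does not build on this machine or a missing timestamp.
    & $SignTool verify /pa /v $FilePath
    if ($LASTEXITCODE -ne 0) {
        throw "signtool verify failed with exit code $LASTEXITCODE"
    }
}

# Example call (paths and container name are placeholders):
# $env:SIGNTOOL_TOKEN_PIN = Read-Host 'Token PIN'
# Invoke-TokenSign -FilePath .\mybundle.appxbundle -CertFile .\EV-CERT.cer -KeyContainer 'CONTAINER_NAME'
```

The verify step runs against the local certificate chain, so a failure there on a clean build agent usually means the intermediate CA is missing rather than a bad signature.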

@mareklinka
Owner

I finally got around to testing the signtool approach and it works as advertised. Thanks for pointing me in this direction. Since the situation that originally prompted me to write this piece of code is now resolved in a semi-official and better way, I'm archiving this repo.

Thanks for playing 👍
