Tags: installation, executable, signing, chocolatey, applocker

How to authenticode sign binaries in packages?


What is the recommended approach to sign the executable in a Chocolatey package?

My organization has implemented AppLocker in their new Windows 10 regime. Though I understand why the regime is in place, I'm not sure how to implement it in custom Chocolatey packages we put into our package feed. Nor am I sure if I need to sign both the installation file as well as the executable file. If any non-signed executable tries to run, AppLocker stops the execution.

Chocolatey mentions a bit about signing in their security section:

https://github.com/chocolatey/choco/wiki/Security

Roadmap: https://chocolatey.org/docs/roadmap

The guide "Code signing a windows application" (https://mkaz.blog/code/code-signing-a-windows-application/)

However, I don't know where to start.


Solution

  • Background

    There are a couple of binaries in Chocolatey provided packages (packagebuilder.exe, packageuploader.exe) that are not currently authenticode signed.

    It is something we've identified recently and have on the list to get taken care of.

    In the meantime, let's get your question answered properly.

    How To Authenticode Sign

    To be honest, the blog post you linked is very straightforward. However, I will validate a couple of WTFs you might have had.

    Requirements for Windows

    How to Sign

    Basically you are going to make a call similar to:

    "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /t "http://timestamp.digicert.com" /fd [SHA1|SHA256|SHA512] /f C:\path\to\authenticode.certificate.pfx /p [YOURPASSWORD] /a "C:\path\to\the\file.exe"

    The path to signtool might be slightly different based on what SDK you have installed. Also, as the article mentioned, you might want to stick with SHA1 for most compatibility, but you can go higher if you would like to.

    The above was adapted out of the Chocolatey (choco) codebase, and you can inspect that at https://github.com/chocolatey/choco/blob/54ddf11fa025e97e071ae884c738ef8456b60b76/.build.custom/codeSign.step#L42-L48.

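The signtool call from the answer, wrapped in a PowerShell script that signs every binary under a package's tools\ folder and then refuses to run choco pack while anything is still unsigned, which is the gate that matters for an AppLocker-enforced feed. This is an added example, not code from the answer or from the Chocolatey project; the package root, signtool path, PFX path and timestamp URL are assumptions to replace with your own.

```powershell
# Added example: sign all PE files in a Chocolatey package's tools\ folder,
# then verify every signature before packing. All paths are assumptions.
param(
    [string]$PackageRoot  = "C:\packages\mytool",   # assumed package source directory
    [string]$SignTool     = "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe",
    [string]$PfxPath      = "C:\path\to\authenticode.certificate.pfx",
    [string]$TimestampUrl = "http://timestamp.digicert.com",
    [string]$Digest       = "SHA256"                # SHA1 only if you need the widest compatibility
)

# Prompt for the PFX password instead of hard-coding it in the script.
# Note: /p still places it on signtool's command line; on a shared build host,
# prefer a certificate in the machine store selected with /sha1 <thumbprint>.
$secure = Read-Host -AsSecureString "PFX password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$toolsDir = Join-Path $PackageRoot 'tools'
$binaries = Get-ChildItem -Path $toolsDir -Recurse -Include *.exe, *.dll

foreach ($bin in $binaries) {
    # Skip files that already carry a signature the local chain trusts.
    if ((Get-AuthenticodeSignature -FilePath $bin.FullName).Status -eq 'Valid') {
        Write-Host "already signed: $($bin.Name)"
        continue
    }
    & $SignTool sign /t $TimestampUrl /fd $Digest /f $PfxPath /p $plain /a $bin.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $($bin.FullName)" }
}

# Gate: anything still unsigned here would be blocked by an AppLocker
# publisher rule at install time, so do not produce the .nupkg at all.
# 'Valid' requires the signing chain to be trusted on this machine; a
# self-signed test certificate reports 'UnknownError' until its root is installed.
$unsigned = $binaries | Where-Object {
    (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid'
}
if ($unsigned) {
    $unsigned | ForEach-Object { Write-Warning "unsigned: $($_.FullName)" }
    throw "package contains unsigned binaries; not packing"
}

$nuspec = Get-ChildItem -Path $PackageRoot -Filter *.nuspec | Select-Object -First 1
if (-not $nuspec) { throw "no .nuspec found under $PackageRoot" }
choco pack $nuspec.FullName
```

Signing the installer (.msi or setup .exe) shipped inside tools\ and the program it installs are separate steps: this script only covers files that are inside the package, so binaries the installer later drops on disk must already be signed by their vendor or by you before they are wrapped.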