uwp code-signing fips

How will the CA/B Forum's new rules for code signing certificates affect the UWP signing process?


We have a UWP app that we sign with a certificate installed on a CI/CD pipeline machine. We use this PowerShell command to get it signed:

.\signtool.exe sign /fd sha256 /t http://timestamp.digicert.com /n "935B2960-B127-4AAC-8CEF-12B537I6737D" "C:\Users\%username%\source\myrepo\MyUwpTestApp\MyUwpTestApp\AppPackages\MyUwpTestApp_1.0.1.0_Debug_Test\MyUwpTestApp_1.0.1.0_x64_Debug.msixbundle"

The signing certificate is an OV certificate from DigiCert. But apparently OV certificates are going to be overhauled so that they are stored on a hardware key: https://www.thesslstore.com/blog/code-signing-price-changes-as-cas-align-with-new-industry-standards/

Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.

I have been trying to find documentation about how this could be implemented in the signing command posted above, but haven't found anything. As I understand it, the certificate and everything else is stored on a hardware key, so it never leaves the USB key.

  1. How should we inject the binary through the USB key using a PowerShell command?
  2. Do we need to add some kind of command to the PowerShell script to force it to use the hardware key?
  3. Is there any way to avoid human interaction during the signing process? It would be nice to keep the CI/CD pipeline as independent as it is now.

Thanks.


Solution

  • The USB token holding the private key will most likely be a SafeNet eToken or a YubiKey, depending on the CA issuing the certificate. The SafeNet eToken comes with its own client software which integrates with Windows, and the signtool syntax is mostly the same. See for example the DigiCert documentation on EV code signing; the procedure for OV certificates will be the same. I'm not sure if the interactive prompt to unlock the key can be avoided; it's likely to be configurable from the SafeNet Authentication Client.

    For YubiKey-backed certificates, there is also client software to install (the YubiKey Smart Card Minidriver), and again the signtool syntax is pretty much the same (see the YubiKey documentation for more details). The key password can be specified on the command line, but depending on the YubiKey slot holding the key, it may be necessary to physically touch the YubiKey to perform the signing operation (slot 9c, used for digital signature, requires it by default, but CAs often issue the certificate on the authentication slot 9a, which doesn't require a physical interaction).
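As an added example (not from the question or the answer above), here is a PowerShell wrapper for the signing step once the key lives on a token. It assumes the token's client software (SafeNet Authentication Client or the YubiKey minidriver) is installed and has propagated the certificate into the CurrentUser\My store, and the thumbprint is a placeholder to replace with your own; it selects the certificate by thumbprint, timestamps the signature, and verifies the package before the pipeline publishes it.

```powershell
# Added example: sign a UWP .msixbundle with signtool using a certificate whose
# private key lives on a hardware token, then verify the result.
# Assumptions (not from the original post): the token's client software has
# propagated the certificate into CurrentUser\My; $Thumbprint below is a
# placeholder to replace with your certificate's thumbprint.
param(
    [Parameter(Mandatory)] [string] $PackagePath,
    [string] $Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string] $SignTool     = '.\signtool.exe',
    [string] $TimestampUrl = 'http://timestamp.digicert.com'
)

$ErrorActionPreference = 'Stop'

# 1. Confirm Windows can see the certificate and that its private key is
#    reachable. The key itself stays on the token; only a handle is exposed.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'No accessible private key (token not plugged in?)' }

# 2. Sign. /sha1 selects the certificate by thumbprint, which avoids picking the
#    wrong one when several certificates share a subject name. /tr and /td
#    request an RFC 3161 timestamp so the signature stays valid after the
#    certificate expires. If the token's client asks for its PIN, the prompt
#    appears at this step.
& $SignTool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 3. Verify that the package signature chains to a trusted root (/pa = default
#    Authenticode policy) before anything downstream consumes it.
& $SignTool verify /pa /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Host "Signed and verified: $PackagePath"
```

Whether the PIN prompt in step 2 can be cached or suppressed is specific to the token's client software, as the answer notes; the script leaves that prompt in place rather than passing the PIN on the command line.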