
Code Signing

Ryan Thomas edited this page Mar 30, 2024 · 5 revisions

Signing code after it is built

This can now be done only with the YubiKey. I revoked our Cloud signing certificate so we don't pay out the *** for that silliness.

All of the following steps require the YubiKey to be inserted into the computer first, and for Windows to have recognized its certificate. I had to install the YubiKey minidriver before this would work (link here). Once recognized, the certificate shows up in the Windows Certificate Store (open it by running certmgr.msc from the Windows-key search dialog) under "Personal -> Certificates", with SSL.com in the issuer field.

First, you need to download signtool from the Microsoft SDK. It comes as a giant installer with a whole bunch of other crap in it; deselect all of the unneeded components and choose only the code signing tools.

Make note of where the install gets written. By default on Windows it will probably go to C:\Program Files (x86)\Windows Kits\10 or a similar place. Then, using file explorer search or some other method, find the directory which contains the signtool.exe binary. There will probably be several for various CPU architectures. My system is x86_64, so the full path to the directory for the one I'm using is: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64. You will need to add that to your PATH environment variable and save the PATH.

Once you've done that, open a new command prompt so that it picks up the new PATH. Here's the command to sign our executables (this assumes the unsigned executables are in E:\DarkAge\stormcloud-release\):

signtool sign /fd sha256 /tr http://ts.ssl.com /td sha256 /n "Dark Age" "E:\DarkAge\stormcloud-release\*"

You will need to enter the PIN associated with the YubiKey.

Verify:

signtool verify /pa E:\DarkAge\stormcloud-release\<file>
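The whole procedure above, as one PowerShell script. This is an added example, not a script from this wiki or the Dark Age project. It assumes the same layout the page describes: the SSL.com-issued "Dark Age" certificate is in the current user's Personal store (the "Personal -> Certificates" pane of certmgr.msc), signtool.exe sits under C:\Program Files (x86)\Windows Kits\10\bin, and the release directory is E:\DarkAge\stormcloud-release. It locates signtool itself rather than relying on PATH, selects the certificate by thumbprint (signtool's /sha1 option) instead of by subject name so a second certificate with the same subject cannot be picked by accident, and checks every file after signing both with signtool verify /pa and with PowerShell's Get-AuthenticodeSignature. The YubiKey PIN prompt appears exactly as it does for the manual command.

```powershell
# Added example (not from the Dark Age wiki). Assumptions: the signing certificate is issued
# by SSL.com and is in Cert:\CurrentUser\My, signtool.exe lives under the Windows Kits bin
# directory, and the release directory is the one named on the page. Adjust the parameters
# for your own build; $SubjectName must match the CN shown in certmgr.msc.
param(
    [string]$ReleaseDir  = 'E:\DarkAge\stormcloud-release',
    [string]$SubjectName = 'Dark Age',
    [string]$Issuer      = 'SSL.com',
    [string]$Timestamp   = 'http://ts.ssl.com'
)

$ErrorActionPreference = 'Stop'

# 1. Windows must already have imported the YubiKey's certificate into the Personal store.
#    This is the same check as opening certmgr.msc, done from the shell. HasPrivateKey is
#    only true once the minidriver has associated the on-token key with the certificate.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.Issuer -like "*$Issuer*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No '$SubjectName' certificate issued by $Issuer with a usable key in Cert:\CurrentUser\My. Is the YubiKey inserted and the minidriver installed?"
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
Write-Host "Using certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# 2. Locate signtool.exe without depending on PATH. The SDK installs one copy per CPU
#    architecture under bin\<sdk-version>\<arch>; take the newest SDK build for this machine.
$kitsBin = 'C:\Program Files (x86)\Windows Kits\10\bin'
$arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$signtool = Get-ChildItem -Path $kitsBin -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Directory.Name -eq $arch -and $_.Directory.Parent.Name -match '^\d+(\.\d+)+$' } |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1
if (-not $signtool) { throw "signtool.exe not found under $kitsBin; install the SDK's code signing tools." }

# 3. Sign every executable and DLL in the release directory (not recursive, like the page's
#    "*" pattern). /sha1 selects the certificate by thumbprint; the PIN prompt still appears.
$files = Get-ChildItem -Path (Join-Path $ReleaseDir '*') -File -Include *.exe, *.dll
if (-not $files) { throw "No .exe or .dll files found in $ReleaseDir" }
foreach ($f in $files) {
    & $signtool.FullName sign /fd sha256 /tr $Timestamp /td sha256 /sha1 $cert.Thumbprint $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($f.FullName)" }
}

# 4. Verify every file two ways: signtool's default Authenticode policy check (/pa) and
#    PowerShell's own signature check, which also confirms the signer is the expected cert.
$bad = @()
foreach ($f in $files) {
    & $signtool.FullName verify /pa /q $f.FullName
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($LASTEXITCODE -ne 0 -or $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        $bad += $f.FullName
    }
}
if ($bad) { throw "Signature check failed for:`n$($bad -join "`n")" }
Write-Host "All $($files.Count) files signed and verified."
```

Run it from a fresh PowerShell window with the YubiKey inserted; if the certificate lookup fails, that is the same condition as the certificate not appearing in certmgr.msc, so fix the minidriver before trying to sign. The thumbprint check in step 4 is what catches a file that was signed, but by the wrong certificate.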
