I am trying to integrate Code Signing with a DigiCert SafeNet Token based cert with our CI machine.
I am following the description given in https://stackoverflow/a/54439759/321013 which leads to my command line - that does work, but very slowly:
Please note that I have specifically included windows-10 as a tag on this question, as I am unsure whether this comes from signtool or is a Windows side effect, because when viewing a certificate ("Details") in Windows Explorer, I also get such a delay, because the machine is airgapped. (The timestamp server is explicitly allowed though.)
D:\TEMP>signtool.exe sign /csp "eToken Base Cryptographic Provider" /k "[{{token_password}}]=priv_key_container_name" /f token_exported_cert.cer /tr http://timestamp.digicert /td SHA256 /fd SHA256 /v /debug .\test.dll
The following certificates were considered:
Issued to: My Company (redacted)
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: Wed Apr 11 00:59:59 2xxx
SHA1 hash: 633...
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
The following certificate was selected:
Issued to: My Company (redacted)
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: Wed Apr 11 00:59:59 2xxx
SHA1 hash: 633...
<<<<<<<<<<<<<<<<<<<<<<<<<<< Delay of about 1m 20sec here <<<<<<<<<<<
The following additional certificates will be attached:
Issued to: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Issued by: DigiCert Trusted Root G4
Expires: Tue Apr 29 00:59:59 2036
SHA1 hash: 7B0...
Done Adding Additional Store
<<<<<<<< *No* Password or delay here, thanks to "[{{token_password}}]=priv_key_container_name"
Successfully signed: .\test.dll
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
I can get this to run with no delay, but then I get a password prompt:
D:\TEMP>signtool.exe sign /sha1 633...c /tr http://timestamp.digicert /td SHA256 /fd SHA256 /v /debug .\test.dll
The following certificates were considered:
Issued to: My Company (redacted)
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: Wed Apr 11 00:59:59 2xxx
SHA1 hash: 633...c
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Hash filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: My Company (redacted)
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: Wed Apr 11 00:59:59 2xxx
SHA1 hash: 633...c
Done Adding Additional Store
<<<<<<<<<<<<<<<<<<< Interactive Password Prompt here (Windows GUI of SafeNet Client)
Successfully signed: .\test.dll
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
One apparent difference being that in the "slow" case it tells me:
The following additional certificates will be attached:
Issued to: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
but I'm unsure what to make of that detail.
asked Mar 20 at 8:48 by Martin Ba

1 Answer
I would suggest tracing with Wireshark the network connections attempted during the signing process; there is probably one blocked by your network configuration that ultimately times out. For example signtool may attempt to check if the certificate was revoked, or to pull the intermediate issuer certificates by following the "Authority Information Access" URL in the signing certificate.
You could try installing the intermediate certificates in the Windows truststore so signtool won't download them. If it doesn't work you could also try an alternative signing tool such as Jsign (disclaimer: I'm the author).
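The checks the answer describes can be made on the signing machine itself, without a packet capture, by reading the URLs the certificate carries and timing CryptoAPI's chain build with and without network revocation checking. The script below is an added example, not code from the question, the answer or the Jsign project. It assumes the exported signing certificate from the question is at .\token_exported_cert.cer, that the intermediate issuer, once obtained out of band (for instance from the DigiCert site on a connected machine), has been copied to .\intermediate.cer (an assumed filename), and that it runs in an elevated Windows PowerShell 5.1 session on the air-gapped host.

```powershell
# Added example, not from the original post or answer.
# Assumptions: .\token_exported_cert.cer is the exported signing certificate
# from the question; .\intermediate.cer (assumed name) is its issuer, fetched
# out of band. Run elevated so the LocalMachine store can be written.

Add-Type -AssemblyName System.Security
$certPath = '.\token_exported_cert.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# 1. Which URLs would CryptoAPI try to reach for this certificate?
#    AIA (issuer download / OCSP) and CRL Distribution Points are the network
#    fetches that can hang until their timeout on an air-gapped machine.
foreach ($oid in '1.3.6.1.5.5.7.1.1', '2.5.29.31') {   # AIA, CRL DP
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        "$($ext.Oid.FriendlyName): $($urls -join ', ')"
    }
}

# 2. Build the chain with online revocation checking (CryptoAPI's default
#    behaviour) and then fully offline, and compare the elapsed time.
#    A large gap between the two confirms that a blocked fetch is what the
#    signing step is waiting on; 'PartialChain' in the offline status means
#    the intermediate is not in a local store and must be fetched via AIA.
function Test-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Cap each URL retrieval so the experiment itself does not hang for minutes.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $built = $chain.Build($Certificate)
    $sw.Stop()

    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Built          = $built
        Seconds        = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        Elements       = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        Status         = ($chain.ChainStatus | ForEach-Object {
                             "$($_.Status): $("$($_.StatusInformation)".Trim())" }) -join '; '
    }
}

Test-ChainBuild -Certificate $cert -RevocationMode Online
Test-ChainBuild -Certificate $cert -RevocationMode NoCheck

# 3. If the offline build is incomplete, install the intermediate into the
#    machine-wide "Intermediate Certification Authorities" store so CryptoAPI
#    finds it locally instead of following the AIA URL, then re-test.
$intermediatePath = '.\intermediate.cer'
if (Test-Path $intermediatePath) {
    Import-Certificate -FilePath $intermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
    Test-ChainBuild -Certificate $cert -RevocationMode NoCheck
}
```

Once the intermediate is present locally the offline build should list both elements (leaf -> issuing CA) with an empty status. If the Online build still takes tens of seconds afterwards, the remaining cost is the CRL/OCSP lookup rather than the issuer download, and the URLs printed in step 1 are what a firewall exception (alongside the already allowed timestamp server) would need to cover. The same fetches can be cross-checked from a plain command prompt with certutil -verify -urlfetch token_exported_cert.cer, which reports each URL it tries and whether it succeeded.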