rladstaetter
Posts: 11
Joined: Fri May 06, 2022 1:15 pm

Digicert Keylocker

Hi,

We are using Advanced Installer to sign our executables with Code Signing Certificates, including both EV and regular certificates. Currently, we are facing challenges in using EV Certificates in our Continuous Integration environment because it requires manual intervention for each code signing process.

Moreover, we anticipate that Digicert will soon change its approach, as explained in the following link: https://knowledge.digicert.com/solution ... ocker.html. Ideally, we would like to use EV Certificates in a batch process for Continuous Integration. However, we are experiencing difficulties since we need to provide the password manually for each signing operation.

Alternatively, we would be content if Advanced Installer could support the Digicert KeyLocker in some form. We are still evaluating if this new 'KeyLocker' approach is compatible with our CI Pipeline, and we hope that Advanced Installer may have some built-in solution to assist in this regard.

What is the best way to approach this problem?

best regards,

robert
Catalin
Posts: 7050
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert Keylocker

Hello Robert,

You are indeed right about the password prompt. Unfortunately, this is the design for EV certificates.

For more details about this and a possible solution please see the following thread:

Signing with Smart Card - Too Many Password Prompts

Hope that helps!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube
rladstaetter
Posts: 11
Joined: Fri May 06, 2022 1:15 pm

Re: Digicert Keylocker

Thank you!

With the assistance of the mentioned settings for the authentication client, using EV certificates becomes much less troublesome.

We have to investigate if this helps us migrate all our builds to using EV certificates.

However, I still have a question regarding Digicert's cloud solution and how Advanced Installer would integrate with it. I was hoping that support for it was already included in your latest product version or a similar update. :?:

Could you clarify this for me?
Catalin
Posts: 7050
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert Keylocker

Hello Robert,

You are always welcome!

Now, regarding this:

"However, I still have a question regarding Digicert's cloud solution and how Advanced Installer would integrate with it. I was hoping that support for it was already included in your latest product version or a similar update. :?:"

I have read a bit about DigiCert's Keylocker, and to be fully honest with you, I cannot really offer you a conclusive answer for now.

However, I will add this to our TODO list of improvements so our dev team can further investigate it, and once I have more details, I will update this thread.

Thank you for your understanding!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Bogdan
Posts: 2792
Joined: Tue Jul 07, 2009 7:34 am

Re: Digicert Keylocker

Hi,

We will monitor the evolution of this support from Digicert and once we have clear specs from them, along with more user requests we will increase the priority for this integration.

In the meantime, to avoid the limitations (password prompt/physical flash drive requirement) of EV signing you can try to evaluate the Azure Code Signing services from Microsoft.
https://techcommunity.microsoft.com/t5/ ... -p/3604669

This is what we have been using in our pipeline for over 3 months, without any problems. It is a free service from Microsoft; if you already have an active Azure subscription, you just need to email them and ask for access to the program, at AzureCodeSigningTAP@microsoft.com.

This MS service uses a classical code signing signature (not EV) so you will get rid of the issues related to managing the password prompts/flash drive, but it does guarantee instant reputation within the MS platform (so you will get no problems with SmartScreen filter or other security checks from Windows, just like an EV certificate promises).

An integration with Azure Code Signing in Advanced Installer is on our roadmap, but blocked until Microsoft publishes all the info we need to implement it.

Regards,
Bogdan
Bogdan Mitrache - Advanced Installer Team
BrianWolfe

Re: Digicert Keylocker

Thanks for the link. You saved my day.
Catalin
Posts: 7050
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert Keylocker

You are always welcome, Brian!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
BrianWolfe

Re: Digicert Keylocker

You are the best :)
Last edited by BrianWolfe on Fri Jul 14, 2023 4:22 pm, edited 2 times in total.
Catalin
Posts: 7050
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert Keylocker

Thank you for your kind words, Brian! :)

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
charettepa
Posts: 7
Joined: Mon Mar 20, 2023 3:34 pm

Re: Digicert Keylocker

@Catalin

is there any progress on digicert and the new requirement for certs industry wide
our old pfx cert expires at the end of August

after this
you can no longer use a standard pfx cert and password
you must use HSM in one way or another
the new cert is a pf12 and must be accompanied by the crt file, the api key, and the pf12 password

digicert, when used with their cloud locker
provides the requirements for setting up environment variables
once this is done the sign command with SMCTL is different than previously

smctl sign --keypair-alias <alias name> --certificate <path\filename.crt> --input <path\filename.ext>
-- The file actually used when signing is the .crt file not the pf12 and you use the keypair alias not the password --

Example:
smctl sign --keypair-alias SecretAliasName --certificate C:\path\filename.crt --input C:\path\filename.exe
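
A CI wrapper around the smctl sign command quoted in the post above, as an added example that is not part of the original thread and is not Advanced Installer or DigiCert code. It assumes smctl is on PATH and that the four SM_* client variables (names taken from DigiCert's client tooling, not from this thread) are injected from the CI secret store; the parameter names are hypothetical.

```powershell
# Added example: sign each file with smctl, then verify the result independently.
# Assumptions: smctl is on PATH; SM_* variables are provided by the CI secret store.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]   $KeypairAlias,     # keypair alias, not a password
    [Parameter(Mandatory)] [string]   $CertificatePath,  # the .crt file, not the .p12
    [Parameter(Mandatory)] [string[]] $InputFiles        # files to sign
)
$ErrorActionPreference = 'Stop'

# Fail early when a secret is missing. Only names are reported, never values,
# so the API key and client certificate password stay out of the build log.
$required = 'SM_HOST', 'SM_API_KEY', 'SM_CLIENT_CERT_FILE', 'SM_CLIENT_CERT_PASSWORD'
$missing  = $required | Where-Object { -not [Environment]::GetEnvironmentVariable($_) }
if ($missing) { throw "Missing environment variables: $($missing -join ', ')" }

# Resolve to a full path: .NET APIs do not follow PowerShell's current location.
$crt = (Resolve-Path -LiteralPath $CertificatePath).Path
$expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($crt)

foreach ($file in $InputFiles) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        throw "Input file not found: $file"
    }

    & smctl sign --keypair-alias $KeypairAlias --certificate $crt --input $file
    if ($LASTEXITCODE -ne 0) {
        throw "smctl sign failed for $file (exit code $LASTEXITCODE)"
    }

    # Do not rely on the exit code alone: confirm that Windows validates the
    # Authenticode signature and that the signer is the certificate we expect.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $file is '$($sig.Status)': $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
        throw "Unexpected signer on ${file}: $($sig.SignerCertificate.Subject)"
    }
    Write-Host "Signed and verified: $file"
}
```

The thumbprint comparison stops the build if a file was already signed with a different certificate or if the wrong keypair alias was configured for the pipeline.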
Catalin
Posts: 7050
Joined: Wed Jun 13, 2018 7:49 am

Re: Digicert Keylocker

Hello,

I'm afraid I do not have a certain solution for now.

However, we have this on our TODO list of improvements with a high priority.

Once I have more details, I will update this thread.

Thank you for your understanding!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
timmangan
Posts: 48
Joined: Fri Mar 30, 2018 1:17 pm

Re: Digicert Keylocker

ISSUE: To sign MSIX files AI must extract and add the correct publisher string into the AppXManifest. I am still struggling with that, and the wrong publisher ID is now being used, but signing of other types of files seems fine.
Liviu
Posts: 1205
Joined: Tue Jul 13, 2021 11:29 am

Re: Digicert Keylocker

Hello Tim,

Thank you for bringing this issue to our attention.

Based on the information available in our bug tracking tool, I can confirm that this issue has already been included in our list of tasks to address. We are actively working towards a solution and hopefully this will be fixed in a future version of Advanced Installer.

I apologize for any inconvenience caused by this.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team
AlexPage
Posts: 1
Joined: Wed Aug 09, 2023 10:06 pm

Re: Digicert Keylocker

Any updates on this?
We need to know whether we can use a digicert Cloud HSM EV Cert before we order one.
Not worried about password prompts, just need to ensure we can use it before forking out the cash!
Liviu
Posts: 1205
Joined: Tue Jul 13, 2021 11:29 am

Re: Digicert Keylocker

Hello and welcome to our forums,

As I see, my colleague Dan has already replied to your email.

However, this is already on our TODO list of improvements. We will let you know as soon as we have more information on this.

Best regards,
Liviu
________________________________________
Liviu Sandu - Advanced Installer Team