2 votes

We currently have a fully automated process to generate installers from source code using ANT.

We create different files of the types below:

  1. JAR
  2. EXE
  3. DLL
  4. MSI
  5. APP files for the MAC OS X version.

Each one of the files is digitally signed, but the digital certificate has to be stored in the format required by each tool.

For example: jarsigner uses JSR files, signtool uses the digital certificate store in the Control Panel, and codesign uses a similar repository on the Mac. We created a PKCS12 file to import our certificate into every other required container.

Now we plan to move up to an EV certificate for code signing that is stored on a hardware token connected to the computer via USB. The challenge is to integrate the hardware token with all the signing tools from the different vendors and to use it in batch mode, so that we don't need to type a password for every file to be signed (we can sign up to 2,000 files in one batch).

I am searching for a solution that can handle all these requirements. I've found none yet.

1
I think you mean to say that jarsigner uses JKS files. In addition, nowadays it often also supports PKCS#12 keystores. – Markus

jarsigner supports integration with external libraries, one of which supports PKCS11. Hardware tokens support PKCS11 as well. We finally managed to obtain a working solution, but it was really a pain. – IgnacioHR
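
The jarsigner-plus-PKCS#11 route mentioned in the comment above, as an added example that is not code from the question or its comments: every JAR in a directory is signed against a hardware token through the SunPKCS11 provider, with the token PIN read once from an environment variable instead of being typed per file. The PKCS#11 library path, slot index, key alias, TSA URL and directory are caller-supplied placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the question or answers): batch-sign JARs with
# jarsigner against a PKCS#11 hardware token, entering the PIN once per batch.
# All paths, the alias and the TSA URL below are placeholders (assumptions).

# Print the SunPKCS11 provider config: which PKCS#11 library to load and which
# slot holds the signing key. jarsigner reads it through -providerArg.
pkcs11_cfg_text() {
  printf 'name = HardwareToken\nlibrary = %s\nslotListIndex = %s\n' "$1" "$2"
}

# Write that config to the file named in $1 (library in $2, slot in $3).
write_pkcs11_cfg() {
  pkcs11_cfg_text "$2" "$3" > "$1"
}

# Sign one JAR. -keystore NONE because the private key never leaves the token;
# -storepass:env reads the PIN from $TOKEN_PIN, so it is typed once for the
# whole batch and never appears in the process list. The TSA timestamp keeps
# the signature valid after the signing certificate itself expires.
sign_jar() {
  cfg="$1"; alias="$2"; tsa="$3"; jar="$4"
  jarsigner -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$cfg" \
    -storepass:env TOKEN_PIN -tsa "$tsa" "$jar" "$alias" \
  && jarsigner -verify "$jar" >/dev/null
}

# Walk a directory of JARs, stop on the first failure and report the count, so
# a 2,000-file batch cannot silently ship a few unsigned artifacts.
sign_all() {
  dir="$1"; lib="$2"; slot="$3"; alias="$4"; tsa="$5"
  cfg="$(mktemp)"; write_pkcs11_cfg "$cfg" "$lib" "$slot"
  n=0
  for jar in "$dir"/*.jar; do
    [ -f "$jar" ] || continue
    sign_jar "$cfg" "$alias" "$tsa" "$jar" \
      || { echo "FAILED: $jar" >&2; rm -f "$cfg"; return 1; }
    n=$((n + 1))
  done
  rm -f "$cfg"
  echo "signed $n jar(s) in $dir"
}

# Usage (placeholders): TOKEN_PIN=... sh sign-batch.sh dist \
#   /usr/lib/libtoken.so 0 codesign-key https://tsa.example.invalid
if [ -n "${TOKEN_PIN:-}" ] && [ $# -ge 5 ]; then
  sign_all "$1" "$2" "$3" "$4" "$5"
fi
```

The same one-PIN-per-batch idea carries over to the other tools only as far as each one can take the PIN from a non-interactive source; check each vendor's documentation before relying on it for unattended runs.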

1 Answer

0 votes

SignServer Enterprise [1] is server-side software based on SignServer [2] that currently supports at least the formats in points 1-3 and the use of hardware tokens.

This makes the signing process the same regardless of signature type/format.

Unfortunately, it does not yet cover points 4 and 5, although MSI support might be coming soon.