While not directly applicable, you may be able to script it similar to using a CAC.

DOD uses Smart Cards for authentication and you can have command line tools use 
the card for authentication (runas /smartcard program).  What happens is that 
you get a pop up from the system to choose cert and enter PIN.  A similar 
process may be possible.

Brian Milby
br...@milby7.com
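As an added example (not from either poster), here is what scripting that looks like for a token-resident certificate: signtool picks the certificate out of the CurrentUser\My store by thumbprint, and the SafeNet minidriver supplies the private key (the PIN prompt still appears, as with a CAC), so no .pfx or /p password is involved. The thumbprint, file paths and the RFC3161 timestamp URL are assumptions to be adjusted for your own setup.

```powershell
# Added example: sign a standalone with a certificate whose private key lives on a
# SafeNet USB token. Assumes the SafeNet client is installed so the certificate
# shows up in Cert:\CurrentUser\My with a private-key association.
param(
    [Parameter(Mandatory)] [string] $Path,                   # file to sign
    [string] $Thumbprint   = "<CERT_THUMBPRINT>",            # placeholder: SHA-1 thumbprint of the token cert
    [string] $TimestampUrl = "http://timestamp.sectigo.com"  # assumed RFC3161 endpoint; adjust as needed
)
$signtool = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"

# Pre-flight: is the token plugged in, and is the cert usable for signing?
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Certificate $Thumbprint not found in CurrentUser\My; is the token inserted?"
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate found but has no private-key association (minidriver not ready?)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); renew before signing"
}

# Sign by thumbprint: SHA-256 file digest, RFC3161 timestamp so the signature
# stays valid after the certificate itself expires. The PIN prompt comes from the token.
& $signtool sign /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 /v $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Verify against the default Authenticode policy before shipping the build.
& $signtool verify /pa /v $Path
if ($LASTEXITCODE -ne 0) { throw "signature verification failed (exit code $LASTEXITCODE)" }
```

If the PIN prompt blocks an unattended build, that is a property of the token and its client software, not of signtool; the script above will simply wait for it.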

> On Oct 10, 2023, at 6:40 AM, Paul Dupuis via use-livecode 
> <use-livecode@lists.runrev.com> wrote:
> 
> To any with a recommendation:
> 
> I have been getting my Windows Code Signing Certificates from Comodo. I have 
> been able to get certs in file formats like .pfx or .p12 that allows me to 
> code sign using a single command line with the password as part of the 
> command. This lets me script code signing as part of the "on standaloneSaved" 
> message using the "shell()" function, so the code signing is part of saving 
> the Standalone.
> 
> My current Windows cert expires in November, so I click the renew link and 
> renewed. The new Cert came on a "USB token" - a small USB memory stick that 
> is specially encoded. To sign, I HAVE to use a desktop GUI app called 
> SafeNet Authentication Client Tools. After a bunch of back and forth with 
> Sectigo - Comodo's fulfillment branch - I got the following message:
> 
> -----------------
> 
> We apologize for the delayed response and any inconvenience it may have 
> caused. We understand that you need a Code Signing certificate in PFX format 
> to automate the signing process. As per the CA/B forum's new regulation, the 
> private key should be generated, stored, and used on a suitable 
> FIPS-compliant hardware token. This change from the CA/B Forum aims to 
> improve security and help reduce the risk of compromise.
> 
> The Code Signing token is a hardware device with a certificate/key inbuilt 
> and they cannot create/export PFX files. Since the private key is stored on 
> the hardware token, for security it cannot be copied or exported. The concept 
> of the token-based code signing certificate is to plug the USB into the 
> system where you want to sign the software. We appreciate your understanding 
> in this matter.
> 
> -----------------
> 
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a 
> sign command line PER the CA/B Forums (whatever they are).
> 
> 
> Does anyone know if this is an industry wide change? Or can anyone recommend 
> a Windows Code Signing Certificate provider that can provide a cert in a 
> format that supports command line signing, such as:
> 
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" 
> sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code 
> Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode 
> /v /p <PASSWORD> "<PATH_TO_STANDALONE>"
> 
> 
> I really do not want to return to having to manually sign standalones!
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
