Hello Paul,

unfortunately this is the "new" standard. Since 1st June 2023 private keys have to be stored on a token. https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/

There is no way anymore to export a certificate, for example to .pfx. And much more of a pain, it is not possible anymore to code sign a Windows app under macOS, or at least I was not able to do so so far.

I have a "cloud" certificate from Certum which I purchased from SSL Point (https://www.sslpoint.com/). With this type of certificate the private key is not stored on a USB token. This "cloud" certificate works similar to a USB token. I also have to install some software. This software allows me to log in to the "cloud", and after a successful login I can use that certificate with Microsoft's signtool and JARsigner. https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf

So to automate your signing, you just have to keep a Windows PC running and make sure that you are logged in to the "Cloud". As long as the software is logged in you have access to the certificate. I don't know if this is also the case with the USB token. Could not test it, because I do not have a USB token. ;)

Regards,
Matthias

> On 10.10.2023 at 12:39, Paul Dupuis via use-livecode <[email protected]> wrote:
>
> To any with a recommendation:
>
> I have been getting my Windows Code Signing Certificates from Comodo. I have been able to get certs in file formats like .pfx or .p12 that allow me to code sign using a single command line with the password as part of the command. This lets me script code signing as part of the "on standaloneSaved" message using the "shell()" function, so the code signing is part of saving the Standalone.
>
> My current Windows cert expires in November, so I clicked the renew link and renewed. The new cert came on a "USB token" - a small USB memory stick that is specially encoded. To sign, I HAVE to use a desktop GUI app called SafeNet Authentication Client Tools.
>
> After a bunch of back and forth with Sectigo - Comodo's fulfillment branch - I got the following message:
>
> -----------------
>
> We apologize for the delayed response and any inconvenience it may have caused. We understand that you need a Code Signing certificate in PFX format to automate the signing process. As per the CA/B forum's new regulation, the private key should be generated, stored, and used on a suitable FIPS-compliant hardware token. This change from the CA/B Forum aims to improve security and help reduce the risk of compromise.
>
> The Code Signing token is a hardware device with a certificate/key inbuilt and they cannot create/export PFX files. Since the private key is stored on the hardware token, for security it cannot be copied or exported. The concept of the token-based code signing certificate is to plug the USB into the system where you want to sign the software. We appreciate your understanding in this matter.
>
> -----------------
>
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a sign command line PER the CA/B Forums (whatever they are).
>
> Does anyone know if this is an industry wide change? Or can anyone recommend a Windows Code Signing Certificate provider that can provide a cert in a format that supports command line signing, such as:
>
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode /v /p <PASSWORD> "<PATH_TO_STANDALONE>"
>
> I really do not want to return to having to manually sign standalones!

_______________________________________________
use-livecode mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
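As an added example (not code from Matthias's or Paul's posts): a PowerShell script that signs with a certificate selected from the Windows certificate store by thumbprint, which is the form signtool needs when the private key lives on a USB token or in a vendor's cloud client rather than in a .pfx, and that fails the build if the resulting signature does not verify. The thumbprint, signtool path, timestamp URL and target file are placeholders/assumptions, and the script assumes the token or cloud client is already logged in.

```powershell
# Added example: sign a standalone with a token/cloud-backed certificate via signtool.
# Assumptions (placeholders): the thumbprint, the signtool path, the timestamp URL
# and the target file. The token client (SafeNet client or Certum's cloud client)
# must already be logged in; this script does not handle its PIN/login prompt.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $Thumbprint   = "0000000000000000000000000000000000000000",  # placeholder
    [string] $SignTool     = "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe",
    [string] $TimestampUrl = "http://timestamp.example.invalid"             # placeholder
)
$ErrorActionPreference = "Stop"

# The token/cloud CSP exposes the certificate in the user's personal store;
# the private key is not exportable, so there is no .pfx and no /f or /p.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "Code signing certificate $Thumbprint not found in CurrentUser\My (is the token/cloud client logged in?)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew soon."
}

# /sha1 selects the certificate by thumbprint; /fd and /td choose SHA-256 for the
# file digest and the RFC 3161 timestamp (/tr), so the signature outlives the cert.
& $SignTool sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy before the build is published.
& $SignTool verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

From LiveCode the script can be invoked through shell() with the standalone path as its argument; any failure leaves a non-zero exit status, so the "on standaloneSaved" handler can abort instead of shipping an unsigned or badly signed build.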
