Check our other helpful areas that might answer your question

Hi,

We are using Advanced Installer to sign our executables with Code Signing Certificates, including both EV and regular certificates. Currently, we are facing challenges in using EV Certificates in our Continuous Integration environment because it requires manual intervention for each code signing process.

Moreover, we anticipate that Digicert will soon change its approach, as explained in the following link: https://knowledge.digicert.com/solution ... ocker.html. Ideally, we would like to use EV Certificates in a batch process for Continuous Integration. However, we are experiencing difficulties since we need to provide the password manually for each signing operation.

Alternatively, we would be content if Advanced Installer could support the Digicert KeyLocker in some form. We are still evaluating if this new 'KeyLocker' approach is compatible with our CI Pipeline, and we hope that Advanced Installer may have some built-in solution to assist in this regard.

What is the best way to approach this problem?

best regards,

robert

Hello Robert,

You are indeed right about the password prompt. Unfortunately, this is the design for EV certificates.

For more details about this and a possible solution please see the following thread:

Signing with Smart Card - Too Many Password Prompts

Hope that helps!

Best regards,
Catalin

Thank you!

With the assistance of the mentioned settings for the authentication client, using EV certificates becomes much less troublesome.

We have to investigate if this helps us migrate all our builds to using EV certificates..

However, I still have a question regarding Digicert's cloud solution and how Advanced Installer would integrate with it. I was hoping that support for it was already included in your latest product version or a similar update.

Could you clarify this for me?

Hello Robert,

You are always welcome!

Now, regarding this:

However, I still have a question regarding Digicert's cloud solution and how Advanced Installer would integrate with it. I was hoping that support for it was already included in your latest product version or a similar update.

I have read a bit about DigiCert's Keylocker, and to be fully honest with you, I can not really offer you a conclusive answer for now.

However, I will add this on our TODO list of improvements so our dev team can further investigate it and once I will have more details, I will update this thread.

Thank you for your understanding!

Best regards,
Catalin

Hi,

We will monitor the evolution of this support from Digicert and once we have clear specs from them, along with more user requests we will increase the priority for this integration.

In the meantime, to avoid the limitations (password prompt/physical flash drive requirement) of EV signing you can try to evaluate the Azure Code Signing services from Microsoft.
https://techcommunity.microsoft.com/t5/ ... -p/3604669

This is what we are using in our pipeline for over 3 months, without any problems. It is a free service from Microsoft, if you already have an active Azure subscription, you just need to email them an ask for access to the program, at AzureCodeSigningTAP@microsoft.com.

This MS service uses a classical code signing signature (not EV) so you will get rid of the issues related to managing the password prompts/flash drive, but it does guarantee instant reputation within the MS platform (so you will get no problems with SmartScreen filter or other security checks from Windows, just like an EV certificate promises).

An integration with Azure Code Signing in Advanced Installer is on our roadmap, but blocked until Microsoft publishes all the info we need to implement it.

Regards,
Bogdan

Thanks for the link. You saved my day.

You are always welcome, Brian!

Best regards,
Catalin

You are the best

Thank you for your kind words, Brian!

Best regards,
Catalin

@Catalin

is there any progress on digicert and the new requirement for certs industry wide
our old pfx cert expires at the end of August

after this
you can no longer use a standard pfx cert and password
you must use HSM in one way or another
the new cert is a pf12 and must be accompanied by the crt file, the api key, and the pf12 password

digicert, when used with their cloud locker
provides the requirements for setting up environment variables
once this is done the sign command with SMCTL is different than previously

smctl sign --keypair-alias <alias name> --certificate <path\filename.crt> --input <path\filename.ext>
-- The file actualy used when signing is the .crt file not the pf12 and you use the keypair alias not the password --

exmple
smctl sign --keypair-alias SecretAliasName --certificate C:\path\filename.crt --input C:\path\filename.exe

Hello,

I'm afraid I do not have a certain solution for now.

However, we have this on our TODO list of improvements with a high priority.

Once I will have more details, I will update this thread.

Thank you for your understanding!

Best regards,
Catalin

ISSUE: To sign MSIX files AI must extract and add the correct publisher string into the AppXManifest. I am still struggling with that, and the wrong publisher ID is now being used, but signing of other types of files seems fine.

Hello Tim,

Thank you for bringing this issue to our attention.

Based on the information available in our bug tracking tool, I can confirm that this issue has already been included in our list of tasks to address. We are actively working towards a solution and hopefully this will be fixed in a future version of Advanced Installer.

I apologize for any inconvenience caused by this.

Best regards,
Liviu

Any updates on this?
We need to know whether we can use a digicert Cloud HSM EV Cert before we order one.
Not worried about password prompts, just need to ensure we acan use it before forking out the cash!

Hello and welcome to our forums,

As I see, my colleague Dan has already replied to your email.

However, this is already on our TODO list of improvements. We will let you know as soon as we have more information on this.

Best regards,
Liviu