Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

burnersk · Sat Jan 11, 2020 3:19 pm

I am using the Digital Signature feature with a code signing certificate stored on a smartcard. The smartcard ist PIN protected, and requires a PIN for every session (not transaction).

When I build setups, I get ask a hundred times (no joke) for the PIN. This takes me about an hour in password entry.

Every other software, I use in the toolchain, utilizes sessions (CSP PIN-caches). So it opens a handle to the Content Security Provider (CSP) and works with this instance/session for the rest of the execution.

Please add this CSP PIN-cache functionality. Basically, it is making the CSP for a build batch run "globally", instead of making a new CSP for every single file which result in hundreds of PIN entry situations. But - in any case - after the build batch run has finished or canceled, explicitly close the CSP session.

Currently, I see not workaround, since Advanced Installer is generating most of the files-to-sign on-the-fly, so I cannot sign them beforehand.

YouTube · Mon Jan 13, 2020 8:46 am

Hello,

I have added this on our TODO list of improvements and hopefully this will be added in a future version of Advanced Installer.

Thank you for bringing this to our attention!

Best regards,
Catalin

burnersk · Sat May 30, 2020 9:54 am

Hi Catalin,

almost half a year have passed. Has Caphyons priority list for AI cleanup up a little, so you can give me/us some hint on how long it could take until the AI developers could dig into this? I am not asking about "when it will be released" ( when its done ${L_SMILIES_WINK}$ ).

YouTube · Wed Jun 03, 2020 8:58 am

Hello,

I have discussed this with the developer in charge and this improvement is in his queue for further research and investigations.

Unfortunately, I can not give you an estimation as priorities may change over time (for instance, a critical bug appears).

I will, however, update this thread as soon as this improvement will be implemented in Advanced Installer.

Best regards,
Catalin

burnersk · Mon Jan 11, 2021 4:08 pm

Today I released a single (1) new version (1 single MSI file), and had to enter my PIN exactly 381 times!!!!

A half year have passed, what is the status on using CSP transactions instead of forking the sign tool for every file individually?

YouTube · Mon Jan 11, 2021 5:04 pm

Hello,

Today I released a single (1) new version (1 single MSI file), and had to enter my PIN exactly 381 times!!!!

I am really sorry to hear this and I apologize for this encountered behavior.

A half year have passed, what is the status on using CSP transactions instead of forking the sign tool for every file individually?

From what I can see, this issue is still under investigation on our side.

We have recently added support to select a custom signtool.exe tool to sign your files.

If possible, could you please go to "Digital Signature" page, select the "Custom" option (instead of the "Built-in" option)from the dropdown, point to your signtool.exe tool and retest this scenario and let me know if this is of any help?

Looking forward to hearing from you!

Later edit:

After a bit of research, I have found the following tool (free) which seems to do just what you need - allow passing the PIN through a command line:

Using signtool.exe with Smart Cards

Could you please have a look over that (together with our new support for custom signing tools mentioned above) and let me know if it is of any help?

Best regards,
Catalin

burnersk · Mon Jan 11, 2021 8:06 pm

Hi Catalin,

thanks for the update.

A different signtool.exe would not help, as AI executes the "different signtool.exe" for each file to sign individually. So we do not have a session here (or technically: not a session over multiple files to sign) and need a PIN entry for every session aka each file to sign.

Ignoring the security implications completely, ScSigntool.exe would help by allowing the PIN to be set on the command line.
However, I cannot thing of any (trusted) certification authority that allows (TOS) the PIN to be stored anywhere (plaintext, ciphertext, credential store), and from a security standpoint, it would be "unwise" to have the PIN listed in shell history files, process explorers and (possible) log files.

The only solution(s) that works and follows basic security standards would be that

AI creates a CSP session and uses this session for the entire build run (incl. all build flavours), or
AI implements the option (additional checkbox for the "different signtool.exe" use case) to pass all files to be signed to the "different signtool.exe".

I guess the workaround with passing all files to be signed to the "different signtool.exe" at ones (example below) would be very easy to implement on your side. With this workaround, I guess there are only 3 PIN entries (calls) per build flavour (signing content files, archives, and final MSI).

Code: Select all

Path = C:\DifferentSignTool.exe
CommandLine = sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256
MultipleFiles = True

this will result in

Code: Select all

C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\Project\File1.exe C:\Project\File2.dll C:\Project\File3.cab C:\Project\File4.ocx C:\Project\File5.jar C:\SetupFiles\Updater.exe
C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\SetupFiles\MainFeature.cab C:\SetupFiles\UpdaterFeature.cab
C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\SetupFiles\Project.msi

However, this would also be a crude workaround. The ideal solution without each customer has to build its own intermediate application would be to implement CSP session into AI. But the workaround would be very helpful in the meantime.

YouTube · Tue Jan 12, 2021 9:23 pm

Hello,

Thank you for your followup on this and for your feedback on this matter.

I have forwarded it to our development team and I have also increased the priority on this feature request.

Best regards,
Catalin

YouTube · Fri Jan 15, 2021 4:09 pm

Hello,

I have followed you up on this over the e-mail.

(writing this just in case you are missing the e-mail)

Looking forward to hearing from you!

Best regards,
Catalin

burnersk · Sat Jan 16, 2021 4:52 pm

Hi Catalin,

thanks for your suggestion but it seems that SafeNet Authentication Client, while developed not by DigiCert (directly), only works with DigiCert certificates and DigiCert's smart card readers.

It sees my certificate dongle by Certum, but when I try to setup a token, SafeNet wants to reset my dongle, which results into losing my private keys and certificates, irrevocable rendering couple thousand euros in certificates useless.

YouTube · Tue Jan 19, 2021 10:48 am

Hi,

I am sorry to hear that. In this case we would recommend you to check with your certificate vendor if there is any setting you can configure for your smartcard driver so that the PIN is not required per each file signing operation, but for each process/session that uses the smartcard to apply digital signatures.

After debating your scenario with our dev team we are quite reluctant to temporarily encrypt and store your smartcard pin during the setup project build operation. Mainly this is because the pin is a sensitive data and we would prefer not to handle it directly (any breach into such feature may lead to security issues).

Currently the PIN request is solely handled by the Windows system tool we use to sign the files (SignTool.exe) and we would like to completely rely on it for the signing operations.

Thank you for your understanding.

All the best,
Daniel

burnersk · Tue Jan 19, 2021 11:19 am

Hi Daniel.

Daniel wrote: ↑
Tue Jan 19, 2021 10:48 am
In this case we would recommend you to check with your certificate vendor if there is any setting you can configure for your smartcard driver so that the PIN is not required per each file signing operation, but for each process/session that uses the smartcard to apply digital signatures.

This is exactly the case why I have created this feature request. The PIN is only required once every session, but since AI uses the original SignTool.exe, which only supports one file to be signed at a time, every file signing operating is an individual process/session.

Daniel wrote: ↑
Tue Jan 19, 2021 10:48 am
After debating your scenario with our dev team we are quite reluctant to temporarily encrypt and store your smartcard pin during the setup project build operation. Mainly this is because the pin is a sensitive data and we would prefer not to handle it directly (any breach into such feature may lead to security issues).

Of course, the PIN must not be saved anywhere, and it is also not allowed to be saved anywhere by the CA.
Did I made any comment that you interpreted as I would "like" to save the password anywhere? This is absolutely not the case.

What about my proposal to allow "all" files to be passed to a "DifferentSignTool" at once?

burnersk wrote: ↑
Mon Jan 11, 2021 8:06 pm
I guess the workaround with passing all files to be signed to the "different signtool.exe" at ones (example below) would be very easy to implement on your side. With this workaround, I guess there are only 3 PIN entries (calls) per build flavour (signing content files, archives, and final MSI).
Code: Select all
Path = C:\DifferentSignTool.exe
CommandLine = sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256
MultipleFiles = True
this will result in
Code: Select all
C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\Project\File1.exe C:\Project\File2.dll C:\Project\File3.cab C:\Project\File4.ocx C:\Project\File5.jar C:\SetupFiles\Updater.exe
C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\SetupFiles\MainFeature.cab C:\SetupFiles\UpdaterFeature.cab
C:\DifferentSignTool.exe sign /a /d "<signature description>" /du "Description URL" /fd SHA256 /tr "http://timestamp.digicert.com" /td sha256 C:\SetupFiles\Project.msi

I have created an application ("DifferentSignTool.exe"), that is capable of receiving multiple files (via command line), and signs them in one session (1 PIN query). This way, I end up in only 3 PIN queries for a AI build flavour, which is acceptable (in contrast to 400 times).
Can you implement such option, to allow multiple files (see quote).

YouTube · Tue Jan 19, 2021 6:04 pm

Hi,

After further investigating on this on our side it seems actually we do have support to sign the multiple installation files at once. This way the built-in SignTool.exe will be called only once to sign all the installation files at once. And this should help you get rid of the multiple pin requests issue.

So, could you please proceed like this:

1. on your build machine create a DWORD registry value with this full path:

Code: Select all

HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\Settings\UseBatchSigning

2. set the "UseBatchSigning" reg value to 1

3. open your setup project in Advanced Installer, go to "Digital Signature" page and set the "SignTool" option to "Built-in"

4. rebuild your setup project

The drawback of this setting is that Advanced Installer could become unresponsive during build signing operation.

Let me know how this works for you.

All the best,
Daniel

burnersk · Wed Jan 27, 2021 1:10 am

Hi Daniel.

Unfortunately, it seems that "UseBatchSigning" does not have any effect at all (AI not even become unresponsive). I got the same (unacceptable high) amount of PIN entries as usual.

I have created a DWORD (32-bit) Value

: Image 1.png (86.59KiB)Viewed 109290 times

Is the registry location and value type correct?

YouTube · Wed Jan 27, 2021 6:04 pm

Hi,

Yes, the registry location and value (type) is correct.

Could you let me know how many PIN signing request do you get? You should get at most 7 requests we execute as it follows:

1. 3 signing operation for a dummy test file to validate the selected digital certificate (e.g. it is not expired, it is of Microsoft Authenticode type - can be used to sign MSI and CAB files).

2. 1 signing operation for all files (bulk signing) included in "Files and Folders" page

3. 1 signing operation for the CAB file

4. 1 signing operation for the MSI file

5. 1 signing operation for the EXE setup package file

All the best,
Daniel

Suggested Articles

User Guide

Videos

Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Re: Allow signing with CSP PIN-caches (Smartcard Code Signing asks for PIN too many times)

Caphyon Products

Company

Product

Resources

Free Tools

Connect