MSIX : Signing code with Timestamp server......

If you have a package and you need to get it signed so that it runs without warning then you need to code sign the package or for that matter any application with a timestamp code signing certificate, this is shown in the digital certificate tab on the file as shown below:

When you examine this certificate you will notice is was signed back in 2015 for this application in question however with a timestamp certificate the expiry does not matter

If you view the certificate you will notice it expired back in 2016 but for installing is still valid, this is because at time of signing it was valid, so when you run this it is looking that it was signed at the time it was produced.

Get the timestamp URL

Once you have chosen you code signing provider, for this example I will use Entrust you will get a URL link for code sign with, this link relevant to this example is shown below:

https://www.entrust.com/knowledgebase/ssl/time-stamp-url

When you look at the Entrust options you get a document signing URL or a code signing URL, and wer need the code signing URL which is this one (for this example)

Code Signing verification CANNOT be HTTPS, this particular requirement applies to CRLs as well

http://timestamp.entrust.net/rfc3161ts2

Right so now you have the URL, you cannot just download a PFX file as many providers, especially the secure ones no longer support software key providers and you need a software key provider to get a PFX that can be used in Windows.

Load up your token

You require hardware stored code signing certificate, this means you either need a security USB token (known as a security token) or a HSM which is a Hard Security Module which is usually a virtual appliance or a physical rack mount device.

Software storage of these code signing certificates, is my most reputable vendors, considered insecure, which means you will not be able to install this type of certificate to the software storage provider, which includes your computer and user certificate store built into Windows 🪟 

Then you get the response from the authority, get the certificate installed on the hardware provider or key, with me so far?

You will almost certainly need Safenet Authentication client which is a download you will need to get for your version of the OS, once you have this software and the token you will need to initialise the token, to do this plug it in the navigate to the settings (the cog under the entrust logo) then right click you token and choose Initialise token......

You need to ensure you choose the option to "configure all initialisation settings and options" and ensure that "token password must be changed on next logon" and "keep current administrator password" are NOT selected.

WARNING : Ensure you do not forget any of the data, once initialized, you require that data to access the security token,  if you do you will loose your certificate and all tokens on the device

You will then need to follow your vendors advice to get the token loaded with the certificate, however once you have this loaded onto the token which will look like this:

With the certificates details on the right side like this:

If using Entrust you will need to follow this guide from this link: 

https://www.entrust.com/-/media/documentation/userguides/ecs_getting_started_code_signing_guide.pdf

Download signtool.exe for Signing

You really need a non-virtualised device or environment as pass thru USB to remote desktop or Citrix will not work, once you have this device you need to get the SDK 

https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/

Once you have this downloaded and you run it, once you have accept terms and conditions which you need to accept (and read) then when you get to the "what to install" you need to select only this option:

Windows SDK Signing tools for Desktop Apps

When you click install it will go off and do that action, once complete there will be no desktop icon or start menu icons as its a SDK, it except you to know where the files are, so if you navigate to this folder:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64

You will see the file we are after signtool.exe, so now we can make the magic happen :) 

Preparation for : Sign the application

This is the last bit, so before you start on the signing, open you safenet authentication client, click the settings cog then navigate to client settings then to Advanced then ensure the "Enable single logon" and "Enable single login for PCKS#11" is ticked, once ticked click Save.

Sign the application

Start a command prompt as admin, then navigate to the folder : C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64 

Once you are in the root folder, ensure you security token is connect to the device then run this command, and change the section in BOLD to the path to your unsigned package or application

signtool.exe sign /tr http://timestamp.entrust.net/rfc3161ts2 /td sha256 /fd sha256 /a C:\path\to\program.exe

Get an error here? < click that link if it failed with file format not recognized 😞 

The safenet client will prompt you for the password, the one you set when you initialised the device, enter this password and the token will sign the application or program with the correct certificate ready for you to deploy.

If you look at the details for the certificate you will notice that the "digital signature" is OK, this means it has not been tampered with and is valid.

All done.......