Harald S. Hanssen

Reputation: 494

How to authenticode sign binaries in packages?

What is the recommended approach to sign the executable in a Chocolatey package?

My organization has implemented AppLocker in their new Windows 10 regime. Though I understand why the regime is in place, I'm not sure how to implement it in custom Chocolatey packages we put into our package feed. Nor am I sure if I need to sign both the installation file as well as the executable file. If any non-signed executable tries to run, AppLocker stops the execution.

Chocolatey mentions a bit about signing in their security section:

https://github.com/chocolatey/choco/wiki/Security

Roadmap: https://chocolatey.org/docs/roadmap

The guide "Code signing a windows application" (https://mkaz.blog/code/code-signing-a-windows-application/)

However, I don't know where to start.

Upvotes: 1

Views: 287

Answers (2)

Jobobo

Reputation: 1

This will not help you though. The next problem you will face is that Chocolatey will not run in constrained language mode powershell

Upvotes: 0

ferventcoder

Reputation: 12591

Background

There are a couple of binaries in Chocolatey-provided packages (packagebuilder.exe, packageuploader.exe) that are not currently authenticode signed.

It is something we've identified recently and have on the list to get taken care of.

In the meantime, let's get your question answered properly.

How To Authenticode Sign

To be honest, the blog post you linked is very straightforward. However, I will validate a couple of WTFs you might have had.

Requirements for Windows

  • The primary prerequisite is that you will need an Authenticode certificate (about $200+ per year). Yes, you will really need this - and it really requires verification of an organization (or person if you can go that route).
  • Secondarily you'll need the Windows SDK which has signtool.exe.

How to Sign

Basically you are going to make a call similar to:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /t "http://timestamp.digicert.com" /fd [SHA1|SHA256|SHA512] /f C:\path\to\authenticode.certificate.pfx /p [YOURPASSWORD] /a "C:\path\to\the\file.exe"

The path to signtool might be slightly different based on what SDK you have installed. Also, as the article mentioned, you might want to stick with SHA1 for most compatibility, but you can go higher if you would like to.

The above was adapted out of the Chocolatey (choco) codebase and you can inspect that at https://github.com/chocolatey/choco/blob/54ddf11fa025e97e071ae884c738ef8456b60b76/.build.custom/codeSign.step#L42-L48.


Upvotes: 1
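As an added illustration that is not part of ferventcoder's answer or the choco codebase: a PowerShell script that signs every AppLocker-relevant file under a package's tools folder with signtool (SHA-256 digest plus an RFC 3161 timestamp) and then verifies each result with Get-AuthenticodeSignature, which is the same signature check AppLocker publisher rules rely on. The signtool discovery logic, the parameter names and the PFX/timestamp values are assumptions, not Chocolatey conventions.

```powershell
# Added example (not from the answer or from Chocolatey): sign every AppLocker-relevant
# file in a package's tools\ folder, then verify the signatures before publishing.
# Assumptions (hypothetical values): parameter names, the PFX path/password and timestamp URL.
param(
    [Parameter(Mandatory)][string]$ToolsDir,                   # e.g. .\mypackage\tools
    [Parameter(Mandatory)][string]$PfxPath,                    # authenticode.certificate.pfx
    [Parameter(Mandatory)][securestring]$PfxPassword,
    [string]$TimestampUrl = 'http://timestamp.digicert.com'    # timestamp server from the answer
)

# Locate signtool.exe in whatever Windows SDK is installed instead of hard-coding one version.
$signtool = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\x64\*' } | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK.' }

# AppLocker evaluates executables, DLLs, installers and scripts, so sign all of them,
# which answers the "installer and executable?" question: both, plus any DLLs and scripts.
$targets = Get-ChildItem -Path $ToolsDir -Recurse -Include *.exe, *.dll, *.msi, *.ps1 -File
if (-not $targets) { throw "No signable files found under $ToolsDir" }

# Only materialise the password for the duration of the signing loop.
$plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
foreach ($file in $targets) {
    # /fd SHA256 hashes the file with SHA-256; /tr and /td request an RFC 3161 timestamp so
    # the signature stays valid after the certificate itself expires.
    & $signtool sign /fd SHA256 /tr $TimestampUrl /td SHA256 /f $PfxPath /p $plain $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $($file.FullName)" }
}
$plain = $null

# Verification: Status must be 'Valid' for every file, otherwise AppLocker publisher rules
# will not match and the binary is blocked exactly as the question describes.
$bad = foreach ($file in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ File = $file.Name; Status = $sig.Status; Message = $sig.StatusMessage }
    } else {
        Write-Host "OK  $($file.Name)  signer=$($sig.SignerCertificate.Subject)"
    }
}
if ($bad) { $bad | Format-Table -AutoSize; throw 'One or more files are not validly signed.' }
```

Run it from the package source directory before `choco pack` so that an unsigned or hash-mismatched file fails the build rather than failing on an AppLocker-protected workstation.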
