Run Windows code signing batch file from Mac using Parallels

Not sure how many Parallels users there are, but we are trying to automate our Windows code signing by creating a batch file that would call signtool.exe and then return a code indicating if it was successful. We have our batch file created and it works fine, but now we'd like to be able to call it from Windows WITHOUT sharing the Windows desktop in Mac.

We’ve set up Parallels to make the Windows folders accessible, but navigating through Finder to the batch file and clicking on it does not work.

Any suggestions?

Well I’m a relative newbie to the Windows signing space, but I’ll put in my two cents based upon my experience over the last couple of months.

So you’re talking about using Parallels but not sharing the desktop. Do you mean you want to run the Parallels VM headless (e.g. running in the background with no window/display)?

Assuming this is what you mean, then you’ll need some way of invoking some kind of event on said machine. Maybe a web app running on this machine through which you can start the process, or maybe something such as: if this file shows up in the shared folder, then kick off the build process.

This all implies signtool.exe running in Parallels, as there’s no way to run this directly on the Mac.

Additionally, if you have one of the older signing certs, then I believe you can sign directly on the Mac until it expires. @Tim_Parnell built ExeWrapper to handle this, but I believe it’s EOL’d as all newer certs have moved over to hardware key signing (e.g. fancy USB stick). If you still have an older cert that is in file form, then reach out to Tim and he might be able to help.

Otherwise, for any of the new signing certs, this requires the hardware key and entering in your PIN when signing. Assuming Microsoft did their homework and is adequately handling security, I’d expect it not to be easily possible to script automatically entering in your PIN into this dialog when signfile.exe runs. Who knows, you might be able to figure something out if you’re in this space though.

Alternatively, many of the signing certificate vendors offer cloud-based signing. In my case, I’m using ssl.com and they have an optional eSigner service that runs about $20 a month. As much as I don’t like the idea of yet another subscription, if I had a team of people and needed to craft an automated solution in the space, I’d likely pick this option. Just being around the block a few times in these kinds of endeavors, one could potentially burn tons of time and brain cycles crafting a solution (e.g. think about maybe a Web app running on said Parallels VM, crafting some way of entering the PIN, etc.) when the Cloud service might be the less costly and easier solution.

In John’s post from 8 days ago I tried to subtly imply that I can update ExeWrapper for hardware tokens. This time I will be less subtle.

I can make ExeWrapper work with hardware tokens, but I will not do so for $29. If someone has a need to Authenticode sign on macOS and wants to arrange a consulting contract with me, ExeWrapper may live on. But as a shareware offering to the general Xojo community, it has not had the return on investment I had originally hoped.


If you dig down into the parallels bundle like this:

/Applications/Parallels Desktop/Contents/MacOS/

You’ll see that there’s a file in there called prlctl. That little console app can be run from a script to list VMs as well as launch a VM and run a command with a particular username and password.

My suggestion would be to create a share inside the VM, use your script to copy the exe and the bat into there, use prlctl to run the script, then copy the file back and remove it from the VM.

…and you should be able to do that with a VM that starts up headless.
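A Mac-side shell script that carries out the steps in the post above (copy the binary into the share, run the batch file with prlctl, copy the result back, clean up), added here as an example and not code from the thread. The VM name, the share paths, the headless startup setting and a sign.bat that takes the file as %1 and exits with signtool's status are all assumptions; the file-name check is there because the name is spliced into a Windows command line.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: the VM is named "Win11" and is set
# to start headless in Parallels; a Parallels shared folder is mounted at $MAC_SHARE on the
# Mac and visible as $WIN_SHARE in Windows; sign.bat lives in that share, takes the file to
# sign as %1 and exits with signtool's exit code (0 on success).
set -eu

VM_NAME="${VM_NAME:-Win11}"
MAC_SHARE="${MAC_SHARE:-$HOME/Parallels/shared}"
WIN_SHARE="${WIN_SHARE:-Z:\\shared}"

# Accept only a bare file name: it ends up on a Windows command line, so refuse separators etc.
safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# The command line cmd.exe will run inside the guest.
guest_cmd() {
  printf '%s\\sign.bat %s\\%s' "$WIN_SHARE" "$WIN_SHARE" "$1"
}

# Start the VM if it is not already running ("prlctl status" prints "... exist running").
ensure_vm_running() {
  prlctl status "$VM_NAME" | grep -q running || prlctl start "$VM_NAME"
}

# Copy the binary into the share, sign it inside the VM, copy it back, clean up.
# prlctl exec returns the guest command's exit status, i.e. what sign.bat returned.
sign_via_vm() {
  name=$(basename "$1")
  safe_name "$name" || { echo "refusing unsafe file name: $name" >&2; return 2; }
  ensure_vm_running
  cp "$1" "$MAC_SHARE/$name"
  if prlctl exec "$VM_NAME" cmd.exe /c "$(guest_cmd "$name")"; then
    cp "$MAC_SHARE/$name" "$1"      # bring the signed binary back
    rm -f "$MAC_SHARE/$name"        # leave nothing behind in the share
    echo "signed: $1"
  else
    rc=$?
    rm -f "$MAC_SHARE/$name"
    echo "signing failed in VM (exit $rc): $1" >&2
    return "$rc"
  fi
}

if [ $# -gt 0 ]; then
  sign_via_vm "$1"    # usage: ./sign_via_parallels.sh path/to/MyApp.exe
fi
```

prlctl exec relies on Parallels Tools running in the guest, so a VM that has only just been started may need a moment before the call succeeds.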

Tim, I appreciated your offer, but as I mentioned to you in my previous reply, ExeWrapper will probably need to be modified to work with tokens if it is going to continue being viable since that is the only way they can now distribute code signing certificates.

Unfortunately, our needs are immediate rather than at some time in the future, because our certificate has expired and we need to continue code signing with the token.

We are currently using SignCode and that works fine. To make it somewhat easier, we created batch files to code sign the EXE and the installer separately and then we just have to run them from our in-house developed application.

So Parallels is running Windows 11 (for Arm; we are using M1 MacBook Pros) and we wanted to make a shell call to Windows to run the batch file depending on the application we are building.

We’ll continue to look for a solution.

Another option is to create a simple WebService (e.g. with “Xojo Web”).
Some GET or POST request to that service (running on the Windows VM) can execute whatever you need there (given the service is running under an appropriate user/account).