Windows code signing with token

I hope someone has some experience with this because we are so frustrated at this point.

I purchased a code signing certificate from K Software and it was handed off to Sectigo. I finally received my USB token after weeks of waiting for validation to complete. However, in the past, we were able to obtain a P12 file which we could convert to a certificate file and a key file (both PEM files) using OpenSSL; however, that is no longer possible. It appears that they now want you to use the token to code sign Windows EXEs.

We wrote our own code signing application that used the PEM files to code sign (using OSSLSIGNCODE) but since we cannot convert the CER file that is exported from the token to a P12 file, our code signing is broken.

Does anyone have any code that can be used to code sign an EXE with the token installed?

Windows sign tool handles hardware tokens, so I assume you’re using osslsigncode because you’re not on Windows.

I could update ExeWrapper to handle hardware tokens. You are welcome to reach out for a consulting contract if you have the need.

Is this any good?

Thanks for your reply, but the online converter requires a private key, which is stored on the token (USB drive) provided to us by Sectigo and it cannot be exported, so this converter will not work.

The exported certificate only contains a public key!

Tim, thank you for your reply.

You are correct, we were using OSSLSIGNCODE to code sign our EXEs; however, now that the CAs have gone to a hardware device to distribute the certificates, this will no longer work.

I would think that you would want to update ExeWrapper since eventually no one will have certificates in a file format and they will have to use the hardware tokens to code sign.

We are going to modify our application to use SignTool to code sign our EXEs, but it will take a short while to modify.

The biggest hurdle we have right now is that Sectigo will only provide ONE USB token - no duplicates and we have 4 developers that sometimes work remotely and may need to post updates to our software. What a hassle.

Still looking for an OSSLSIGNCODE command that will code sign an EXE with a hardware token provided by Sectigo. Found some information on how to do it on Ubuntu, but not sure if that command will translate to macOS. Anyone successfully done this?
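One way to do this with osslsigncode's PKCS#11 engine support, as an added example that is not from the thread or any poster: the private key stays on the token, osslsigncode is given the exported public certificate plus a PKCS#11 URI for the key, and the token vendor's driver does the signing. Every library path, the token and key labels in the URI, and the timestamp URL are assumptions; the Ubuntu and macOS variants differ only in those paths.

```shell
#!/bin/sh
# Added example, not from the thread: sign a Windows EXE (or installer) with osslsigncode
# using the private key held on a PKCS#11 hardware token. The key never leaves the token;
# osslsigncode gets only the public certificate (-certs) and a handle to the key (-key).
# Every path and the key URI below is an assumption for this example; override the
# environment variables to match your machine.

OSSLSIGNCODE="${OSSLSIGNCODE:-osslsigncode}"
# libp11's OpenSSL engine (assumed Homebrew path on macOS; on Ubuntu something like
# /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so)
PKCS11_ENGINE="${PKCS11_ENGINE:-/opt/homebrew/lib/engines-3/pkcs11.dylib}"
# token vendor's PKCS#11 driver (assumed SafeNet client path; use whatever your vendor installs)
PKCS11_MODULE="${PKCS11_MODULE:-/usr/local/lib/libeTPkcs11.dylib}"
# certificate exported from the token and converted to PEM; it holds only the public key
CERT_PEM="${CERT_PEM:-codesign-cert.pem}"
# PKCS#11 URI selecting the private key object on the token (assumed token/object labels)
KEY_URI="${KEY_URI:-pkcs11:token=MyToken;object=MyCodeSigningKey;type=private}"
# RFC 3161 timestamp server so the signature stays valid after the certificate expires (assumed URL)
TS_URL="${TS_URL:-http://timestamp.sectigo.com}"

# sign_exe <input.exe> <output.exe>: SHA-256 Authenticode signature with a timestamp.
# -askpass prompts for the token PIN so it never appears on the command line or in history.
sign_exe() {
  "$OSSLSIGNCODE" sign \
    -pkcs11engine "$PKCS11_ENGINE" \
    -pkcs11module "$PKCS11_MODULE" \
    -certs "$CERT_PEM" \
    -key "$KEY_URI" \
    -askpass \
    -h sha256 \
    -ts "$TS_URL" \
    -in "$1" \
    -out "$2"
}

# verify_exe <signed.exe>: check the signature before the file is published for download
verify_exe() {
  "$OSSLSIGNCODE" verify -in "$1"
}

# Usage: ./sign.sh build/app.exe build/app-signed.exe
if [ "$#" -eq 2 ]; then
  sign_exe "$1" "$2" && verify_exe "$2"
fi
```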

Just looking for feedback before we proceed with a workaround for the limitations presented by signing certificates being distributed via a hardware token (USB drive).

The hardware token has thrown us a curve in that you must have it inserted in the USB drive of the computer you are going to use to code sign the EXE or INSTALLER. We have three developers who need to code sign apps at various times and there are times when this needs to be done remotely. The hardware token makes this extremely difficult.

Our workaround is to set up a remote computer that we will access through Mac OS screen sharing. We will leave the hardware token inserted in the USB indefinitely. We have our own application that will do the code signing for the EXE and INSTALLER, so we will just run that application remotely and let it do the code signing and copy our INSTALLER to our website for user download.

Anyone have any thoughts on our workaround?