When I tried to download the code signing certificate from Sectigo/Comodo, using Firefox I just ended up downloading a file called CollectCCC
, with no file extension. It is not clear to me how to use it to sign a binary. When I try to use it to sign a binary (with /debug
on) I get the following:
> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe
The following certificates were considered:
Issued to: GoDragons
Issued by: Sectigo RSA Code Signing CA
Expires: Fri Oct 22 00:59:59 2021
SHA1 hash: <hash>
Issued to: Sectigo RSA Code Signing CA
Issued by: USERTrust RSA Certification Authority
Expires: Wed Jan 01 00:59:59 2031
SHA1 hash: <hash>
Issued to: USERTrust RSA Certification Authority
Issued by: AAA Certificate Services
Expires: Mon Jan 01 00:59:59 2029
SHA1 hash: <hash>
Issued to: AAA Certificate Services
Issued by: AAA Certificate Services
Expires: Mon Jan 01 00:59:59 2029
SHA1 hash: <hash>
After EKU filter, 4 certs were left.
After expiry filter, 4 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
Part of the problem is that I wasn't able to download their certificate using IE (their recommended way, sigh), because I hadn't created a code signing certificate request using IE. I created the code signing certificate request using openssl
.
Here is the error message I got from IE:
I tried importing the CollectCCC
into IE as well and that failed.
Disclaimer: I would not recommend using Sectigo and/or Comodo for code signing certificates! My experience with them was terrible! It's worth paying more to get a better service.
Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil). In the Certificate Export wizard, select Yes, export the private key, select pfx file, and then check Include all certificates in the certification path if possible, and finally, click Next. A . pfx file uses the same format as a .
After a lot of googling, I eventually worked out that the CollectCCC
file is of type .p7s
.
You can convert .p7s
files into .pfx
files (required to sign binaries) using openssl
with the following commands (it's a two step process):
openssl pkcs7 -inform der -in CollectCCC -print_certs -out CollectCCC.pem
openssl pkcs12 -export -out certificate.pfx -inkey ~/.csr/www.draughthub.com.key -in CollectCCC.pem
where you replace ~/.csr/www.draughthub.com.key
with the location of the private key you created to make the code sign certificate request. The second step will prompt you for a password. This is the password you used to create the request (and corresponding private key).
I went through this process recently and I also had troubles with this process. After I bought a code signing certificate from Sectigo, I had to:
Step 1. Create a certificate request file (.csr) and the certificate key file (.key). After this you will have 2 files, one with .key extension and one with .csr extension.
openssl.exe req -nodes -newkey rsa:3072 -nodes -keyout DESIREDNAME.key -out DESRIREDNAME.csr -subj "/C=COUNTRY_CODE/ST=STATE_NAME/L=CITY_NAME/O=ORGANIZATION_NAME /CN=YOUR_DOMAIN_NAME.com"
Step 2. Use the .csr file on Sectigo website to generate your certificate.
Step 3. Download your certificate from the email received from Sectigo. After this step you should have a new file with .crt extension, in my case it was user.crt.
Step 4. Convert the .key and .crt files to a .pfx file for code signing.
openssl.exe pkcs12 -inkey DESIREDNAME.key -in user.crt -export -out mycertificate.pfx
During this process you will be asked to set a password for the .pfx file.
Step 5. Dual sign the file with SHA1 and SHA256.
signtool.exe sign /tr http://timestamp.digicert.com /td sha1 /fd sha1 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe
signtool.exe sign /tr http://timestamp.digicert.com /as /td sha256 /fd sha256 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe
Note that the second call contains the /as parameter to append the signature. Remember, always sign with SHA1 first and append the SHA256 second.
Step 6. Right click your file and select Properties. Check the Digital Signatures tab. Your file should be now digitally signed. Congratulations!
Some side notes:
At Step 1 I have used one openssl.exe found in C:\Program Files\Git\usr\bin\openssl.exe but this one failed at Step 4 with "can't find certificates" error. I had to install Win64 OpenSSL Light from https://slproweb.com/products/Win32OpenSSL.html and then Step 4 worked as expected and my .pfx file was finally generated.
I did not have signtool.exe available on my machine, so from Visual Studio Installer I selected to modify the installation and I added one of the Windows 10 SDK item from Individual Components. Then I had this file available in C:\Program Files (x86)\Windows Kits\10\bin\10xxxx\x64\signtool.exe.
Can't wait to see those AV false positives go away now that my application is digitally signed :)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With