Difficulty using EV-HSM certificate for code signing on CentOS across multiple VPS

Actualpacs Improve your diagnoses 20 Reputation points
2024-01-25T10:02:42.55+00:00

We recently acquired an EV-HSM certificate from GlobalSign and successfully integrated it into our Azure Key Vault. Our current challenge lies in the automated use of this certificate for code signing executables (exe) on CentOS. Our aim is to seamlessly incorporate it across multiple VPS instances to sign dynamically generated executables for specific users, featuring a medical image viewer and associated medical images. We are actively seeking guidance or support, specifically looking for a reference or guide that facilitates an automated solution. Your insights or recommendations for achieving an automated executable signing process would be greatly appreciated. Thank you for your time and support. tl;dr: Struggling with the automated use of EV-HSM certificate for code signing on CentOS across multiple VPS instances. Executables generated dynamically.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,048 questions
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,046 Reputation points Microsoft Employee
    2024-02-02T17:35:29.72+00:00

    @Actualpacs Improve your diagnoses

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Issue:

    Difficulty using EV-HSM certificate for code signing on CentOS across multiple VPS

    We recently acquired an EV-HSM certificate from GlobalSign and successfully integrated it into our Azure Key Vault. Our current challenge lies in the automated use of this certificate for code signing executables (exe) on CentOS. Our aim is to seamlessly incorporate it across multiple VPS instances to sign dynamically generated executables for specific users, featuring a medical image viewer and associated medical images. We are actively seeking guidance or support, specifically looking for a reference or guide that facilitates an automated solution. Your insights or recommendations for achieving an automated executable signing process would be greatly appreciated. Thank you for your time and support. tl;dr: Struggling with the automated use of EV-HSM certificate for code signing on CentOS across multiple VPS instances. Executables generated dynamically.

    Solution:

    After setting up everything as per the specifications outlined in this stackoverflow answer and using this tool https://github.com/ebourg/jsign, we have successfully implemented the signing of our executables.

    The 'signtool' tool proved to be ineffective for our purposes as we operate on CentOS 7, and there is no longer support for mingw, as indicated in this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1807975."

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!

    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Q&A Assist
    2024-01-25T10:02:42.5533333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To automate the use of an EV-HSM certificate for code signing on CentOS across multiple VPS instances, you can use the signtool command-line tool to sign the executables.

    First, you need to install the signtool tool on your CentOS instances. You can do this by installing the mingw-w64-tools package using the following command:

    sudo yum install mingw-w64-tools
    

    Next, you need to configure signtool to use your EV-HSM certificate. You can do this by specifying the certificate thumbprint and the CSP file from the HSM in the signtool command.

    Here's an example command to sign an executable using signtool:

    signtool sign /fd sha256 /tr http://timestamp.digicert.com /td sha256 /sha1 <thumbprint> /ac <path-to-certificate> /csp <csp-name> /v <path-to-executable>
    

    Replace <thumbprint> with the thumbprint of your EV-HSM certificate, <path-to-certificate> with the path to your EV-HSM certificate, <csp-name> with the name of the CSP file from the HSM, and <path-to-executable> with the path to the executable you want to sign.

    To automate this process across multiple VPS instances, you can use a script that runs the signtool command on each instance. You can use a configuration management tool like Ansible or Puppet to deploy the script to each instance and run it.

    References:

    0 comments No comments