How to sign Microsoft Authenticode files with Entrust CSaaS (Code Signing as a Service)
Note:
This is a workaround for Authenticode signing. Instead of Microsoft's signtool.exe, it uses the PKCS#11 interface of the Entrust Signing Client together with Jsign, a third-party tool maintained by Emmanuel Bourg (ebourg) on GitHub.
In this release, the Entrust Signing Client does not support CNG signing, so its private key cannot be used directly by signtool.exe.
Requirements:
Several tasks need to be completed before you can sign code. These tasks are listed on the Home screen of the ECS portal. To view them, follow the steps below:
1. Log in to your ECS portal.
2. On the Home screen, click the Get Started tab.
3. In the left column, click Signing Automation Service, then complete the requirement steps in sequence.
4. Use the Signing Automation Service Documentation as a reference where needed.
In addition, the machine you sign on needs:
5. A Java Development Kit (or Java runtime) installed and working, so that java can be run from the command prompt.
6. The Jsign tool downloaded and saved to your computer. The filename used in this guide is jsign-5.0.jar.
Step by step to sign Microsoft Authenticode files using Entrust CSaaS:
1. Create the csaas.cfg file. You only need to create this file once.
This is a SunPKCS11 provider configuration file that tells Java which PKCS#11 library to load. In any text editor (Notepad, for example), create a text file containing the two lines below and save it in your Java bin folder (for example, C:\Program Files (x86)\Java\jre1.8.0_65\bin) as csaas.cfg. Note: the path in the library line must use double backslashes ( \\ ), because a single backslash is treated as an escape character in this file.
name = Entrust
library = C:\\Program Files\\Entrust\\SigningClient\\P11SigningClient64.dll
2. In the command prompt, type signingclient and press Enter.
This step confirms that the Signing Client tool is installed correctly and is available on your PATH. The correct result is shown in the screenshot below.
3. Find the alias (label) of the private key in your SAS environment by running:
signingclient list keys
The label shown in the output is the alias you will pass to Jsign. In this example, the label is:
Staging SG team
4. Run dir in the Java bin folder to confirm that the Jsign jar is there:
dir jsign*
If the file is not listed, copy the downloaded jsign-5.0.jar into the Java bin folder. Jsign does not have to live in the Java bin folder; this guide keeps it there so that java.exe, jsign-5.0.jar and csaas.cfg are in one place and the signing command works from that folder even if java is not on your PATH.
5. You are ready to sign. From the Java bin folder, enter the following command:
java -jar jsign-5.0.jar --keystore <your config file> --alias <your ALIAS name> --storepass <your private key store password> --storetype PKCS11 --tsaurl http://timestamp.entrust.net/rfc3161ts2 --tsmode RFC3161 <your codes file>
Jsign accepts both -storepass and --storepass; the double-dash form is used here for consistency with the other options.
Descriptions
<your config file> | The SunPKCS11 configuration file for the SAS environment created in step 1. In this example: csaas.cfg |
<your codes file> | The file you want to sign (an .exe, .dll, .msi or other Authenticode-signable file; it is not Java code). In this example: testsign.exe |
<your ALIAS name> | The alias name / friendly name / label shown by signingclient list keys. In this example: Staging SG team. The alias is case-sensitive, and an alias that contains spaces must be quoted. |
<your private key store password> | The private key store password you created while activating the signing client license. In this example: entrust. This switch is optional: if you omit --storepass, Jsign prompts for the password. A password given on the command line is visible in the command history and to anyone who can list running processes, so on shared machines prefer the prompt. |
Example
java -jar jsign-5.0.jar --keystore csaas.cfg --alias "Staging SG team" --storepass entrust --storetype PKCS11 --tsaurl http://timestamp.entrust.net/rfc3161ts2 --tsmode RFC3161 c:\test\testsign.exe
6. Run the verify command below to confirm that the file was signed and timestamped successfully.
Before running this command, install the Windows SDK for Windows 10, which provides signtool.exe.
Open a command prompt in the folder where signtool.exe is located (or add that folder to your PATH) and run:
SignTool verify /pa /v <filename>
/pa verifies against the default Authenticode policy (rather than the Windows driver signing policy), and /v prints the signer and timestamp certificate chains.
Example
SignTool verify /pa /v c:\test\testsign.exe
You should see "Successfully verified" if the file was signed correctly. If verification fails with a chain or untrusted-root error, the signing itself may still have succeeded; check that the signer certificate chains to a root that is trusted on the verifying machine.
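The whole procedure above as one PowerShell script, added here as an example; it is not part of the Entrust guide or of Jsign itself. It assumes the paths and alias from this guide, that the store password is supplied in a CSAAS_STOREPASS environment variable (a name chosen for this example), and that signtool.exe is on the PATH; adjust those for your environment.

```powershell
# Added example (not Entrust's or Jsign's own code): the guide's steps 1-6 as one script.
# Paths, the alias, the CSAAS_STOREPASS variable name and signtool.exe being on PATH
# are assumptions to adjust for your environment.
$ErrorActionPreference = 'Stop'

$JavaBin    = 'C:\Program Files (x86)\Java\jre1.8.0_65\bin'   # folder used in this guide
$JsignJar   = Join-Path $JavaBin 'jsign-5.0.jar'
$ConfigFile = Join-Path $JavaBin 'csaas.cfg'
$P11Library = 'C:\Program Files\Entrust\SigningClient\P11SigningClient64.dll'
$Alias      = 'Staging SG team'                                 # label from 'signingclient list keys'
$TsaUrl     = 'http://timestamp.entrust.net/rfc3161ts2'
$Target     = 'C:\test\testsign.exe'                             # file to sign

# Step 1: write the SunPKCS11 config. Backslashes in the library path must be doubled.
$escapedLib = $P11Library.Replace('\', '\\')
@"
name = Entrust
library = $escapedLib
"@ | Set-Content -Path $ConfigFile -Encoding ASCII

# Steps 2-3: confirm the Signing Client runs and that the alias exists as a key label.
$keyList = (& signingclient list keys) | Out-String
if ($LASTEXITCODE -ne 0) { throw "signingclient failed (exit $LASTEXITCODE); is the client installed and activated?" }
if ($keyList -notmatch [regex]::Escape($Alias)) { throw "Key label '$Alias' not found in 'signingclient list keys' output" }

# Step 4: make sure the Jsign jar is where the guide expects it.
if (-not (Test-Path $JsignJar)) { throw "Jsign jar not found at $JsignJar" }

# Step 5: sign through Jsign's PKCS#11 keystore type with an RFC 3161 timestamp from Entrust.
# The store password comes from an environment variable set by the caller (or a CI secret
# store) so it never appears in this script; if it is unset, --storepass is omitted and
# Jsign prompts for it, as the guide describes.
$jsignArgs = @(
    '-jar', $JsignJar,
    '--keystore', $ConfigFile, '--storetype', 'PKCS11',
    '--alias', $Alias,
    '--tsaurl', $TsaUrl, '--tsmode', 'RFC3161'
)
if ($env:CSAAS_STOREPASS) { $jsignArgs += @('--storepass', $env:CSAAS_STOREPASS) }
$jsignArgs += $Target
& (Join-Path $JavaBin 'java.exe') @jsignArgs     # java.exe from the same folder, no PATH needed
if ($LASTEXITCODE -ne 0) { throw "Jsign failed with exit code $LASTEXITCODE" }

# Step 6: verify twice. Get-AuthenticodeSignature needs no SDK and exposes the signer and
# timestamp certificates as objects, so a missing timestamp is caught explicitly;
# signtool /pa /v then prints the full chains the way the guide shows.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid') { throw "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)" }
if (-not $sig.TimeStamperCertificate) { throw "File is signed but carries no timestamp; the TSA request failed" }
"Signer:    $($sig.SignerCertificate.Subject)"
"Timestamp: $($sig.TimeStamperCertificate.Subject)"
& signtool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Run it from an elevated prompt if your Java bin folder is under Program Files, since writing csaas.cfg there requires administrator rights, and set $env:CSAAS_STOREPASS in the calling session rather than in the script. The explicit timestamp check matters because signtool verify reports an untimestamped signature as verified as long as the certificate is currently valid, but such a signature stops validating once the certificate expires.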