Nightly Windows build can not be signed any more.

[rustdesk]

Our OV certificate expired yesterday. We bought a new OV certificate from Sectigo and received a hardware token storing the certificate, but it can not be used in Github CI since the private key can not be exported out of the hardware token.

Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.
https://stackoverflow.com/questions/75927152/how-will-new-rules-of-ca-b-forums-code-signing-certificates-affect-uwp-signing/76030052#76030052

[danielmarschall]

The TeamViewer custom client and the AnyDesk custom client both use DigiCert. I don't know if DigiCert might have options for private keys outside of security modules, maybe you can ask them.

If all CAs are enforcing security modules, then it would mean GitHub CI will not work for anyone else requiring code signing, which would be very concerning.

[rustdesk]

Old signing certifcate sitll can be used before expiry, June 1 2026 is the cut off time. I missed the chance to buy a 3-years certificate before June 1 2023.

[danielmarschall]

@rustdesk Maybe this helps:
electron/windows-installer#473
They also talk about Digicert (which seem to have a cloud solution "KeyLocker"). I guess Digicert is good for automatic signing solutions, hence TeamViewer and anydesk uses Digicert?

[doerig]

We bought a certificate from GlobalSign and stored it in AzureKeyVault, like in this Walkthrough. This way at least no Hardware-Token is required and signing can be automated easily. https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/

[rustdesk]

@globalsign its vetting process is disgusting, time wasting and money wasting. I got an EV from Sectigo after a ID video call. But @globalsign requests third-party lawyer's document verfication, and for new company, it request lawyer's letter and bank deposit requirement.

[rustdesk]

@doerig When did you do this? I learned from a CA expert, your solution is not viable after June 1, 2023. Because hardware attestations is required now. ssl.com also said key vault can not be supported any more.

Unfortunately, Azure Key Vault does not provide hardware attestations to prove that the HSM is managing the key, and therefore, I doubt any CA would use it, unlike GCP and AWS. This requirement stems from Microsoft's move to mandate that all keys be stored in hardware crypto devices effective June 1, 2023, as the accepted method of proving this to the CA.

Just be aware, right now the CA might ask you to show the attestation proof that the code signing private key is stored in FIPS 140-2 Level 2 compliant device.

Following the Microsoft Azure key generation guide which was mentioned in this article would result in generation of “Software-protected” RSA key. This is compliant with FIPS 140-2 Level 1(!) only – so the compliance requirements are not met here.

Moreover, even if you would somehow do it differently and have the proper RSA-HSM key generated in the Key Vault, it’s still not possible to download the attestation proof as of now:
https://learn.microsoft.com/en-us/answers/questions/1185506/current-azure-key-vault-fips-140-2-level-2-proof

I’ve switched to Google Cloud KMS because it allows to generate the HSM proof, which seems to be mandatory to have now.

[doerig]

We did it in December 2023. We just had to sign a document where we had to declare how the key will be stored.

[Karbust]

I had the same issue for my pipeline, ended up writing a REST API in C# to sign the file (using jsign) and return it.

I could probably share it, but since it is to be used over the internet I don't have any kind of authentication, my use case was for docker and windows server on the same host.

I also have Sectigo's IV certificate.

[Karbust]

Well, I wasn't even able to use safenet, the yubikey wasn't detected properly, it was detected as a smart card 😮

But I was able to sign either signtool without it, just not able to sign with jsign or osslsigncode.

[rustdesk]

My eToken usb is deteced as a smart card also.

[ebourg]

Note that the PIV storetype is for Yubikeys (and other PIV card implementations), it doesn't require the Yubikey tools to be installed, Jsign talks directly to the card. The SafeNet eToken is a completely different beast, it's supported by Jsign with the ETOKEN storetype and requires the SafeNet Authentication Client to be installed. The certfile parameter is optional if the hardware token contains the certificate. Some token do not have the certificate, or only the signing certificate and not the intermediate certificates. This parameter is useful to ensure the full certificate chain is embedded in the signature.

[rustdesk]

Yes, it works. Tested on Mac.

java -jar ./jsign-6.0.jar --storetype ETOKEN --storepass <token-password> --tsaurl http://timestamp.sectigo.com <file>

https://ebourg.github.io/jsign/

[rustdesk]

Also tested @SSLcom, it works perfectly.

java -jar ./jsign-6.0.jar --storetype ESIGNER --storepass <username>|<password> --alias 40de936d-f634-4ac0-a847-d0a84eacd31c --keypass <totp_secret_base64> --tsaurl http://ts.ssl.com <file>

[rustdesk]

Azure Dedicated HSM pricing: $4.85 per hour, https://azure.microsoft.com/en-gb/pricing/details/azure-dedicated-hsm/
AWS CloudHSM pricing: $1.45 per hour, https://aws.amazon.com/cloudhsm/pricing/
ssl.com support azure/aws/google cloud hsm, https://www.ssl.com/hsm-attestation/
ssl.com eSigner pricing: https://www.ssl.com/guide/esigner-pricing/ $250.00 for 1000 signings per month.

Digicert's KeyLocker pricing:

At the moment, KeyLocker is charged at USD 90 per year (1000 signings) but this price will increase in January 2024.

Azure keyvault pricing: https://azure.microsoft.com/en-us/pricing/details/key-vault/ $3.20 hourly fee plus the other fees

[doerig]

Regarding the pricing: you don't need the dedicated HSM on Azure for signing, a Premium Key vault is sufficient (shared HSM).
Cost is (AFAIK) 5$/month for the HSM Protected Key + $0.03/10,000 transactions

[rustdesk]

Does $0.03/10,000 mean can sign 10,000 files?

[Karbust]

The problem with Azure HSM is the lack of support for Key attestation, something that is required by Sectigo, which is the CA that rustdesk use (mine is also from Sectigo).

Not even the dedicated HSM has key attestation from what I was told on a meeting with Azure resell partners.

[rustdesk]

If key vault is affordable, I can consider switch to the other CA who support azure key vault.

[doerig]

It's hard to say the cost for each signing request, but I guess signing requires more than 1 Transaction (Rest API Request to Keyvault). I just run our pipeline which signs one executable and now see 5 Transactions on the keyvault insights. It's 0.15$/10k transactions on HSM-Protected keys, so a bit more expensive than the $0.03 i previously stated (for our company thats still negligible, as we probably never even hit 10k Transactions).

Another option might be azure code signing, but It's not yet publicly available... https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669
Maybe you could apply for the preview for Rustdesk