Code signing certificate with lifetime policy not working

I have created a self-signed code signing certificate with the Microsoft lifetime OID 1.3.6.1.4.1.311.10.3.13. The certificate has expired, but the signed program continues to work normally. I was hoping the program would stop working or that Windows would give some kind of a warning. I am getting neither. Where am I going wrong?

Ok, I put the Lifetime OID in the wrong place. It has to be a part of the Enhanced Key Usage attribute. The attribute then becomes:
Code Signing (1.3.6.1.5.5.7.3.3)
Lifetime Signing (1.3.6.1.4.1.311.10.3.13)
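An added example, not code from the original post: it decodes an Extended Key Usage value and reports whether Lifetime Signing sits inside it next to Code Signing, which is the placement the fix above describes. The DER byte strings at the bottom are constructed for illustration.

```python
# Added example, not from the original post. Decodes an Extended Key Usage value
# (extension 2.5.29.37, a DER SEQUENCE OF OID) to check the Lifetime Signing OID is
# inside it. The DER byte strings at the bottom are constructed for illustration.

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"   # Microsoft szOID_KP_LIFETIME_SIGNING


def decode_oid(body: bytes) -> str:
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, cur = [], 0
    for b in body:                        # base-128; high bit set on continuation bytes
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = min(arcs[0] // 40, 2)         # the first two arcs share one encoded value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def decode_eku(der: bytes) -> list:
    """Parse an EKU value into OID strings. Assumes short-form DER lengths (< 128 bytes)."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("EKU value must be a DER SEQUENCE; a bare OID is the wrong place")
    oids, i = [], 2
    while i < len(der):
        tag, ln = der[i], der[i + 1]
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(der[i + 2:i + 2 + ln]))
        i += 2 + ln
    return oids


def has_lifetime_signing(eku_der: bytes) -> bool:
    """True only when Lifetime Signing sits in the EKU next to Code Signing."""
    oids = decode_eku(eku_der)
    return CODE_SIGNING in oids and LIFETIME_SIGNING in oids


# Constructed EKU values: both OIDs (what the fix above produces) and Code Signing alone.
EKU_BOTH = bytes.fromhex("3016 06082b06010505070303 060a2b0601040182370a030d")
EKU_CODE_SIGNING_ONLY = bytes.fromhex("300a 06082b06010505070303")
```

With PowerShell's New-SelfSignedCertificate the same EKU is produced by `-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13")`, and `certutil -dump` on the exported .cer then lists both OIDs under Enhanced Key Usage.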


Unable to sign VBA with valid Sectigo Code Signing certificate - but signing .msi works fine

I bumped into the same issue as this topic: Unable to sign VBA with valid Sectigo Code Signing certificate
Basically, I have a Sectigo EV code signing certificate with a USB stick that I need to plug in in order to sign my code. I am using that for signing my Excel add-in in Visual Studio (DLLs) and the .msi file that we build from that with signtool:
signtool sign /tr http://timestamp.comodoca.com /td sha256 /fd sha256 /d Prog2Installer.msi /a C:\Users\hello\source\repos\ME\Prog2\bin\Release\Prog2mInstaller.msi
That works fine, I get a pop-up asking me for my password and it signs ok.
But now I also want to use my certificate to sign my Excel/VBA .xlsm file. When I plug in my USB key I can select the certificate in VBE (named "Installed by Sectigo Browser extension"), but when I save the file, I get the same feedback as the referenced post:
There is a problem with the digital certificate. The VBA project could not be signed. The signature will be cancelled
I checked the certmgr, can see the certificate there, but can't export as .pfx, only as .cer (so no private keys, as they reside on the USB stick I assume). I also added those 3 timestamp items that were suggested in the referenced post, but still nothing.
Sectigo/Comodo seem to have no clue (tried their helpdesks); I hope that anyone here can advise me on what to do to get this to work?
I had a response from Sectigo - who had contacted the certificate token manufacturer. It looks like this is indeed Microsoft's problem - requiring an MD5 hash when signing VBA code - even though that's no longer considered secure.
As a workaround, if you are using Safenet AND if your token still supports MD5, you can make the following registry changes:
Find the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC"
Add a new registry key "Crypto"
Add a new string value to this key - "Disable-Crypto"
Give "Disable-Crypto" a value "None"
Then, add the signature to VBA in the usual way. In my case, when saving the file, it asks for the token password three times before completing the save.
Full details - including more information about the issue
Unless there is a change to the MD5 requirement for signing VBA code, it will not be possible to sign VBA code at all in the future (i.e. no certificate providers will support it). Therefore, I suggest that people contact Microsoft to urge them to act on this issue.
I had some phone conversations with their helpdesk. My summary of those conversations: it's Microsoft's problem... I didn't file anything with MSFT but as I needed a working certificate, I went for the EV code signing for my DLL/Visual Studio (works fine) and bought a simple code signing certificate to sign my VBA/Excel. After a bit of fiddling it simply works. So I pay 580 USD/year vs 400 USD/year but have a working solution.
So I'm a Schrödinger Sectigo customer now, being both happy & unhappy at the same time.

self signed certificate error on electron js

I am making an app for my own use, when I try to post JSON to my PHP server at example.com, I get the following error:
Uncaught Error: self signed certificate error
I tried the following code and it works:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0
but I believe this approach is dangerous. What is the safe way to solve this error? I tried googling but did not find anything useful or maybe because I am a beginner I did not understand it.
I assume your self-signed cert is on example.com and wherever you're posting from doesn't trust it.
You may want to check out this answer for how to create and use self signed certs from iOS, Android, and a browser.

SAM PSO (Perform Security Operation): CDS (Compute Digital Signature) 6982 error

I'm trying to compute digital signature RSASSA-PSS with sha256 for my IdentityIdentificationData (ASN1).
Directory file address 0x3D00
Application ID A000000061123A22738F4421
Private key folder 0x2F01
My ASN.1 encoded data after SHA-256 hashing (hex):
860c30a5f2b254ee92cbd3ec5c4282a940853aaef5f36d50ca20050637aaf4b0
I'm sending these commands after the SAM PIN is verified:
MSE:SET
002241B606800191840110
SW1SW2:9000
Select File
00A40800043D002F0100
SW1SW2:9000
PSO: Compute Digital Signature
002A9E9A20860c30a5f2b254ee92cbd3ec5c4282a940853aaef5f36d50ca20050637aaf4b000
SW1SW2:6982
I'm a bit new to smart cards. How can I solve this problem? What is wrong or missing?
My SAM doesn't want an algorithm identifier for RSASSA-PSS.
6982 means: Security condition not satisfied
You should probably send the VERIFY PIN command directly before the PSO: Compute Digital Signature. Signature generation generally has very high requirements with regards to PIN, because the user has to give consent for each and every signature. Hence the PIN may be invalidated by each command, especially if that command is an MSE:SET command. Selecting a DF by name may also influence the security environment.
So try the following order:
SELECT by Name (AID)
MSE:SET (for digital signature)
VERIFY PIN
PSO:COMPUTE DIGITAL SIGNATURE
The signature may also be depending on other security related objects such as an authentication key, for instance one used to setup secure messaging.
Can you check the access condition of the RSA_Sign key? If the access condition is NEVER then you won't be able to sign with this key. So in such a case, SW 6982 makes sense.
MSE:SET 002241b606800191840181 worked for me.
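An added example, not code from the original thread: it decodes the APDUs quoted above and flags the ordering problem the answers describe (PSO:CDS without a VERIFY PIN directly before it). INS, P1/P2 and tag meanings are taken from ISO/IEC 7816-4; the VERIFY APDU used in the check is a constructed placeholder.

```python
# Added example, not from the thread. INS, P1/P2 and tag meanings per ISO/IEC 7816-4.

def parse_apdu(hexstr: str) -> dict:
    """Split a short-form command APDU into CLA, INS, P1, P2, data field and Le."""
    b = bytes.fromhex(hexstr)
    cla, ins, p1, p2 = b[:4]
    data, le = b"", None
    if len(b) == 5:                                # case 2: Le only
        le = b[4]
    elif len(b) > 5:                               # case 3/4: Lc, data, optional Le
        lc = b[4]
        data, rest = b[5:5 + lc], b[5 + lc:]
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def parse_dos(data: bytes) -> dict:
    # One-byte-tag data objects of an MSE:SET template, e.g. 80 01 91 / 84 01 10.
    dos, i = {}, 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        dos[tag] = data[i + 2:i + 2 + ln]
        i += 2 + ln
    return dos

def describe(hexstr: str) -> str:
    """Name the command; for MSE:SET show algorithm (tag 80) and private key (tag 84) refs."""
    a = parse_apdu(hexstr)
    if a["ins"] == 0x22 and a["p2"] == 0xB6:       # MSE:SET of a digital signature template
        dos = parse_dos(a["data"])
        return "MSE:SET DST algo=%02X key=%02X" % (dos[0x80][0], dos[0x84][0])
    if a["ins"] == 0xA4:                           # P1=08: select by path from the MF
        return "SELECT p1=%02X path=%s" % (a["p1"], a["data"].hex())
    if a["ins"] == 0x20:
        return "VERIFY PIN"
    if a["ins"] == 0x2A and (a["p1"], a["p2"]) == (0x9E, 0x9A):
        return "PSO:CDS hash_len=%d" % len(a["data"])
    return "INS %02X" % a["ins"]

def check_sequence(apdus: list) -> list:
    """Warnings for the conditions behind SW 6982 (security condition not satisfied)."""
    names, warnings = [describe(h) for h in apdus], []
    for i, n in enumerate(names):
        if n.startswith("PSO:CDS"):
            if i == 0 or not names[i - 1].startswith("VERIFY"):
                warnings.append("PSO:CDS is not immediately preceded by VERIFY PIN")
            if not any(m.startswith("MSE:SET") for m in names[:i]):
                warnings.append("no MSE:SET before PSO:CDS")
    return warnings

# The trace from the question (PIN verified earlier, then MSE:SET, SELECT, PSO -> 6982).
TRACE = ["002241B606800191840110", "00A40800043D002F0100",
         "002A9E9A20860c30a5f2b254ee92cbd3ec5c4282a940853aaef5f36d50ca20050637aaf4b000"]
```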

My signed executable is blocked in Internet Explorer even if it's signed with SHA2

I've created and signed a new executable file (the file is signed with double signature SHA1 and SHA256 and timestamped).
Since 1/1/2016 if I try to download it from Internet Explorer (or Microsoft Edge) I get an error (saying the signature is corrupted).
Smartscreen also tells that the file is not signed.
If I look at the file from the properties, it has the two signatures.
Can you help me out understanding what's the problem?
Here's the link to download the PhraseExpander setup file
Thanks.
This is what I wrote here:
valid certificate is corrupt with IE
I still don't have a solution, because I am not able to request a SHA-2 certificate. But you can't download any application from the web with a SHA-1 certificate anymore.
Class 3 certificates are a step above the Class 2. Class 2 does not require “Extended Validation”. However the “EV” code signing certificates combine all of the regular benefits of digitally-signed code with a rigorous extended validation process. They represent the gold standard for authentication and security in code signing certificates. EV code signing certificates adhere to strict validation standards from the CA/Browser Forum and to Microsoft specifications. Enhanced authentication is provided via an encrypted token containing the private key.

Auto-enable macro with digital cert?

So will a digital certificate that is issued from a trusted signing authority, when used to sign an Excel document, allow the document to automatically run macros?
Does it make a difference whether the signature is self signed or signed by a certificate authority in terms of what the user sees?
Similar to when you use a VeriSign-issued certificate on a webpage, the machine usually automatically trusts certificates issued by that authority. I am wondering if the behavior in Excel is similar.
I am basically trying to address the issue of distributing Excel forms which are dependent upon a macro to function properly.
If you buy a signing key (e.g. from VeriSign), then you can use this to sign your macro code. When a user opens a file containing your signed code, what happens then depends on the "macro security level" they have set. Let's assume it's at the highest level, which would silently prevent any unsigned code from running.
In this case, they will be told that the file is signed by (your company name) and asked if they wish to run it. They'll be asked this every time they open the file. However, there's also a check-box titled "always trust macros from this publisher" - if they tick that, then any signed code from your company will thereafter be run with no further prompting.
Note: the signature you buy from VeriSign has an expiry date - usually after a year or two. Unless you take some extra steps before signing your code, then the code will no longer run after the certificate expires(!). This can lead to a nasty shock when your users suddenly find that nothing works a year later.
To ensure that the code continues to work even after the certificate has expired, you need to add some values in the registry that specify a "time-stamp server" that will be used to time-stamp the signed code. This time-stamp is later used to validate that the code was signed with a certificate that was valid at the time of signing, as opposed to one that is valid now.
For information on how to do this, see this link.
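An added example, not code from the answer above: a small model of how trust in a signed file changes over time, combining the timestamp behaviour described here with the Lifetime Signing EKU (1.3.6.1.4.1.311.10.3.13) from the first question on this page. The certificate dates are constructed for illustration.

```python
# Added example, not from the answer. Models signature trust over time: a timestamp
# lets a signature outlive its certificate, while the Lifetime Signing EKU ties the
# signature to the certificate lifetime even when timestamped. Dates are constructed.
from datetime import datetime, timezone

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"


def signature_status(eku, not_before, not_after, signed_at, timestamped, now) -> str:
    """Decide whether a signature should still be trusted at `now`.

    eku          set of EKU OIDs on the signing certificate
    signed_at    signing time; only trustworthy when `timestamped` is True
    timestamped  True when a timestamp server countersigned the signature
    """
    cert_valid_now = not_before <= now <= not_after
    if CODE_SIGNING not in eku:
        return "invalid: certificate is not enabled for code signing"
    if LIFETIME_SIGNING in eku and not cert_valid_now:
        # Lifetime Signing: the signature expires with the certificate, timestamp or not.
        return "invalid: lifetime-signing certificate has expired"
    if cert_valid_now:
        return "valid: certificate is within its validity period"
    if timestamped and not_before <= signed_at <= not_after:
        return "valid: timestamp proves the certificate was valid at signing time"
    return "invalid: certificate expired and the signature carries no trusted timestamp"


# Constructed one-year certificate, a signing time inside it, and a check time after expiry.
NB = datetime(2023, 1, 1, tzinfo=timezone.utc)
NA = datetime(2024, 1, 1, tzinfo=timezone.utc)
SIGNED = datetime(2023, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 6, 1, tzinfo=timezone.utc)
```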
