Title: Using the Digicert code signing service
We are currently transitioning from the old Symantec service to the new DigiCert service. The Symantec service is no longer supported. While it is currently still available, it may be decommissioned at any time. Perform all new signing via the DigiCert service.
If you require assistance migrating to the DigiCert service, please open an INFRA Jira ticket and select code signing as the component.
DigiCert Secure Software supports a range of signing tools and formats. For the full list see the client user guide in the private repository for ASF committers.
Adding a new PMC or a new user to an existing PMC needs to be performed by the infrastructure team. Please open an INFRA Jira ticket and select code signing as the component.
When the infrastructure team creates your account you will be sent a password reset email. The link in that email is only valid for 12 hours. If you are unable to complete the creation of your account in that time you can request a new password reset email by going to DigiCert ONE and clicking on the password reset link. Your username is the same as your ASF id. You should then receive a new password reset email you can use to set your password. You will also need to configure your OTP token. Officially, only Google Authenticator is supported, but any similar tool should also work.
Whatever you need to sign and however you choose to sign it, the first step is to create the necessary credentials via the DigiCert ONE web interface.
To configure your system for Windows signing:

1. SM_HOST should be set to https://clientauth.one.digicert.com (no demo in the URL).
2. Run smctl.exe keypair ls (see section 4.6 of the client user guide). You should see at least one certificate listed.
3. Run certutil.exe -csp "DigiCert Signing Manager KSP" -key -user (see section 4.7 of the client user guide).
4. Run smksp_cert_sync.exe (see section 4.8 of the client user guide).
5. Run certmgr.msc (see section 4.9 of the client user guide) and you should see your code signing certificate(s) listed under personal certificates. If a new certificate is issued to your PMC you will need to repeat this step.

To sign Windows binaries you will need a copy of SignTool.exe. This can be found in both Visual Studio and the Windows SDK. Very old versions only support SHA-1 signing. Version 6.1.7600.16385 (2009-07-14) supports newer hashes for signing.
Signing Windows binaries is covered by section 14 of the client user guide. You'll need the fingerprint of the certificate you want to use for signing (view it via certmgr.msc). You can then sign a file with:

signtool.exe sign /sha1 <cert-fingerprint> /fd sha512 /tr http://timestamp.digicert.com <file-to-be-signed>

To sign a file with SHA-256 rather than SHA-512 use /fd sha256 rather than /fd sha512.
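The following PowerShell script is an added example, not part of this page or of DigiCert's tooling: it picks the synced certificate out of the personal store (the same store certmgr.msc shows), runs the signtool command above, and then verifies the resulting signature. It assumes signtool.exe is on the PATH, that $SubjectMatch is a substring of your PMC certificate's subject, and it adds signtool's /td option so the timestamp digest matches the file digest.

```powershell
# Added example (not from the ASF page or DigiCert docs): sign with the certificate
# that smksp_cert_sync.exe placed in Cert:\CurrentUser\My, then verify the signature.
# Assumptions: signtool.exe is on PATH (or pass -SignTool), -SubjectMatch selects
# exactly one PMC certificate, -File is the binary to sign.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$SubjectMatch = 'Apache',      # assumed: adjust to your PMC certificate's subject
    [string]$SignTool = 'signtool.exe',
    [ValidateSet('sha256', 'sha512')][string]$Digest = 'sha256'
)

# Section 4.8's sync places certificates in the current user's personal store,
# which is what certmgr.msc lists under Personal > Certificates.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.NotAfter -gt (Get-Date) })

if ($certs.Count -eq 0) {
    throw "No unexpired certificate matching '$SubjectMatch' in Cert:\CurrentUser\My; re-run smksp_cert_sync.exe"
}
if ($certs.Count -gt 1) {
    $certs | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Warning
    throw "More than one matching certificate; narrow -SubjectMatch to a single certificate"
}
$thumbprint = $certs[0].Thumbprint
Write-Host "Signing $File with $thumbprint ($($certs[0].Subject)) using $Digest"

# Same command as the page, with the fingerprint and digest filled in. /td (a signtool
# option not shown on the page) makes the RFC 3161 timestamp use the same digest.
& $SignTool sign /sha1 $thumbprint /fd $Digest /tr http://timestamp.digicert.com /td $Digest $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Verify with the default Authenticode policy; /v prints the chain and timestamp so
# a reviewer can confirm the signer and that a timestamp was actually applied.
& $SignTool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }
```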
Currently under investigation by the Apache Tomcat project. Looks to be possible via OpenSSL (see section 9 of client user guide) and osslsigncode.
See the client user guide.