This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
appnote:etoken [2017/05/10 19:37] mcb30 |
appnote:etoken [2023/08/31 10:58] (current) mcb30 |
||
---|---|---|---|
Line 5: | Line 5: | ||
==== EV Code Signing Certificate ==== | ==== EV Code Signing Certificate ==== | ||
- | Microsoft requires submitted UEFI binaries to be signed using an EV Code Signing certificate. These can be obtained from providers such as [[https://www.digicert.com/friends/sysdev/|DigiCert]] at a cost of around US$500 for a three-year certificate. Note that you must purchase the more expensive **EV Code Signing Certificate** for signing UEFI submissions; the regular Code Signing Certificate will not be accepted by Microsoft. | + | Microsoft requires submitted UEFI binaries to be signed using an EV Code Signing certificate. These can be obtained from providers such as [[https://www.digicert.com/friends/sysdev/|DigiCert]] at a cost of around US$2000 for a three-year certificate. Note that you must purchase the more expensive **EV Code Signing Certificate** for signing UEFI submissions; the regular Code Signing Certificate will not be accepted by Microsoft. |
- | ==== Aladdin eToken PRO 72k (Java) ==== | + | ==== SafeNet eToken 5110+ FIPS ==== |
{{ :clipart:etoken.jpeg?160x120|An Aladdin eToken}} | {{ :clipart:etoken.jpeg?160x120|An Aladdin eToken}} | ||
- | At the time of writing, DigiCert provides EV Code Signing Certificates in the form of an Aladdin eToken PRO 72k (Java) USB hardware token. The token contains the certificate and the corresponding private key. | + | At the time of writing, DigiCert provides EV Code Signing Certificates in the form of an Aladdin/SafeNet eToken 5110+ FIPS USB hardware token. The token contains the certificate and the corresponding private key. |
- | The token is almost (but not quite) supported by the various open source hardware token drivers available for Linux. As an interim measure, you can download and install the proprietary [[https://www.digicert.com/StaticFiles/SafeNetAuthenticationClient-SAC_9_0_43_Linux.zip|Safenet Authentication Client]]. The Safenet Authentication Client includes many features which you don't need or want (such as GUI tools and RPM post-installation scripts which cause Firefox to automatically attempt to use your certificate to identify you to every website that you visit): you probably want to disable or delete most of these after installation. | + | The token is almost (but not quite) supported by the various open source hardware token drivers available for Linux. As an interim measure, you can download and install the proprietary [[https://www.digicert.com/StaticFiles/SAC_10_0_Linux_Post_GA.zip|Safenet Authentication Client]]. The Safenet Authentication Client includes many features which you don't need or want (such as GUI tools and RPM post-installation scripts which cause Firefox to automatically attempt to use your certificate to identify you to every website that you visit): you probably want to disable or delete most of these after installation. |
The only required portion of the Safenet Authentication Client software is the library ''/usr/lib64/libeToken.so''. This library provides a standardised PKCS#11 API which allows tools such as ''[[https://github.com/OpenSC/OpenSC/wiki|opensc]]'' and ''[[https://www.openssl.org|openssl]]'' to use the hardware token. | The only required portion of the Safenet Authentication Client software is the library ''/usr/lib64/libeToken.so''. This library provides a standardised PKCS#11 API which allows tools such as ''[[https://github.com/OpenSC/OpenSC/wiki|opensc]]'' and ''[[https://www.openssl.org|openssl]]'' to use the hardware token. | ||
Line 37: | Line 37: | ||
Certificate Object, type = X.509 cert | Certificate Object, type = X.509 cert | ||
label: Fen Systems Ltd. | label: Fen Systems Ltd. | ||
- | ID: 3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5 | + | ID: 842ea4f497f6defa75e786015c2cdbfd12a18891 |
The certificate can then be extracted using the command | The certificate can then be extracted using the command | ||
- | pkcs11-tool --module libeToken.so --read-object --type cert --id 3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5 \ | + | pkcs11-tool --module libeToken.so --read-object --type cert --id 842ea4f497f6defa75e786015c2cdbfd12a18891 \ |
| openssl x509 -inform DER -out codesigning.crt | | openssl x509 -inform DER -out codesigning.crt | ||
- | (replacing "''3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5''" with the ID of your certificate). This will give you a file ''codesigning.crt'' containing your code signing certificate (but not the private key, which remains on the token). You can examine the contents of ''codesigning.crt'' using | + | (replacing "''842ea4f497f6defa75e786015c2cdbfd12a18891''" with the ID of your certificate). This will give you a file ''codesigning.crt'' containing your code signing certificate (but not the private key, which remains on the token). You can examine the contents of ''codesigning.crt'' using |
openssl x509 -in codesigning.crt -noout -text | openssl x509 -in codesigning.crt -noout -text | ||
Line 50: | Line 50: | ||
==== Toolchain ==== | ==== Toolchain ==== | ||
- | {{ :clipart:chain.jpeg?300x144|A (tool)chain}} | + | {{ :clipart:chain.jpeg?300x180|A (tool)chain}} |
To sign UEFI .cab files for submission to Microsoft you will need to also install | To sign UEFI .cab files for submission to Microsoft you will need to also install | ||
- | * ''[[https://github.com/rhinstaller/pesign|pesign]]'' | ||
* ''[[http://ftp.gnome.org/pub/GNOME/sources/gcab|gcab]]'' | * ''[[http://ftp.gnome.org/pub/GNOME/sources/gcab|gcab]]'' | ||
* ''[[https://www.openssl.org|openssl]]'' | * ''[[https://www.openssl.org|openssl]]'' | ||
* ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | * ''[[https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart|engine_pkcs11]]'' | ||
- | * ''[[http://sourceforge.net/projects/osslsigncode/|osslsigncode]]'' | + | * ''[[http://sourceforge.net/projects/osslsigncode/|osslsigncode]]''((Do not try to use ''pesign'' for code signing, since it is [[https://github.com/rhboot/pesign/issues/105|broken]] and unable to perform signing using a hardware token. Use ''osslsigncode'' instead. In case ''pesign'' is ever fixed in future: you can configure NSS to use ''libeToken.so'' for ''pesign'' using |
- | + | ||
- | All of these are available prepackaged for Red Hat and SuSE derivatives (Fedora, CentOS, OpenSuSE, etc). You should not need to build any of these from source. | + | |
- | + | ||
- | You will need to configure NSS to use ''libeToken.so'' for ''pesign'' using | + | |
sudo modutil -dbdir /etc/pki/pesign -add eToken -libfile /usr/lib64/libeToken.so | sudo modutil -dbdir /etc/pki/pesign -add eToken -libfile /usr/lib64/libeToken.so | ||
- | You can list the certificates available for use by ''pesign'' using | + | You can then list the certificates available for use by ''pesign'' using |
certutil -d /etc/pki/pesign -h eToken -L | certutil -d /etc/pki/pesign -h eToken -L | ||
+ | | ||
+ | and attempt signing using e.g. | ||
+ | |||
+ | pesign -s -i unsigned.exe -o signed.exe -t "Fen Systems Ltd." -c "Fen Systems Ltd." | ||
+ | | ||
+ | (replacing "''Fen Systems Ltd.''" with the name of your token as shown by ''certutil'' above). | ||
+ | )) | ||
+ | |||
+ | |||
+ | All of these are available prepackaged for Red Hat and SuSE derivatives (Fedora, CentOS, OpenSuSE, etc). You should not need to build any of these from source. | ||
==== Microsoft Hardware Dev Center ==== | ==== Microsoft Hardware Dev Center ==== | ||
- | You will need to sign up for an account at the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]]. The sign-up process will require you to sign a copy of ''[[http://go.microsoft.com/fwlink/?LinkId=393250|winqual.exe]]'': you can do this using | + | You will need to sign up for an account at the [[https://partner.microsoft.com|Microsoft Partner Center]] and [[https://partner.microsoft.com/en-us/dashboard/account/managecertificates|add your code signing certificate]]. This process will require you to sign a downloaded file ''SignableFile.bin'': you can do this using |
- | pesign -s -i winqual.exe -o winqual-signed.exe -t "Fen Systems Ltd." -c "Fen Systems Ltd." | + | osslsigncode -pkcs11module /usr/lib64/libeToken.so -h sha256 -askpass \ |
+ | -t http://timestamp.digicert.com -certs codesigning.crt \ | ||
+ | -key 842ea4f497f6defa75e786015c2cdbfd12a18891 \ | ||
+ | -in SignableFile.bin -out SignedFile.bin | ||
- | (replacing "''Fen Systems Ltd.''" with the name of your token as shown by ''certutil'' above). | + | (replacing "''842ea4f497f6defa75e786015c2cdbfd12a18891''" with the ID of your certificate as before). |
==== Creating a UEFI signing submission ==== | ==== Creating a UEFI signing submission ==== | ||
Line 86: | Line 94: | ||
You can sign the ''submission.cab'' file using | You can sign the ''submission.cab'' file using | ||
- | osslsigncode -pkcs11engine /usr/lib64/openssl/engines/engine_pkcs11.so \ | + | osslsigncode -pkcs11module /usr/lib64/libeToken.so -h sha256 -askpass \ |
- | -pkcs11module /usr/lib64/libeToken.so -certs codesigning.crt \ | + | -t http://timestamp.digicert.com -certs codesigning.crt \ |
- | -h sha256 -askpass -t http://timestamp.digicert.com \ | + | -key 842ea4f497f6defa75e786015c2cdbfd12a18891 \ |
- | -key 3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5 \ | + | |
-in submission.cab -out submission-signed.cab | -in submission.cab -out submission-signed.cab | ||
- | (replacing "''3342cb0ff9b8e672bdcecbff80ebf89f9c785ce5''" with the ID of your certificate as before). | + | (replacing "''842ea4f497f6defa75e786015c2cdbfd12a18891''" with the ID of your certificate as before). |
+ | |||
+ | Please note that version 2.6 of ''osslsigncode'' has a [[https://github.com/mtrojnar/osslsigncode/issues/289|bug]] that causes it to generate invalid ''.cab'' files. You will need to use ''osslsigncode'' version 2.7 or later (or version 2.5 or earlier). | ||
==== Submitting to Microsoft ==== | ==== Submitting to Microsoft ==== | ||
- | Log in to the [[https://sysdev.microsoft.com/|Microsoft Hardware Dev Center]] and choose "Create UEFI submission". You will unfortunately need to use Windows to upload the ''submission-signed.cab'' file, since the submission page uses Silverlight instead of a standard HTML form.((Microsoft is special.)) | + | Log in to the [[https://partner.microsoft.com/en-us/dashboard/hardware/filesign|Microsoft Partner Center]] and choose "Submit New UEFI". |
==== Waiting ==== | ==== Waiting ==== |