Not happy
By zogzog, Tuesday 29 August 2023 at 14:33 :: Dev :: #82 :: rss
Did you know that signing Windows binaries has gotten a lot more fun since June 2023? It was already a great experience, but not on the same scale as today.
So, up to June 2023, in order to sign Windows binaries, you had to choose between buying:
- an OV certificate, cheaper and with easier validation. You pay, you get a phone call for identity verification, and at the end of the process you receive a PKCS12 certificate file. You can copy this file to any computer, and it is pretty easy to integrate it into your build servers, etc. Life is relatively easy as long as the correct phone number is listed in the phone registry that matters to the company issuing the certificates (in my case it was not..).
Drawback of the OV certificate: Microsoft does not trust you by default, so the first people who download your signed executables will receive a pretty scary warning from Windows Defender SmartScreen, telling them that they most likely have downloaded malware and should erase it ASAP. Thank you MS, I'm glad I paid $700 for such a great service. After a few days/downloads, the warning is gone, as MS now thinks your identity is trustworthy. Until, 3 years later, you renew the certificate, and all your earned "trust" is gone.
- an EV certificate, a bit more expensive, with deeper verification (not sure what), and instead of a PKCS12 file, you get a shiny USB key that must be plugged into the computer doing the signing. You are immediately trusted by Microsoft, none of your users will be scared by the SmartScreen malware alert, but having to deal with a physical token instead of a simple file is such a headache that I have always preferred the OV certificate.
So, on 27 May 2023, I decided to renew our previous OV certificate, which was about to expire. The provider I use is Sectigo. I could have been one of the last people on earth to receive a 3-year-valid PKCS12 OV certificate file, but no, what I got was a massive delay, and then a stupid SafeNet USB key that must be plugged in when signing a file.
Why did this change? Apparently there are these guys, named the 'CA/Browser Forum', who have decided that handing a PKCS12 file to the user was not secure enough, and that it was much more fun to make their life miserable by mailing them a stupid USB dongle.
How miserable? Well, quite a lot, indeed. You get a small USB key, and some software (from Thalès, mind you), the "SafeNet Authentication Client", that must be running when signing files. When you launch it, you get a screen with buttons such as "Change Token Password", "Unlock Token", etc. But you cannot unlock the token, because you do not have its password: the company that sold you the USB dongle is not giving you the token password. You can have a look at what is inside the token, and find that there is indeed a certificate in your name. You can only export its public key, not the private part. When signing, the SafeNet software will prompt you for a password. That is not the token admin password, but a "PIN" specific to the certificate. This one you can change.
So, by default, EACH time you sign a file, you get that dialog box from the SafeNet Authentication Client asking you for the PIN of the certificate. EACH time. But that's not all: if you enter the wrong PIN 3 times, you have just bricked your dongle. This happens really quickly... you type too fast once, the second time fails and then you realize your keyboard has switched to QWERTY, and now you are already at your last chance and start to sweat (according to what Sectigo told me, they can un-brick the dongle, so it is not completely bricked, but it is still a massive loss of time).
There is a setting in SafeNet to control the number of tries, but it cannot be changed by me; the 'master' password of the dongle is required, I think. Fortunately it is possible to change a setting so that it asks for the password only once per session instead of every time (until logged out, or until the screen is locked) (url)
Still, even with this setting, you have to enter the password once each time the computer reboots, and Windows computers do reboot quite often..
There is no official way to enter the token password from the command line. It has to be typed, from your physical keyboard with your little fingers, into that stupid dialog box from SafeNet. So it is not possible to automate builds. Fortunately, people have figured out some hacks around this; they are ugly and a bit dangerous, since the dongle is locked after three unsuccessful attempts:
- having an application watch the list of windows displayed; if one window title is "Token Logon", it sends it the password (url)
- using an undocumented feature of signtool (url). It works great, but for how long? What happens when the CA/Browser people find out that people can work around their stupid requirements?
I saw, after buying that SafeNet USB key, that some providers (not Sectigo) do offer "cloud signing" solutions. Of course it is more expensive; these poor guys have to run servers, etc.. I guess in the end, for them, these new requirements from the CA/Browser Forum are very good for business: they will sell both USB keys and cloud signing solutions. For everybody else it is just a TOTAL waste of time. Also, in the end, security will be downgraded instead of improved, because everybody will have a script that enters the password automatically when the dialog box appears, and will run it on a Windows box with auto-login enabled, because it does not work if the user is not logged on. And then this box will be connected to the internet with some half-finished Python script so that other machines can connect to it to sign binaries.
A final remark: isn't it strange that I can sign my macOS/iOS binaries from any of my Macs, without any stupid Thalès USB dongle plugged into my Mac? If that is safe enough for Apple, why does Microsoft enforce this dongle on us, at a higher price, and with a much worse service (the SmartScreen malware warning that appears while the 'reputation' is being built is not what I call a great service)?
In conclusion: fuck the CA/Browser Forum, we were fine with the PKCS12 files.