
SignTool Error with .app Files Using New Code Signing Certificate #3712

ivandjordjevic opened this issue Oct 9, 2024 · 4 comments

@ivandjordjevic

I encountered a problem with signing .app files using signtool.exe after switching to a new code signing certificate. Previously, I used a .pfx file locally, but since transitioning to the new setup, signtool successfully signs .dll and other file types, but fails with .app files.

I am using Install-NAVSipCryptoProviderFromNavContainer to get the NavSip.dll file but still get the same issue. I've also updated the ContainerHelper library and tried different versions of the SDK.

Scripts used

```powershell
# Define variables
$containerName = "dev2"
$signtoolPath = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86\signtool.exe"
$timestampUrl = "http://ts.ssl.com"
$certThumbprint = "[CERTIFICATE THUMBPRINT]"
$appFilePath = "C:\temp\sign\test.app"

# Step 1: Install the required NAVSipCryptoProvider from the specified container
Install-NAVSipCryptoProviderFromNavContainer -containername $containerName

# Step 2: Use Invoke-Expression to run signtool.exe with the defined variables
Invoke-Expression "& '$signtoolPath' sign /fd sha256 /tr $timestampUrl /td sha256 /sha1 $certThumbprint '$appFilePath'"
```

Full output of scripts

```text
Copy SIP crypto provider from container dev2
Copy from container dev2 (C:\Windows\System32\NavSip.dll) to C:\Windows\System32\NavSip.dll
Copy from container dev2 (C:\Windows\SysWow64\NavSip.dll) to C:\Windows\SysWow64\NavSip.dll
Cannot find path 'C:\Windows\SysWow64\NavSip.dll' because it does not exist.

Container Free Physical Memory: 15.4Gb
Disk C: Free 121Gb from 127Gb

Services in container dev2:
C:\Windows\SysWow64\NavSip.dll doesn't exist.
C:\Windows\System32\NavSip.dll successfully registered.
Done Adding Additional Store

Number of errors: 1

signtool.exe : SignTool Error: This file format cannot be signed because it is not recognized.
At line:1 char:1
+ & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86\signto ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (SignTool Error:...not recognized.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

SignTool Error: An error occurred while attempting to sign: C:\temp\sign\test.app
...
```

The dev2 container is using insider version BC 24.6.24915.0.
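An added diagnostic, not part of this issue or of BcContainerHelper: it reads the PE header of the signtool.exe being invoked to find its bitness, then checks whether the NavSip.dll copy for that bitness is present. In the output above the SysWow64 copy is reported missing while the script calls the x86 signtool, which is the combination this check flags. The function names are mine, the System32/SysWOW64 mapping follows the WoW64 layout, and the check covers file presence only, not SIP registry registration.

```powershell
function Get-PeMachine {
    # Return the architecture of a PE file from its COFF header Machine field.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header starts with 'MZ'; e_lfanew (offset of 'PE\0\0') lives at 0x3C
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "Not a PE file: $Path" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # Machine is the first 2 bytes of the COFF header, right after the 4-byte 'PE\0\0' signature
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        0xAA64  { 'arm64' }
        default { 'unknown (0x{0:X4})' -f $machine }
    }
}

function Test-NavSipForSignTool {
    # Report which NavSip.dll copy the given signtool.exe would need and whether it exists.
    param([Parameter(Mandatory)][string]$SignToolPath)
    $arch = Get-PeMachine -Path $SignToolPath
    # A SIP DLL is loaded into signtool's own process, so the copy that matters is the one
    # for signtool's bitness: System32 for 64-bit, SysWOW64 for 32-bit (WoW64 layout; assumption)
    $sipPath = switch ($arch) {
        'x64'   { Join-Path $env:windir 'System32\NavSip.dll' }
        'x86'   { Join-Path $env:windir 'SysWOW64\NavSip.dll' }
        default { throw "Unsupported signtool architecture: $arch" }
    }
    [pscustomobject]@{
        SignTool     = $SignToolPath
        Architecture = $arch
        ExpectedSip  = $sipPath
        SipPresent   = Test-Path -LiteralPath $sipPath
    }
}

# Constructed usage with the signtool path from the script above
Test-NavSipForSignTool -SignToolPath "C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86\signtool.exe"
```

A result with `SipPresent` false for the x86 tool means the 32-bit SIP is absent, so that signtool cannot recognize .app files even though the 64-bit copy registered successfully.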

@ivandjordjevic
Author

This issue is similar to #3089, but I don't see any follow-up or resolution there.

@freddydk
Contributor

freddydk commented Oct 13, 2024

You should instead use dotnet sign to sign your app (like we do in AL-Go for GitHub).

Installing dotnet sign like here: https://github.com/microsoft/AL-Go/blob/e5f2df3b796102c8ef4b018e797550e974b5554a/Actions/Sign/Sign.psm1#L7

and signing like this: https://github.com/microsoft/AL-Go/blob/e5f2df3b796102c8ef4b018e797550e974b5554a/Actions/Sign/Sign.psm1#L60

The dotnet sign tool automatically gets the NAVSip from a NuGet package.

@ivandjordjevic
Author

@freddydk - I don't think we have that option of signing by using the certificates from Azure Key Vault with SSL.com after our renewal:
https://www.ssl.com/how-to/code-signing-with-azure-key-vault/

Their recommendation for .app files is to use signtool.exe once Business Central is installed. However, even with BC installed and NavSip.dll copied using Install-NAVSipCryptoProviderFromNavContainer, I'm still getting the '.app format is not recognized' error.
https://www.ssl.com/how-to/automate-ev-code-signing-with-signtool-or-certutil-esigner/#ftoc-heading-28

@freddydk
Contributor

If you have the certificate in Azure KeyVault - you can use dotnet sign.
You can also use signtool - but none of these options are (or will be) supported from BcContainerHelper.
