Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call getCertificatePublisher only when publisher not set #155

Closed
wants to merge 1 commit into from
Closed

Call getCertificatePublisher only when publisher not set #155

wants to merge 1 commit into from

Conversation

zobo
Copy link

@zobo zobo commented Oct 24, 2022

When trying to sign MSIX with a certificate from the certificate store and not from PFX file, we can achieve this by setting our own signtool_options like this:

msix_config:
  display_name: Flutter App
  publisher_display_name: Company Name
  identity_name: company.suite.flutterapp
  msix_version: 1.0.0.0
  logo_path: C:\path\to\logo.png
  capabilities: internetClient, location, microphone, webcam
  signtool_options: /v /fd SHA256 /a /sha1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /tr http://timestamp.digicert.com
  install_certificate: false

However when running msix:create an error will be thrown:
Get-PfxData : The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Turns out the code tries to get the Certificate Publisher from a PFX - not set.

This patch mitigates the issue by taking the publisher from the config - if it is set.

msix_config:
  ...
  publisher: CN=Company, O=Company,...

I will try to prepare an alternative patch, that will allow alternative certificate selection method

@YehudaKremer
Copy link
Owner

Hello @zobo

I will think of a solution for this bug, thank you 👍

@zobo
Copy link
Author

zobo commented Oct 25, 2022

One thing I wanted to suggest was to create another config variable. You could either use certificatePath and certificatePassword or a new certificateThumbprint. To find the certificate with a (sha1) Thumbprint you can run a Powershell like this:
dir -Recurse cert: | where {$_.Thumbprint -eq "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"} | Format-List -Property Subject

@zobo
Copy link
Author

zobo commented Oct 25, 2022

Yet another suggestion. If the user has a .crt file (only the public part - and thus no certificatePassword set) one could use something like this.

$crt=new-object System.Security.Cryptography.X509Certificates.X509Certificate2("file.crt")
$crt | fl -Property Subject

I think passing only the public part to signtool via /f option is also valid. The system will find the private key alone.

I think the whole thing is important as certificates should not lie around on the file system in PFX format. For EV code signing cert you can't even get the private key. You get a pre-populated certificate hardware token mailed to you, and cloud signing is very much a thing today.
In all cases, you do not have a PFX.

I can provide a patch with these ideas.

@YehudaKremer YehudaKremer mentioned this pull request Oct 29, 2022
Merged
@YehudaKremer
Copy link
Owner

Moving related work to #156.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zobo @YehudaKremer