Re[4]: Re[2]: Re[2]: Automating EV Signing (Windows Attestation)

Mark,

Yeah, sounds like some Symantec-specific fault. For DigiCert, we
purchased 1 certificate which is our EV cert and I use it to locally
sign binaries using signtool.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
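For readers following the thread, the signtool invocation Pete refers to looks roughly like the script below. This is an added example, not Pete's or KernelDrivers' own script: the thumbprint, file path and timestamp server are placeholders, and the script assumes the EV certificate (with its private key on the vendor's smart card) is already enrolled in the current user's certificate store. It does nothing about the dongle middleware's PIN prompt, which is the part of the process the thread says defeats unattended signing.

```powershell
# Added example: sign a binary with an EV code-signing certificate whose
# private key lives on a smart card, then verify the signature.
$Thumbprint   = "0000000000000000000000000000000000000000"  # placeholder: SHA-1 thumbprint of the EV cert
$Target       = ".\build\mydriver.sys"                          # placeholder: file to sign
$TimestampUrl = "http://timestamp.example.invalid"              # placeholder: RFC 3161 timestamp server

# Check the certificate is visible and has an associated private key before calling signtool,
# so a missing dongle fails here with a clear message instead of a cryptic signtool error.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "EV certificate $Thumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate present but its private key is not accessible (smart card absent?)" }

# /fd SHA256  : file digest algorithm
# /sha1       : pick the signing cert by thumbprint rather than by subject name
# /tr, /td    : RFC 3161 timestamp so the signature outlives the cert's validity period
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy and print the certificate chain.
& signtool.exe verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $Target" }
```

Checking `$LASTEXITCODE` after each call matters in a build pipeline: signtool reports failure through its exit code, and a build that ignores it will happily ship an unsigned or mis-signed binary.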

------ Original Message ------
From: “Mark Roddy”
To: “Windows System Software Devs Interest List”
Sent: 4/26/2017 9:38:42 AM
Subject: Re: Re[2]: [ntdev] Re[2]: Re[2]: Automating EV Signing (Windows
Attestation)

>With the Symantec dongle, there is a checkbox down in the settings page
>of the utility to indicate to only request the password once after a
>user logs into the system. After that you continue to be asked for the
>password, defeating automation. If I had a day or two I would enter the
>hell that is symantec customer support and learn why I am doing it all
>wrong and need to do some other thing first that they didn’t document.
>As my actual signing needs are rare, I’ve just put up with ev signing
>being manual. As ev signing is also really not needed except in some
>cases, I’d really like my ev cert to cough up its non-ev cousin so I
>could release sign everything like I used to.
>
>
>Mark Roddy
>
>On Tue, Apr 25, 2017 at 9:20 AM, PScott
>wrote:
>>
>>Mark,
>>
>>With the DigiCert dongle, there is a checkbox down in the settings
>>page of the utility to indicate to only request the password once
>>after a user logs into the system. After that you are good to go, no
>>more requesting it.
>>
>>Pete
>>
>>–
>>Kernel Drivers
>>Windows File System and Device Driver Consulting
>>www.KernelDrivers.com
>>866.263.9295
>>
>>
>>
>>------ Original Message ------
>>From: “Mark Roddy”
>>To: “Windows System Software Devs Interest List”
>>Sent: 4/24/2017 1:31:21 PM
>>Subject: Re: [ntdev] Re[2]: Re[2]: Automating EV Signing (Windows
>>Attestation)
>>
>>>No what has me confused is
>>>that anyone thinks the dongle-thing doesn’t require manual
>>>intervention every time you try to sign something; and that somehow
>>>a non-ev cert magically appears from an ev cert and that this non-ev
>>>cert can be used as in the past by installing it on a secure build
>>>system and having the secure build system automatically release sign
>>>things without humans having to type shit in.
>>>I think I have to go buy a second non-ev sha2 cert for (2) but would
>>>love to have it 'splained otherwise, and at least with the Symantec
>>>dongle there doesn’t appear to be any way to avoid humans with
>>>fingers, but I would also like to know that some humanoid has managed
>>>to convince the Symantec dongle to be amenable to automation.
>>>
>>>Mark Roddy
>>>
>>>On Mon, Apr 24, 2017 at 9:20 AM, wrote:
>>>>Mark,
>>>>
>>>>If it’s the multiple dongle thing that has you confused. Our EV cert
>>>>(it might be different for others, but I understand that this is the
>>>>EV standard) has the private key on the smart card (dongle). This
>>>>dongle is linked to a specific machine. Moving it around from
>>>>machine to machine is a hassle. Moving it to another machine
>>>>deactivates the first machine and you have to go through a process to
>>>>get it registered with that other machine. Rather than do that I’m
>>>>told (from DigiCert) that you can obtain multiple dongles for the
>>>>same cert. This allows you to register them with multiple machines.
>>>>Ultimately so you can sign with the EV cert on more than one
>>>>machine.
>>>>
>>>>On the Developer Portal Attestation Signing: it’s my experience that
>>>>Microsoft only allows you to store one EV cert on their portal for
>>>>them to acknowledge submissions by. According to Peter he was able
>>>>to convince Microsoft to register a non-EV cert (correct me if I’m
>>>>wrong here Peter) in order to get around the extra security of
>>>>signing a file with an EV cert.
>>>>
>>>>—
>>>>NTDEV is sponsored by OSR
>>>>
>>>>Visit the list online at:
>>>>
>>>>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>>>>software drivers!
>>>>Details at http:
>>>>
>>>>To unsubscribe, visit the List Server section of OSR Online at
>>>
>>
>