code-signing-final/All/Sign Using OV Cert.md
# Purpose
We're going to look at how to create a server setup file that doesn't trigger user-unfriendly security prompts. This setup file will contain another signed file that launches a basic web server. The setup file will create the server file and a firewall rule for it. We will build two files (`setup.go` and `server.go`) separately.
# The Server File
We're creating our web server file, building it and signing the application.
## Creating the Server File
First of all, you'll want to install Golang (https://golang.org/dl/) and Git for Windows (https://git-scm.com/download/win).
Then you'll want to install [goversioninfo](https://github.com/josephspurrier/goversioninfo) by running the following in a command prompt:
```
go get github.com/josephspurrier/goversioninfo/cmd/goversioninfo
```
This will allow us to set the name of the program, version, publisher name, etc.
Download `server.go` by running the following in a command prompt:
```
# Download the server file.
powershell -Command Invoke-WebRequest -OutFile server.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/server.go
```
### Custom Port
If you want the server to listen on a port other than port 80, you can edit this line in the `server.go` file:
```
port := flag.String("p", "80", "port to serve on")
```
Change "80" to whatever port you want to use.
## Version Info
```
# Download a pre-made config file for goversioninfo:
powershell -Command Invoke-WebRequest -OutFile versioninfo.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/versioninfo.json
```
This will create a configuration file named `versioninfo.json` in the current directory. There are three things you will want to edit: (1) the version of the application, (2) the "publisher" or company name, and (3) the product name.
![](versioninfo.png)
Near the top of the file, you will see `FileVersion` and `ProductVersion`.
You can set normal major, minor, patch and build versions for those values. The `FileVersion` is the version of the file and `ProductVersion` is the version of the application as a whole. You can most likely use the same version for both unless you're doing something unusual. You will set the same values again under `StringFileInfo`.
Next, you can set the "publisher name" by filling in the `CompanyName` value with the name of your organization.
Lastly, you can give your application a name, like "Go Web Server" under the `ProductName` value.
```
# Generate the info goversioninfo needs by running the following in a command prompt:
go generate
# Next, build your server app.
go build -o server.exe -ldflags "-s -w -H=windowsgui"
```
You will want to sign your application; the next section will show you how.
# Signing the Setup File
### Getting a Code Signing Certificate
Be aware that you will likely need to create a Dun & Bradstreet listing to get an "organization" code-signing certificate: https://www.dandb.com/businessdirectory/products/ (this is free)
You can purchase a code-signing certificate here: https://cheapsslsecurity.com/comodo/codesigningcertificate.html
The validation process will take 1-3 business days if your information is correct and you give them your D-U-N-S (Dun & Bradstreet) number. After you receive an email containing a link to the certificate, follow these directions in the **exact same** browser as the one you used to request the certificate: https://cheapsslsecurity.com/downloads.aspx?ispdf=true&iscs=true&filenm=Comodo_Code_Signing_Collection_Guide.pdf
Put this certificate in the same folder as your `server.exe` file.
### Signing the File
Next, you will need to install Visual Studio. You can download Visual Studio here: https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community
In the install process, you will be greeted with this screen:
![](windowsdev.png)
Choose the "Universal Windows Platform Development" workload. After you have finished installing Visual Studio, open a "Developer Command Prompt for VS". Navigate to the folder your `server.exe` file is in.
![](developerprompt.png)
```
# Sign a file with your certificate. Replace the code-signing certificate and password values with your own.
SignTool sign /t http://timestamp.comodoca.com /f codesigning.p12 /p <Password> server.exe
```
![](signfile.png)
You should see something like this:
![](donesigning.png)
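A post-signing check worth running before you ship, as an added example script that is not part of the original guide: it runs `Get-AuthenticodeSignature` over the built binaries and fails if any is unsigned, not trusted on this machine, missing a timestamp, or signed by a certificate other than your organization's. `$ExpectedPublisher` is a placeholder for the `CompanyName` you put in `versioninfo.json`, and it is assumed to match the `O=` field of your certificate's subject.

```powershell
# Added example (not from the original guide). Verifies the Authenticode
# signature on the binaries produced above. Run it from the folder that
# holds server.exe and setup.exe.
param(
    [string[]]$Files = @('server.exe', 'setup.exe'),
    [string]$ExpectedPublisher = 'Example Org LLC'   # placeholder: your CompanyName
)

$failed = $false
foreach ($file in $Files) {
    if (-not (Test-Path $file)) {
        Write-Error "${file}: file not found"
        $failed = $true
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $file

    # 'Valid' means the hash matches and the chain is trusted on this machine.
    # 'NotSigned', 'NotTrusted' or 'HashMismatch' are what produce the
    # unknown-publisher prompts this guide is trying to avoid.
    if ($sig.Status -ne 'Valid') {
        Write-Error "${file}: signature status is $($sig.Status) ($($sig.StatusMessage))"
        $failed = $true
        continue
    }

    # The /t option above countersigns with a timestamp server. Without that
    # countersignature the signature stops validating when the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        Write-Error "${file}: signed but not timestamped"
        $failed = $true
    }

    # Make sure the organization's certificate was used, not a stray test or
    # developer certificate that happened to be in the store. The O= value is
    # quoted in the subject when it contains a comma, so allow an optional quote.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch ('O="?' + [regex]::Escape($ExpectedPublisher))) {
        Write-Error "${file}: unexpected signer '$subject'"
        $failed = $true
    } else {
        Write-Host "${file}: OK, signed by '$subject', certificate expires $($sig.SignerCertificate.NotAfter)"
    }
}

if ($failed) { exit 1 }
```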
# The Setup File
Now we're going to create the setup file, which will create the firewall rule we need and "create" the server file for us.
```
# Download the setup file.
powershell -Command Invoke-WebRequest -OutFile setup.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.go
# And the manifest file to allow it to have administrator privileges.
powershell -Command Invoke-WebRequest -OutFile setup.exe.manifest https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.exe.manifest
```
Rename `server.go` to `server.go_` so that `go build` does not try to compile it together with `setup.go` (both are `package main` with their own `main` function).
## Put the Server File In the Setup File
We need to install `fileb0x` to be able to store our server file `server.exe` in our setup file `setup.exe`.
```
# Install fileb0x
go get -u github.com/UnnoTed/fileb0x
```
Download a pre-made configuration file by running this in the command prompt:
```
# Download the config file.
powershell -Command Invoke-WebRequest -OutFile b0x.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/b0x.json
```
```
# Create a fileb0x
fileb0x b0x.json
```
This will create a folder named `static` with a file in it. You will then need to copy that folder to your `$GOPATH/src/` (usually `C:\Users\<Username>\go\src\`).
```
# Use the right config for goversioninfo
go generate
# Build the setup application.
go build -o setup.exe -ldflags "-s -w -H=windowsgui"
```
Refer back to the instructions on [How to Sign a File](#signing-the-file) to sign your setup file as well. Then you're done! Just run `setup.exe` wherever you want and it will set up your server for you. If you ever move `server.exe`, you will need to run `setup.exe` again to set up a new firewall rule for the new location.
# Changing the Password on a Signing File
If you want to change the password on a code-signing file, you can use `keytool` on Linux like this:
```
keytool -importkeystore \
-srckeystore "${SRCFILE}" -srcstoretype PKCS12 -srcstorepass:file ssp \
-destkeystore "${DSTFILE}" -deststoretype PKCS12 -deststorepass:file dsp -destkeypass:file dsp
```
`SRCFILE` is the file you want to change your password on, `DSTFILE` is what the new file with the new password will be called. `ssp` is the password of the current file stored in a file. `dsp` is the password of the new file stored in a file. You will see something like this:
```
Importing keystore rootgroup.p12 to rootgroup2.p12...
Entry for alias the root group, llcs sectigo limited id successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
```
You can find more information about how this works at the source: https://stackoverflow.com/a/50900084
## Service
```
# Download the task file.
powershell -Command Invoke-WebRequest -OutFile Server.xml https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/Server.xml
```
To change which file is launched as administrator on boot, edit this line of the `Server.xml` file and replace the path in quotes:
```
<Command>"C:\Users\Josh\Downloads\server.exe"</Command>
```
Run a command prompt as administrator, then run:
```
# Create task based off the XML.
SCHTASKS /create /XML "Server.xml" /tn "Task Name"
```
You're done! It will launch your program as administrator by default on boot.