code-signing-final/All/Sign Using OV Cert.md

7.6 KiB
Raw Blame History

Purpose

We're going to be looking at how to create a server setup file that doesn't trigger any prompts that aren't user friendly. This setup file will contain another signed file that will launch a basic web server. The setup file will create the server file and a firewall rule for the server file. We will be building two files (setup.go and server.go) separately .

The Server File

We're creating our web server file, building it and signing the application.

Creating the Server File

First of all, you'll want to install Golang: https://golang.org/dl/ and Git for Windows: https://git-scm.com/download/win

Then you'll want to install goversioninfo by running the following in a command prompt:

go get github.com/josephspurrier/goversioninfo/cmd/goversioninfo

This will allow us to set the name of the program, version, publisher name, etc.

Download server.go by running the following in a command prompt:

# Download the server file.
powershell -Command Invoke-WebRequest -OutFile server.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/server.go

Custom Port

If you want the server to listen on a port other than port 80, you can edit this line in the server.go file:

port := flag.String("p", "80", "port to serve on")

Change "80" to whatever port you want to use.

Version Info

# Download a pre-made config file for goversioninfo:

powershell -Command Invoke-WebRequest -OutFile versioninfo.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/versioninfo.json

This will create a configuration file named versioninfo.json in the current directory. There are three things you will want to edit: 1. The version of the application, 2. The "publisher" or company name and 3. The product name.

Near the top of the file, you will see FileVersion and ProductVersion. You can set normal major, minor, patch and build versions for those values. The FileVersion is the version of the file and ProductVersion is the version of the application as a whole. You can most likely use the same version for both unless you're doing something unusual. You will set the same values again under StringFileInfo.

Next, you can set the "publisher name" by filling in the CompanyName value with the name of your organization.

Lastly, you can give your application a name, like "Go Web Server" under the ProductName value.

# Generate the info goversioninfo needs by running the following in a command prompt:
go generate
# Next, build your server app.
go build -o server.exe -ldflags "-s -w -H=windowsgui"

You will want to sign your application, the next section will show you how.

Signing the Setup File

Getting a Code Signing Certificate

Be aware that you will likely need to create a Dun & Bradstreet listing to get an "organization" code-signing certificate: https://www.dandb.com/businessdirectory/products/ (this is free)

You can purchase a code-signing certificate here: https://cheapsslsecurity.com/comodo/codesigningcertificate.html The validation process will take 1-3 business days if your information is correct and you give them your D-U-N-S (Dun & Bradstreet) number. After you receive an email containing a link to the certificate, follow these directions in the exact same browser as the one you used to request the certificate : https://cheapsslsecurity.com/downloads.aspx?ispdf=true&iscs=true&filenm=Comodo_Code_Signing_Collection_Guide.pdf

Put this certificate in the same folder as your server.exe file.

Signing the File

Next, you will need to install Visual Studio. You can download Visual Studio here: https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community

In the install process, you will be greeted with this screen:

Choose the "Universal Windows Platform Development" workload. After you have finished installing Visual Studio, open a "Developer Command Prompt for VS". Navigate to the folder your server.exe file is in.

# Sign a file with your certificate. Replace the code-signing certificate and password values with your own.
SignTool sign /t http://timestamp.comodoca.com /f codesigning.p12 /p <Password> server.exe

You should see something like this:

The Setup File

Now we're going to create the setup file that will create the firewall rule we need and "create" the server file for us.

# Download the server file.
powershell -Command Invoke-WebRequest -OutFile setup.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.go
# And the manifest file to allow it to have administrator privileges.
powershell -Command Invoke-WebRequest -OutFile setup.exe.manifest https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.exe.manifest

Rename server.go to server.go_

Put the Server File In the Setup File

We need to install fileb0x to be able to store our server file server.exe in our setup file setup.exe.

# Install fileb0x
go get -u github.com/UnnoTed/fileb0x

Download a pre-made configuration file by running this in the command prompt:

# Download the config file.
powershell -Command Invoke-WebRequest -OutFile b0x.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/b0x.json
# Create a fileb0x
fileb0x b0x.json

This will create a folder named static with a file in it. You will then need to copy that folder to your $GOPATH/src/ (usually C:\Users\<Username>\go\src\).

# Use the right config for goversioninfo
go generate
# Build the setup application.
go build -o setup.exe -ldflags "-s -w -H=windowsgui"

Refer back to the instructions on How to Sign a File to sign your setup file as well. Then you're done! Just run setup.exe wherever you want it will setup your server for you. If you ever more server.exe, you will need to run setup.exeagain to setup a new firewall rule at a new location.

Changing the Password on a Signing File

If you want to change your password on a code-signing file you can use keystore in Linux like this:

keytool -importkeystore \
    -srckeystore "${SRCFILE}" -srcstoretype PKCS12 -srcstorepass:file ssp \
    -destkeystore "${DSTFILE}" -deststoretype PKCS12 -deststorepass:file dsp -destkeypass:file dsp

SRCFILE is the file you want to change your password on, DSTFILE is what the new file with the new password will be called. ssp is the password of the current file stored in a file. dsp is the password of the new file stored in a file. You will see something like this:

Importing keystore rootgroup.p12 to rootgroup2.p12...
Entry for alias the root group, llcs sectigo limited id successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

You can find more information about how this works at the source: https://stackoverflow.com/a/50900084

Service

# Download the task file.
powershell -Command Invoke-WebRequest -OutFile Server.xml https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/Server.xml

To change what file will be launched as administrator on boot, edit this line of the Server.xml file and replace the path in quotes.

<Command>"C:\Users\Josh\Downloads\server.exe"</Command>

Run a command prompt as administrator, then run:

# Create task based off the XML.
SCHTASKS /create /XML "Server.xml" /tn "Task Name"

You're done! It will launch your program as administrator by default on boot.