code-signing-final/All/Sign Using OV Cert.md

# Purpose
We're going to be looking at how to create a server setup file that doesn't trigger any prompts that aren't user friendly. This setup file will contain another signed file that will launch a basic web server. The setup file will create the server file and a firewall rule for the server file. We will be building two files (`setup.go` and `server.go`) separately.
# The Server File
We're creating our web server file, building it and signing the application.
## Creating the Server File
First of all, you'll want to install Golang: https://golang.org/dl/ and Git for Windows: https://git-scm.com/download/win.
Then you'll want to install [goversioninfo](https://github.com/josephspurrier/goversioninfo) by running the following in a command prompt:
```
go get github.com/josephspurrier/goversioninfo/cmd/goversioninfo
```
This will allow us to set the name of the program, version, publisher name, etc.
Download `server.go` by running the following in a command prompt:
```
# Download the server file.
powershell -Command Invoke-WebRequest -OutFile server.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/server.go
```
### Custom Port
If you want the server to listen on a port other than port 80, you can edit this line in the `server.go` file:
```
port := flag.String("p", "80", "port to serve on")
```
Change "80" to whatever port you want to use.
## Version Info
```
# Download a pre-made config file for goversioninfo:
powershell -Command Invoke-WebRequest -OutFile versioninfo.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/versioninfo.json
```
This will create a configuration file named `versioninfo.json` in the current directory. There are three things you will want to edit: 1. The version of the application, 2. The "publisher" or company name and 3. The product name.
![](versioninfo.png)
Near the top of the file, you will see `FileVersion` and `ProductVersion`.
You can set normal major, minor, patch and build versions for those values. The `FileVersion` is the version of the file and `ProductVersion` is the version of the application as a whole. You can most likely use the same version for both unless you're doing something unusual. You will set the same values again under `StringFileInfo`.
Next, you can set the "publisher name" by filling in the `CompanyName` value with the name of your organization.
Lastly, you can give your application a name, like "Go Web Server" under the `ProductName` value.
```
# Generate the info goversioninfo needs by running the following in a command prompt:
go generate
# Next, build your server app.
go build -o server.exe -ldflags "-s -w -H=windowsgui"
```
You will want to sign your application; the next section will show you how.
# Signing the Server File
## Getting a Code Signing Certificate
Be aware that you will likely need to create a Dun & Bradstreet listing to get an "organization" code-signing certificate: https://www.dandb.com/businessdirectory/products/ (this is free)
You can purchase a code-signing certificate here: https://cheapsslsecurity.com/comodo/codesigningcertificate.html The validation process will take 1-3 business days if your information is correct and you give them your D-U-N-S (Dun & Bradstreet) number. After you receive an email containing a link to the certificate, follow these directions in the **exact same** browser as the one you used to request the certificate: https://cheapsslsecurity.com/downloads.aspx?ispdf=true&iscs=true&filenm=Comodo_Code_Signing_Collection_Guide.pdf
Put this certificate in the same folder as your `server.exe` file.
## Signing the File
Next, you will need to install Visual Studio. You can download Visual Studio here: https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community
In the install process, you will be greeted with this screen:
![](windowsdev.png)
Choose the "Universal Windows Platform Development" workload. After you have finished installing Visual Studio, open a "Developer Command Prompt for VS". Navigate to the folder your `server.exe` file is in.
![](developerprompt.png)
```
# Sign a file with your certificate. Replace the code-signing certificate and password values with your own.
SignTool sign /t http://timestamp.comodoca.com /f codesigning.p12 /p <Password> server.exe
```
![](signfile.png)
You should see something like this:
![](donesigning.png)
# The Setup File
Now we're going to create the setup file that will create the firewall rule we need and "create" the server file for us.
```
# Download the setup file.
powershell -Command Invoke-WebRequest -OutFile setup.go https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.go
# And the manifest file to allow it to have administrator privileges.
powershell -Command Invoke-WebRequest -OutFile setup.exe.manifest https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/setup.exe.manifest
```
Rename `server.go` to `server.go_` so that `go build` does not try to compile it together with `setup.go` (both declare `package main`).
## Put the Server File In the Setup File
We need to install `fileb0x` to be able to store our server file `server.exe` in our setup file `setup.exe`.
```
# Install fileb0x
go get -u github.com/UnnoTed/fileb0x
```
Download a pre-made configuration file by running this in the command prompt:
```
# Download the config file.
powershell -Command Invoke-WebRequest -OutFile b0x.json https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/b0x.json
```
```
# Create a fileb0x
fileb0x b0x.json
```
This will create a folder named `static` with a file in it. You will then need to copy that folder to your `$GOPATH/src/` (usually `C:\Users\<Username>\go\src\`).
```
# Use the right config for goversioninfo
go generate
# Build the setup application.
go build -o setup.exe -ldflags "-s -w -H=windowsgui"
```
Refer back to the instructions on [How to Sign a File](#signing-the-file) to sign your setup file as well. Then you're done! Just run `setup.exe` wherever you want and it will set up your server for you. If you ever move `server.exe`, you will need to run `setup.exe` again to set up a new firewall rule for the new location.
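Before you embed `server.exe` or hand out `setup.exe`, it is worth confirming that both really carry a valid, timestamped signature from your own publisher certificate. The following PowerShell is an added example, not part of this repository; `Example Org` is a placeholder for the `CompanyName` you put in `versioninfo.json`.

```powershell
# Added example (not from the original repo): check the Authenticode signature
# that SignTool just applied, instead of trusting the "Successfully signed" line.
function Test-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer's Subject; "Example Org" is a placeholder.
        [string] $ExpectedPublisher = "Example Org"
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File           = $Path
        Status         = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        NotAfter       = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        # Without the countersignature requested via /t (or /tr), the signature
        # stops validating as soon as the code-signing certificate expires.
        Timestamped    = [bool] $sig.TimeStamperCertificate
        PublisherMatch = $false
    }

    if ($result.Signer) {
        $result.PublisherMatch = $result.Signer -like "*$ExpectedPublisher*"
    }

    $result.Ok = ($sig.Status -eq 'Valid') -and $result.Timestamped -and $result.PublisherMatch
    return [pscustomobject] $result
}

# Check whichever of the two binaries from this guide exist in the current folder;
# a build script can use the non-zero exit code to stop before shipping.
$checks = 'server.exe', 'setup.exe' |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Test-SignedBinary -Path $_ -ExpectedPublisher 'Example Org' }

$checks | Format-Table File, Status, Timestamped, PublisherMatch, NotAfter, Ok -AutoSize
if ($checks | Where-Object { -not $_.Ok }) { exit 1 }
```

`signtool verify /pa /v server.exe` from the Developer Command Prompt performs the same check against the default Authenticode policy if you prefer staying in the prompt you signed from.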
# Changing the Password on a Signing File
If you want to change the password on a code-signing file (a PKCS #12 `.p12` file), you can use Java's `keytool` on Linux like this:
```
keytool -importkeystore \
-srckeystore "${SRCFILE}" -srcstoretype PKCS12 -srcstorepass:file ssp \
-destkeystore "${DSTFILE}" -deststoretype PKCS12 -deststorepass:file dsp -destkeypass:file dsp
```
`SRCFILE` is the file whose password you want to change and `DSTFILE` is the name of the new file with the new password. `ssp` is a file containing the current password; `dsp` is a file containing the new password. You will see something like this:
```
Importing keystore rootgroup.p12 to rootgroup2.p12...
Entry for alias the root group, llcs sectigo limited id successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
```
You can find more information about how this works at the source: https://stackoverflow.com/a/50900084
# Service
```
# Download the task file.
powershell -Command Invoke-WebRequest -OutFile Server.xml https://git.rootprojects.org/josh/code-signing-final/raw/branch/master/All/Server.xml
```
To change what file will be launched as administrator on boot, edit this line of the `Server.xml` file and replace the path in quotes.
```
<Command>"C:\Users\Josh\Downloads\server.exe"</Command>
```
Run a command prompt as administrator, then run:
```
# Create task based off the XML.
SCHTASKS /create /XML "Server.xml" /tn "Task Name"
```
You're done! It will launch your program as administrator by default on boot.