root
/
code-signing-final
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
How to use a code signing certificate for Windows 10 so that the UAC prompts don't show warnings.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
446 KiB
 
Tree: ca1e8b730a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ca1e8b730a'
${ noResults }
code-signing-final/All/Sign Using OV Cert.md

6.6 KiB
Raw Blame History

Purpose

We're going to be looking at how to create a server setup file that doesn't trigger any prompts that aren't user friendly. This setup file will contain another signed file that will launch a basic web server. The setup file will create the server file and a firewall rule for the server file. We will be building two files (setup.go and server.go) separately .

The Server File

We're creating our web server file, building it and signing the application.

Creating the Server File

Create a file named server.go and add the following:

//go:generate goversioninfo

package main

import (
	"flag"
	"log"
	"net/http"
)

func main() {

	port := flag.String("p", "8100", "port to serve on")
	directory := flag.String("d", ".", "the directory of static file to host")
	flag.Parse()

	http.Handle("/", http.FileServer(http.Dir(*directory)))

	log.Printf("Serving %s on HTTP port: %s\n", *directory, *port)
	log.Fatal(http.ListenAndServe(":"+*port, nil))
}

Windows 10 will happily create server.go.txt if you don't turn off hidden file extensions and leave you wondering what's wrong with your Go install.

First of all, you'll want to install Golang: https://golang.org/dl/ Then you'll want to install goversioninfo by running the following in a command prompt:

go get github.com/josephspurrier/goversioninfo/cmd/goversioninfo

This will allow us to set the name of the program, version, publisher name, etc.

# Add this to the top of your server go file.
//go:generate goversioninfo
# Then generate the configuration by running the following in a command prompt:
go generate

This will create a configuration file named versioninfo.json in the current directory. There are three things you will want to edit: 1. The version of the application, 2. The "publisher" or company name and 3. The product name.

Near the top of the file, you will see FileVersion and ProductVersion. You can set normal major, minor, patch and build versions for those values. The FileVersion is the version of the file and ProductVersion is the version of the application as a whole. You can most likely use the same version for both unless you're doing something unusual. You will set the same values again under StringFileInfo.

Next, you can set the "publisher name" by filling in the CompanyName value with the name of your organization.

Lastly, you can give your application a name, like "Go Web Server" under the ProductName value.

# Next, build your server app.
go build

You will want to sign your application, the next section will show you how.

Signing the Setup File

Getting a Code Signing Certificate

Be aware that you will likely need to create a Dun & Bradstreet listing to get an "organization" code-signing certificate: https://www.dandb.com/businessdirectory/products/ (this is free)

You can purchase a code-signing certificate here: https://cheapsslsecurity.com/comodo/codesigningcertificate.html The validation process will take 1-3 business days if your information is correct and you give them your D-U-N-S (Dun & Bradstreet) number. After you receive an email containing a link to the certificate, follow these directions in the exact same browser as the one you used to request the certificate : https://cheapsslsecurity.com/downloads.aspx?ispdf=true&iscs=true&filenm=Comodo_Code_Signing_Collection_Guide.pdf

Signing the File

[Screenshot] Next, you will need to install Visual Studio. You can download Visual Studio here: https://visualstudio.microsoft.com/thank-you-downloading-visual-studio/?sku=Community&rel=16

In the install process, you will be greeted with this screen:

Choose the "Universal Windows Platform Development" workload. After you have finished installing Visual Studio, open a "Developer Command Prompt for VS".

# Sign a file with your certificate.
SignTool sign /t http://timestamp.comodoca.com /f codesigning.p12 /p <Password> file.exe

You should see something like this:

The Setup File

Now we're going to create the setup file that will create the firewall rule we need and "create" the server file for us.

Firewall Rule

We are using Powershell to create the firewall rule, so we're going to install go-powershell.

# Install go-powershell
go get github.com/aquasecurity/go-powershell

Create a file named setup.go and include the following:

//go:generate goversioninfo -manifest=setup.exe.manifest
//Add a new firewall rule in Go.

package main

import (
	"os"
	"fmt"
	"log"
	"static" // Create fileb0x before this will work.
	"io/ioutil"
	ps "github.com/aquasecurity/go-powershell"
	"github.com/aquasecurity/go-powershell/backend"
)

func main() {

  // Grab files from virtual filesystem
	files, err := static.WalkDirs("", false)
	if err != nil {
		log.Fatal(err)
		log.Println("ALL FILES", files)
	}

  // here we'll read the file from the virtual file system
	b, err := static.ReadFile("server.exe")
	if err != nil {
		log.Fatal(err)
	}

  // Copy file from virtual filesystem to real filesystem
	err = ioutil.WriteFile("server.exe", b, 0644)
        if err != nil {
                fmt.Println("Error creating", "server.exe")
                fmt.Println(err)
                return
        }

	// choose a backend
	back := &backend.Local{}

	// start a local powershell process
	shell, err := ps.New(back)
	if err != nil {
		panic(err)
	}
	defer shell.Exit()

  // Set 'dir' to the current working directory.
	dir, err := os.Getwd()
	if err != nil {
		log.Fatal(err)
  }

	// Create the correct Poweshell rule with the working directory from 'dir'
	var cmd string = "-WindowStyle Hidden New-NetFirewallRule -DisplayName 'Name of Rule' -Direction Inbound -Program '" + dir + "\\server.exe' -Action Allow > NULL"
	// Run the command.
	stdout, stderr, err := shell.Execute(cmd)
		if err != nil {
			panic(err)
			fmt.Println(stderr)
		}
		fmt.Println(stdout)
}

Then create another file called setup.exe.manifest containing:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
            </requestedPrivileges>
        </security>
    </trustInfo>
</assembly>

Rename server.go to server.go_

# Build the setup application.
go build -o setup.exe -ldflags "-s -w -H=windowsgui"

Put Server File In Setup File

fileb0x