Windows signing

In order to do Windows signing, the following actions/configurations are required:

  • The product is created with a configuration which supports Windows signing.
  • The Windows signing certificate is issued from an external root.
    • For production signing, get a code signing certificate from a trusted Certificate Authority.

Product configuration

Windows signing uses a certificate from an external Certificate Authority.

Because of that, setting up a Windows signing product includes the following steps:

  1. Create a product for Windows signing.
    1. See the Windows Signing chapter under the Product usage guide chapter.
  2. Download a CSR from the signing service.
  3. Issue a code signing certificate from a Certificate Authority.
    1. For production signing, use a trusted Certificate Authority.
    2. Details for this are not covered in this guide.
  4. Upload the code signing certificate chain to the Windows product on the signing service.

Download a CSR for windows signing

The CSR is included in the product details; fetch the product details and read the CSR from the JSON path caInfo[0].csr:

GET urlpath: api/v1/products/

Response example:

{
    "caInfo": [
        {
            "certificateType": "ENDENTITY",
            "cn": "Windows signing only",
            "crlDistributionPoints": null,
            "csr": "MIICZDCCAUwCAQAwHzEdMBsGA1UEAxMUV2luZG93cyBzaWduaW5nIG9u...",
            "description": "End-Entity certificate for Windows codesigning",
            "id": "144135d3-5a8b-4d9e-9392-fcaa6107a687",
            "keyType": "RSA2048",
            "leafs": [],
            "policyIdentifiers": null,
            "profileID": "a7ac3fea-c545-4ab3-adcf-e0734210e0d3",
            "state": 256,
            "useCase": "WinSigning"
        }
    ],
    "description": "Windows endentity signing for year 2025",
    "externalRequestID": "12e592ee-de02-d9f0-edb0-a4c5b119c53a",
    "id": "25e45354-69cb-486d-8de5-c870a21fddf4",
    "name": "Windows signing only",
    "productConfigItems": [],
    "productOperations": [
        {
            "approvalRule": {
                "allowedGroups": [
                    "e31fba5e-c266-4493-ac9b-eee85fc8d668"
                ],
                "approvalGroups": [
                    "76c9e42b-3f20-47f0-8d99-7c682cdf50fb"
                ],
                "blanketGroups": [
                    ""
                ],
                "description": "Rule used for testing for Windows signing only",
                "name": "approval rule"
            },
            "description": "Sign Windows",
            "id": "485cbe52-ce5f-4972-8915-2840cd1031e2",
            "name": "Windows signing",
            "operationType": "SignWindowsBinary",
            "profileID": "00000000-0000-0000-0000-000000000000"
        }
    ],
    "productType": "Production",
    "rndKeys": [],
    "state": 16
}

Upload code signing certificate chain to signing service

After the code signing certificate is issued, it needs to be uploaded to the signing service.

When uploading, the full certificate chain up to the root needs to be included in the submission.

You need the following information for the chain upload:

  1. The CAID from the product details, JSON path caInfo[0].id
  2. The full certificate chain in PEM format, combined into a single file that includes the code signing certificate

Base64-encode the certificate chain file for the upload body:

base64 -w0 combined_chain.pem

Upload the code signing certificate chain to the signing service.

PATCH urlpath: api/v1/cas/cas/

Body:

{
    "chain": "c3ViamVjdD1DTiA9IFdpbmRvd3Mgc2lnbmluZwppc3N1ZXI..."
}
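The CSR download and chain upload steps above, worked through in Python. This is an added example and not the signing service's own tooling; it assumes (none of which the page states) a service base URL, a bearer-token Authorization header, and that the CAID is appended to the PATCH path. The sample CSR and certificate blocks are constructed fake DER blobs; the only page value used is the caInfo id, and the PAGE_BODY_PREFIX constant is the start of the page's own example PATCH body, decoded to show that the uploaded value is the base64 of the whole PEM bundle (complete with openssl's subject=/issuer= text lines), not raw DER.

```python
"""Helpers for the Windows signing CSR download and chain upload steps.

Added example, not part of the signing service's own tooling. Assumed (not on
the page): base URL, bearer-token auth, CAID as the PATCH path parameter.
"""
import base64
import json
import urllib.request

CSR_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
CSR_FOOTER = "-----END CERTIFICATE REQUEST-----"
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"


def csr_to_pem(product: dict) -> str:
    """Wrap caInfo[0].csr (base64 DER from GET api/v1/products/) into a PEM
    file that a Certificate Authority will accept."""
    csr_b64 = product["caInfo"][0]["csr"]
    # Sanity check: a DER CertificationRequest is an ASN.1 SEQUENCE (0x30).
    if base64.b64decode(csr_b64)[0] != 0x30:
        raise ValueError("caInfo[0].csr is not a DER-encoded CSR")
    body = "\n".join(csr_b64[i:i + 64] for i in range(0, len(csr_b64), 64))
    return f"{CSR_HEADER}\n{body}\n{CSR_FOOTER}\n"


def ca_id(product: dict) -> str:
    """The CAID needed for the chain upload (caInfo[0].id)."""
    return product["caInfo"][0]["id"]


def count_pem_certificates(chain_pem: str) -> int:
    """Count CERTIFICATE blocks in the combined PEM file, checking that each
    decodes to DER, so a truncated paste is caught before upload."""
    count, inside, lines = 0, False, []
    for line in chain_pem.splitlines():
        if line.strip() == CERT_HEADER:
            inside, lines = True, []
        elif line.strip() == CERT_FOOTER:
            der = base64.b64decode("".join(lines))
            if not der or der[0] != 0x30:
                raise ValueError("certificate block is not valid DER")
            count += 1
            inside = False
        elif inside:
            lines.append(line.strip())
    return count


def build_chain_upload(chain_pem: str) -> dict:
    """Build the PATCH body: the whole combined chain file, base64-encoded
    without line breaks (the same value `base64 -w0 combined_chain.pem` prints)."""
    if count_pem_certificates(chain_pem) < 2:
        raise ValueError("chain must hold the code signing cert plus its issuers up to the root")
    return {"chain": base64.b64encode(chain_pem.encode()).decode()}


def decode_chain_body(body: dict) -> str:
    """Inverse of build_chain_upload; pads so a truncated example body decodes too."""
    b64 = body["chain"]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode()


def upload_chain(base_url: str, token: str, caid: str, body: dict) -> int:
    """PATCH the chain to api/v1/cas/cas/<CAID>. Assumption: bearer auth and
    CAID as path parameter; adjust to the service's actual contract."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/cas/cas/{caid}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample data: fake DER blobs, not a real CSR or certificates.
# The caInfo id is the one from the product details example on this page.
SAMPLE_PRODUCT = {"caInfo": [{
    "id": "144135d3-5a8b-4d9e-9392-fcaa6107a687",
    "csr": base64.b64encode(b"\x30\x82" + b"\x00" * 120).decode(),
}]}
_FAKE_CERT = base64.b64encode(b"\x30\x82" + b"\x01" * 40).decode()
SAMPLE_CHAIN = "\n".join([CERT_HEADER, _FAKE_CERT, CERT_FOOTER,
                          CERT_HEADER, _FAKE_CERT, CERT_FOOTER]) + "\n"
# Start of the page's own example PATCH body; decodes to the head of a PEM
# bundle written with openssl's "subject=" / "issuer=" text lines.
PAGE_BODY_PREFIX = "c3ViamVjdD1DTiA9IFdpbmRvd3Mgc2lnbmluZwppc3N1ZXI"

if __name__ == "__main__":
    print(csr_to_pem(SAMPLE_PRODUCT))
    print(decode_chain_body({"chain": PAGE_BODY_PREFIX}))
    print(build_chain_upload(SAMPLE_CHAIN))
```

Write the PEM from csr_to_pem to a file and hand that to the CA; once the certificate is back, concatenate it with its issuers (leaf first, root last) into one file, run count_pem_certificates on it to catch a broken paste, and PATCH the body from build_chain_upload using the id returned by ca_id.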

Input data for Windows signing

The input is a tar.gz file containing a request.json file and an input file for signing, denoted by the fileName variable in the request.json.

request.json:

{
 "fileName": "putty.exe",
 "hashAlg": "SHA256",
 "name": "Test signed putty",
 "URL": "https://appsigning.test.com",
 "type": "PE",
 "timestamp": true,
 "nestSignature": false
}

Field descriptions:

  • fileName: name of the input file inside the tar.gz that will be signed.
  • hashAlg: SHA256 by default; SHA1 and SHA256 are supported.
  • name: this field goes into the signature structure as the Name.
  • URL: this field goes into the signature structure as the URL.
  • type: PE, CAB and MSI are supported.
  • timestamp: set to true to enable timestamping; false by default.
  • nestSignature: set to true to append the signature instead of replacing it; false by default.

hashAlg, URL and timestamp fields may be omitted.

The type field has a few underlying mechanisms, which are documented below:

  • MSI: enables the -add-msi-dse flag when signing the package, which applies some additional signatures to the package
  • CAB: enables support for correctly calculating signatures for CAB archives containing Java files

You may sign an MSI file without the additional flag by setting the type to PE in the request.

Example of putty.tar.gz file contents

$ tar -tvf putty.tar.gz 
-rw-rw-r-- xzr/xzr      524288 2015-02-28 17:42 putty.exe
-rw-rw-r-- xzr/xzr         169 2022-04-11 11:28 request.json
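Building the input bundle described above (request.json plus the file to sign, packed as tar.gz) in Python, with the request fields validated against the set this page documents before anything is submitted. This is an added example and not the signing service's own client; SAMPLE_PAYLOAD is a constructed byte string standing in for putty.exe, not a real executable.

```python
"""Build and inspect the tar.gz input bundle for Windows signing.

Added example, not the service's own client. Relies only on the request.json
field set documented on this page.
"""
import io
import json
import tarfile

SUPPORTED_TYPES = {"PE", "CAB", "MSI"}
SUPPORTED_HASHES = {"SHA1", "SHA256"}


def build_request(file_name: str, name: str, *, file_type: str = "PE",
                  hash_alg: str = "SHA256", url: str = "",
                  timestamp: bool = False, nest_signature: bool = False) -> dict:
    """Validate the fields locally so a typo is caught before the upload.
    hashAlg and timestamp are optional fields but are written explicitly;
    URL is only written when given."""
    if file_type not in SUPPORTED_TYPES:
        raise ValueError(f"type must be one of {sorted(SUPPORTED_TYPES)}")
    if hash_alg not in SUPPORTED_HASHES:
        raise ValueError(f"hashAlg must be one of {sorted(SUPPORTED_HASHES)}")
    req = {"fileName": file_name, "hashAlg": hash_alg, "name": name}
    if url:
        req["URL"] = url
    req.update({"type": file_type, "timestamp": timestamp,
                "nestSignature": nest_signature})
    return req


def make_input_bundle(request: dict, payload: bytes) -> bytes:
    """Return the tar.gz bytes: the binary under request['fileName'] followed
    by request.json, matching the putty.tar.gz listing on this page."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = ((request["fileName"], payload),
                   ("request.json", json.dumps(request, indent=1).encode()))
        for member_name, data in members:
            info = tarfile.TarInfo(member_name)
            info.size = len(data)
            info.mode = 0o664
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_bundle(bundle: bytes) -> dict:
    """Read a bundle back (what `tar -tvf` shows) and cross-check that
    request.json names a member that is actually present."""
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        members = {m.name: m.size for m in tar.getmembers()}
        req = json.load(tar.extractfile("request.json"))
    if req["fileName"] not in members:
        raise ValueError(f"request.json names {req['fileName']!r} but it is not in the archive")
    return {"members": members, "request": req}


# Constructed stand-in for putty.exe: only the MZ magic, not a real binary.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    request = build_request("putty.exe", "Test signed putty",
                            url="https://appsigning.test.com", timestamp=True)
    bundle = make_input_bundle(request, SAMPLE_PAYLOAD)
    print(inspect_bundle(bundle))
```

For a real submission, read the binary from disk into payload, write the returned bytes to putty.tar.gz, and run inspect_bundle on the file before uploading; the fileName cross-check is the one the service would otherwise reject on.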