At the command prompt, as administrator, I can sign a file with signtool.exe. 15063.137. However, I am signing a file from within in app, and when I execute the same command from within the app, the command fails with an exit code of 1. I'm not 100% sure it's a permissions problem, but I'm guessing that it is. How can I give permission to the user that the app is running under to sign a file.
Do, I need to give the user special permission to use the certificate I am using?
PS: I've tried importing the certificate in to Trusted Publishers for the computer account, but for some reason, the certificate doesn't show up there in mmc.
I run signtool with just a normal-rights command box and I do not see a UAC prompt.
But this is with the certificate exported as a pfx file, for example:
"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\SignTool.exe" sign /f c:\folder\cert.pfx /p PASSWORD /as /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "c:\folder\sub folder\file.exe"
Related
In the SignTool documentation it is said:
/d Specifies a description of the signed content.
Where can I find that description?
One significant place, where the description is shown, is on the UAC prompt, when running a signed application (typically an installer) that needs Administrator privileges:
I'm trying to make a .msi installation package using CMake, CPack, and Wix. The issue is I'm trying to sign the executables and DLLs that are going to be installed.
Currently I am trying to use a custom cmake script by setting CPACK_INSTALL_SCRIPTS
SET( CPACK_INSTALL_SCRIPTS "${CMAKE_CURRENT_LIST_DIR}/signcert.cmake")
And inside signcert.cmake is where I run into issue. I want to use signtool to sign:
execute_process(
COMMAND cmd /c signtool sign /debug /v /sm /fd sha256 /tr http://timestamp.comodoca.com /td sha256 /sha1 ${THUMBPRINT} "${CMAKE_INSTALL_PREFIX}applications/bin/*"
)
The signtool command execute properly when done in a VS Command Console (vcvarsall.bat), however the wild card does not expand properly in the execute_process, it says cannot find *.
How can I find a list of files in a particular directory and store it in a CMake variable? For example ${CMAKE_INSTALL_PREFIX}applications/bin/* ?
This issue is likely caused by the fact that your signcert.cmake script will not know the path for CMAKE_INSTALL_PREFIX. It is not forwarded from the main CMake invocation.
To get around this, you can make a script template signcert.cmake.in, and use configure_file to insert the CMAKE_INSTALL_PREFIX path into your script.
Within your script, one option to more safely obtain and pass a list of files is to use file(GLOB ...) to get a list of files in the directory, before calling execute_process. Here's what your script could look like (note the #CMAKE_INSTALL_PREFIX# marked for variable substitution):
file(GLOB MY_FILES_TO_SIGN
LIST_DIRECTORIES false
#CMAKE_INSTALL_PREFIX#applications/bin/*)
# Pass MY_FILES_TO_SIGN variable to execute_process.
execute_process(
COMMAND cmd /c signtool sign /debug /v /sm /fd sha256 /tr http://timestamp.comodoca.com /td sha256 /sha1 ${THUMBPRINT} ${MY_FILES_TO_SIGN}
)
In your main CMake project, configure this file using the following, which will generate signcert.cmake with the value of CMAKE_INSTALL_PREFIX substituted inside:
configure_file(signcert.cmake.in ${CMAKE_CURRENT_LIST_DIR}/signcert.cmake #ONLY)
I am trying to use a script to restore a backed-up folder that was created before upgrading a user's computer to windows 10.
The script asks for the subfolder that the user's home folder is located under and the user's username. Once it has both of those, it inputs the values of those variables into a network path, and then maps that network path to the H drive of the admin account used to open CMD.
However, after entering the users credentials when the script attempts to access the specified folder, I get this error:
"System error 1312 has occurred. A specified logon session does not exist. It may already have been terminated."
Here is my script:
#echo off
:main
set /p location=Please enter the location of the user (These can be located at \\<domain>\root\HOMES):
set /p usern=Please enter the username:
net use H: \\<domain>\root\HOMES\%location%\%usern%\win10backup
echo Before proceeding, please confirm that the backup folder is named "win10backup" (without quotes)
set /p input=Enter 'y' to continue:
xcopy H:\win10backup C:\Users\%username%\ /O /X /E /H /K
Note: is my companies domain. Removed for security reasons.
Any help would be greatly appreciated.
I want that, when my program runs, it adds itself to Windows startup (if it doesn't exist there).
I tried this:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mycompany /d C:\ProgramFiles\mycompany\demo.exe /f
I also tried to copy the shortcut of the program to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
But, I need administrator privileges for both. What should I do?
I need administrator privileges for both. What should I do?
If you want your app to run for all users with a single installation, you need to install it as an admin so you can update the global users profile. So either make a separate installer that runs with admin rights, or make your app run an elevated copy of itself so it can gain temporary admin rights when it needs to access the global profile.
The only way to avoid that is to have each user run the app separately so it can install itself into each individual user's profile. You don't need admin rights for that.
You can change to:
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v mycompany /d C:\ProgramFiles\mycompany\demo.exe /f
Which should be able to write to that part of the registry
The HKLM key has read access for standard users by default. Whereas the HKCU key has write access for the currently logged in user.
If you want the program to run for all users then you could run a setup program with administrator privileges. Usually, you would run installers as administrator or equivalent on Windows.
When using the signtool to digitally sign a catalog file (*.cat), what does the /s option actually do?
Example:
signtool sign /s SomeStore c:/someCAT.cat
What does the SomeStore parameter for the /s option do? How does one confirm that this parameter is correct?
I have checked the Microsoft signtool documentation here: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx#sign, but it does not seem to provide this information.
The /s option refers to the Certificate Store from which the signtool will be obtaining the data (credentials) necessary to sign the catalog file. See the following:
Digital Certificates: https://msdn.microsoft.com/en-us/library/windows/desktop/aa381975(v=vs.85).aspx
Certificate Stores: https://msdn.microsoft.com/en-us/library/windows/desktop/aa386971(v=vs.85).aspx
Running the signtool with the verify command provides feed back on whether the store specified with the /s option was valid.
Example:
signtool verify /pa /v c:\someCAT.cat
where the /pa and /v are described here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx