topic Re: Add-In code signing and timestamps in ArcObjects SDK Questions

Add-In code signing and timestamps

JeffreyHamblin — Mon, 10 Jan 2011 18:44:30 GMT

I have used 1-year term code signing certificates for several years. Typically, when I sign software (not Add-Ins) using Microsoft's signtool.exe utility, I specify a timestamp server. Timestamping ensures that the signed file will not expire when the certificate expires. Without using the timestamping option during the signing process, the signed file would expire and have to be re-signed with a new cert each year.

My question is whether the ESRISignAddIn.exe utility does any sort of timestamping, or uses some other method, so that signed Add-Ins do not expire annually.

-Jeff

Re: Add-In code signing and timestamps

JeffreyHamblin — Tue, 25 Jan 2011 17:54:18 GMT

I just found out the answer, because my 1-year code signing certifcate expired a few days ago.

The ESRISignAddIn.exe utility DOES NOT timestamp the digital signature, and therefore once valid dates for the signing cert are exceeded, Add-ins will, at best, show an expired and untrusted digital signature; and worse, if the security setting for Add-ins is set to "Require Add-Ins to be digitally signed by a trusted publisher" -- the Add-In will no longer be loaded.

Frankly, this behavior will lead to a deployment nightmare. Having software fail in the field just because the original signing cert expires is not typical. And neither is having to re-sign ALL previously completed, signed and released software.

I am hoping ESRI can comment, and possibly provide a work around.

Additionally, I just noticed that one can't simply re-run the ESRISignAddIn.exe utility on an Add-In that was previously signed, to re-sign it with a new certificate -- doing that crashes the utility. It must be run on an un-signed version of the Add-In.

-Jeff

Re: Add-In code signing and timestamps

JeffreyHamblin — Wed, 26 Jan 2011 20:23:50 GMT

Just an update for anyone following this thread:

I submitted a report to ESRI technical support. I will report back here any replies.

-Jeff

Re: Add-In code signing and timestamps

XiaolingYang — Wed, 02 Feb 2011 22:11:59 GMT

Hi Jeff,
Thank you for your feedback. We have fixed this issue by validating add-in's digital signature using time stamp and the fix will be in the coming ArcGIS 10.0 SP2.
You also got a crash when re-running ESRISignAddIn.exe on a previously signed add-in. We'd like to know your steps since we couldn't reproduce this issue.

Thanks!
Xiaoling

Re: Add-In code signing and timestamps

JeffreyHamblin — Thu, 03 Feb 2011 18:14:53 GMT

Hi Jeff,
Thank you for your feedback. We have fixed this issue by validating add-in's digital signature using time stamp and the fix will be in the coming ArcGIS 10.0 SP2.
You also got a crash when re-running ESRISignAddIn.exe on a previously signed add-in. We'd like to know your steps since we couldn't reproduce this issue.

Thanks!
Xiaoling

Thank you for the good news, Xiaoling. I thought I would be lucky to see a resolution in 10.1, so getting it in SP2 is fantastic!

I have attached a screenshot and a text file with the steps to reproduce the SignAddIn utility crash.

-Jeff

Re: Add-In code signing and timestamps

SteveVan_Esch — Mon, 07 Feb 2011 17:28:04 GMT

Thanks for reporting this Jeff, this is indeed a problem with 10.0 Service Pack 1. Service pack 1 didn't install the correct version of a file that affects only resigining. As a workaround, can you move ESRISignAddIn.exe to your ArcGIS/bin directory, it should work fine there? We'll get this addressed in service pack 2.

Thanks again,
Steve

Re: Add-In code signing and timestamps

JeffreyHamblin — Mon, 07 Feb 2011 18:01:57 GMT

Hi Steve,

Thanks for the workaround. It works 🙂

Just a note for anyone else wanting to use the workaround:

Move the ESRISignAddIn.exe file
From: \Program Files\Common Files\ArcGIS\bin
To: \Program Files\ArcGIS\Desktop10.0\Bin

(on 64-bit systems that will be \Program Files (x86)\ )

-Jeff

Re: Add-In code signing and timestamps

MeToo — Fri, 29 Jul 2011 23:55:36 GMT

Hi Jeff & Xiaoling:

I am brand new to code signing.

Where do you specify the timestamping server when using the ESRISignAddIn.exe utility?

Thanks,
Dennis

Re: Add-In code signing and timestamps

JeffreyHamblin — Sat, 30 Jul 2011 02:32:05 GMT

Hi Dennis,

The current version of the ESRI Digital Signature Wizard (as of 10.0 SP2) does not implement the use of a timestamping server to write a signed timestamp into the signature, nor does the code in ArcGIS that validates Add-Ins look for one and handle it. Both only use the simple signing date of the signing machine. So all you specify on the wizard is the file to be signed and the certificate with which to sign it.

As of 10.0 SP2, a signature is validated by ArcGIS as Authenticated if the Add-In was signed on a date before the code-signing cert expired. However it will still be noted as an expired cert in the Add-In Installer after the cert's expiration date.

It would be more secure to implement true timestamping via server, and more compliant with typical code-signing practice to not display signatures as expired that include a valid timestamp signature.

Re: Add-In code signing and timestamps

DiegoLlamas — Tue, 13 Mar 2012 17:53:40 GMT

Hi

Where can I download the ESRISignAddIn.exe file, I cant find it anywhere!

Thanks

Re: Add-In code signing and timestamps

MeToo — Tue, 13 Mar 2012 19:01:27 GMT

diegollamas:

On a 32-bit PC with a default ArcGIS for Desktop installation and the SDK for .NET installed, the ESRISignAddIn.exe utility can be found at C:\Program Files\Common Files\ArcGIS\bin.

I am not sure if the SDK is required or not, but if you can't find the utility, it may be the reason.

jeffhamblin has posted the location of this utility on 64-bit PCs in this thread as well.

Good luck,
Dennis

Re: Add-In code signing and timestamps

DiegoLlamas — Thu, 15 Mar 2012 16:58:05 GMT

diegollamas:

On a 32-bit PC with a default ArcGIS for Desktop installation and the SDK for .NET installed, the ESRISignAddIn.exe utility can be found at C:\Program Files\Common Files\ArcGIS\bin.

I am not sure if the SDK is required or not, but if you can't find the utility, it may be the reason.

jeffhamblin has posted the location of this utility on 64-bit PCs in this thread as well.

Good luck,
Dennis

Thanks Dennis I found it