Add-In code signing and timestamps

01-10-2011 10:44 AM
JeffreyHamblin
New Contributor III
I have used 1-year term code signing certificates for several years. Typically, when I sign software (not Add-Ins) using Microsoft's signtool.exe utility, I specify a timestamp server. Timestamping ensures that the signed file will not expire when the certificate expires. Without using the timestamping option during the signing process, the signed file would expire and have to be re-signed with a new cert each year.

My question is whether the ESRISignAddIn.exe utility does any sort of timestamping, or uses some other method, so that signed Add-Ins do not expire annually.

-Jeff
0 Kudos
11 Replies
JeffreyHamblin
New Contributor III
I just found out the answer, because my 1-year code signing certificate expired a few days ago.

The ESRISignAddIn.exe utility DOES NOT timestamp the digital signature, and therefore once valid dates for the signing cert are exceeded, Add-ins will, at best, show an expired and untrusted digital signature; and worse, if the security setting for Add-ins is set to "Require Add-Ins to be digitally signed by a trusted publisher" -- the Add-In will no longer be loaded.

Frankly, this behavior will lead to a deployment nightmare. Having software fail in the field just because the original signing cert expires is not typical. And neither is having to re-sign ALL previously completed, signed and released software.

I am hoping ESRI can comment, and possibly provide a workaround.

Additionally, I just noticed that one can't simply re-run the ESRISignAddIn.exe utility on an Add-In that was previously signed, to re-sign it with a new certificate -- doing that crashes the utility. It must be run on an un-signed version of the Add-In.

-Jeff
0 Kudos
JeffreyHamblin
New Contributor III
Just an update for anyone following this thread:

I submitted a report to ESRI technical support. I will report back here any replies.

-Jeff
0 Kudos
XiaolingYang
Esri Contributor
Hi Jeff,
  Thank you for your feedback. We have fixed this issue by validating the add-in's digital signature using the time stamp, and the fix will be in the coming ArcGIS 10.0 SP2.
  You also got a crash when re-running ESRISignAddIn.exe on a previously signed add-in. We'd like to know your steps since we couldn't reproduce this issue.

Thanks!
Xiaoling
0 Kudos
JeffreyHamblin
New Contributor III
Thank you for the good news, Xiaoling. I thought I would be lucky to see a resolution in 10.1, so getting it in SP2 is fantastic!

I have attached a screenshot and a text file with the steps to reproduce the SignAddIn utility crash.

-Jeff
0 Kudos
SteveVan_Esch
Esri Contributor
Thanks for reporting this, Jeff. This is indeed a problem with 10.0 Service Pack 1. Service Pack 1 didn't install the correct version of a file that affects only re-signing. As a workaround, can you move ESRISignAddIn.exe to your ArcGIS/bin directory? It should work fine there. We'll get this addressed in Service Pack 2.

Thanks again,
Steve
0 Kudos
JeffreyHamblin
New Contributor III
Hi Steve,

Thanks for the workaround. It works 🙂

Just a note for anyone else wanting to use the workaround:

Move the ESRISignAddIn.exe file
From: \Program Files\Common Files\ArcGIS\bin
To: \Program Files\ArcGIS\Desktop10.0\Bin

(on 64-bit systems that will be \Program Files (x86)\ )

-Jeff
0 Kudos
MeToo
New Contributor
Hi Jeff & Xiaoling:

I am brand new to code signing.

Where do you specify the timestamping server when using the ESRISignAddIn.exe utility?

Thanks,
Dennis
0 Kudos
JeffreyHamblin
New Contributor III
Hi Dennis,

The current version of the ESRI Digital Signature Wizard (as of 10.0 SP2) does not implement the use of a timestamping server to write a signed timestamp into the signature, nor does the code in ArcGIS that validates Add-Ins look for one and handle it. Both only use the simple signing date of the signing machine. So all you specify on the wizard is the file to be signed and the certificate with which to sign it.

As of 10.0 SP2, a signature is validated by ArcGIS as Authenticated if the Add-In was signed on a date before the code-signing cert expired. However, it will still be noted as an expired cert in the Add-In Installer after the cert's expiration date.

It would be more secure to implement true timestamping via server, and more compliant with typical code-signing practice to not display signatures as expired that include a valid timestamp signature.
0 Kudos
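The three validation behaviours discussed in this thread, modelled side by side as an added example (not Esri's code and not written by any poster): checking the certificate against the current date, against the signing machine's own recorded date, and against a verified timestamp-server time. The class, function names and sample dates are constructed for illustration, and all signature cryptography is reduced to a boolean.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Signature:
    not_before: datetime                 # signing cert validity start
    not_after: datetime                  # signing cert expiry
    claimed_time: datetime               # date written by the signing machine's clock
    tsa_time: Optional[datetime] = None  # time in a timestamp-server token, if present
    tsa_verified: bool = False           # True once the token's own signature checks out

def _in_term(sig, when):
    return sig.not_before <= when <= sig.not_after

def check_current_time(sig, now):
    """No timestamp handling: cert must still be valid when the file is loaded."""
    return _in_term(sig, now)

def check_claimed_time(sig, now):
    """Accept if the self-reported signing date falls inside the cert's term."""
    return _in_term(sig, sig.claimed_time)

def check_trusted_timestamp(sig, now):
    """Accept on a verified timestamp-server time; without one, fall back to now."""
    if sig.tsa_time is not None and sig.tsa_verified:
        return _in_term(sig, sig.tsa_time)
    return _in_term(sig, now)

POLICIES = (check_current_time, check_claimed_time, check_trusted_timestamp)

def evaluate(sig, now):
    return {p.__name__: p(sig, now) for p in POLICIES}

# Constructed sample data: a 1-year cert, checked after it has expired.
NB, NA, NOW = datetime(2010, 1, 5), datetime(2011, 1, 5), datetime(2011, 3, 1)
SAMPLES = {
    "no timestamp": Signature(NB, NA, datetime(2010, 6, 1)),
    "server timestamp in term": Signature(NB, NA, datetime(2010, 6, 1), datetime(2010, 6, 1), True),
    "clock and server disagree": Signature(NB, NA, datetime(2010, 12, 1), datetime(2011, 2, 1), True),
}

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        print(f"{name:26}", evaluate(sig, NOW))
```

Only the third policy rejects the sample whose self-reported date and timestamp-server time disagree, which is the gap between a signing-machine date and a server-issued timestamp.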
DiegoLlamas
Esri Contributor
Hi

Where can I download the ESRISignAddIn.exe file? I can't find it anywhere!

Thanks
0 Kudos