1

What is the recommended approach to sign the executable in a Chocolatey package?

My organization has implemented AppLocker in their new Windows 10 regime. Though I understand the why the regime is in place, I'm not sure how to implement it in custom Chocolatey packages we put into our package feed. Nor am I sure if I need to sign both the installation file as well as the executable file. If any non-signed executable tries to run, the AppLocker stops the execution.

Chocolatey mention a bit about signing in their security section

https://github.com/chocolatey/choco/wiki/Security

Roadmap: https://chocolatey.org/docs/roadmap

The guide "Code signing a windows application" (https://mkaz.blog/code/code-signing-a-windows-application/)

However, I don't know where to start.

ferventcoder
  • 11,952
  • 3
  • 57
  • 90
Harald S. Hanssen
  • 364
  • 9
  • 23
  • For the roadmap item, we are talking about authenticode signing and verification of the packages themselves (nupkg files), not just the contents within. – ferventcoder Nov 19 '19 at 17:13

2 Answers2

1

Background

There are a couple of binaries in Chocolatey provided packages (packagebuilder.exe, packageuploader.exe) that are not currently authenticode signed.

It is something we've identified recently and have on the list to get taken care of.

In the meantime, let's get your question answered properly.

How To Authenticode Sign

To be honest, the blog post you linked is very straightforward. However, I will validate a couple of WTFs you might have had.

Requirements for Windows

  • The primary prerequisite is that you will need an Authenticode certificate (about $200+ per year). Yes, you will really need this - and it really requires verification of an organization (or person if you can go that route).
  • Secondarily you'll need the Windows SDK which has signtool.exe.

How to Sign

Basically you are going to make a call similar to:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /t "http://timestamp.digicert.com" /fd [SHA1|SHA256|SHA512] /f C:\path\to\authenticode.certificate.pfx /p [YOURPASSWORD] /a "C:\path\to\the\file.exe"

The path to sign tool might be slightly different based on what SDK you have installed. Also like the article mentioned, you might want to stick with SHA1 for most compatibility, but you can go higher if you would like to.

The above was adapted out of the Chocolatey (choco) codebase and you can inspect that at https://github.com/chocolatey/choco/blob/54ddf11fa025e97e071ae884c738ef8456b60b76/.build.custom/codeSign.step#L42-L48).

References

ferventcoder
  • 11,952
  • 3
  • 57
  • 90
  • 1
    Thank you for the detailed answer :) I asked some colleagues of mine who does this for a living, only response I got was "we use signtool and it's in the Windows SDK" without much added details. – Harald S. Hanssen Nov 20 '19 at 08:49
0

This will not help you though. The next problem you will face is that Chocolatey will not run in constrained language mode powershell

Jobobo
  • 1
  • 1