
I am looking for a solution that would allow me to sign Windows executables without having access to the certificates from the build machine.

Imagine that you are building a branded version of your software and you must sign the code with a certificate to which you do not have access.

Is there anything already implemented that can do this? Like an HTTPS service where you can upload unsigned binaries and download them signed?

sorin

1 Answer


You need to configure your build process to sign the final exe after it has been built. The process you use will depend on what build system you use. The build machine (and its admin) will need access to the signing certificate. Developers who check in code will not need access to the certificate.

> Imagine that you are building a branded version of your software and you must sign the code with a certificate to which you do not have access.

This is a hypothetical case and defeats the purpose of signing the executable, which is to establish trust in the executable as coming from the signed source. Signing the executable implies you are saying to the world that the executable comes from the signatory; you or your company must therefore own (and therefore have access to) the certificate used to sign the executable.

Ali
  • That's clearly not a hypothetical case; I worked in places where this was already implemented. It is a security issue: they were not willing to risk keeping the certificates on the build machines. Any solution would require you to upload them for signing on another machine, probably via HTTP. I am looking for a solution that involves this. This must be part of the build process; the build is not finished until you have everything signed. – sorin Nov 27 '15 at 17:33
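One concrete shape for the post-build signing step the answer describes, which also fails the build when signing or verification does not succeed, as the comment above asks for. This is an added example, not code from the original question or answer: it assumes `signtool.exe` from the Windows SDK is on the PATH, that the signing certificate is installed in the build account's certificate store with a non-exportable private key (so no .pfx file sits on the build machine's disk), and that `$CertThumbprint` and `$TimestampUrl` are placeholders to be replaced.

```powershell
# Added example: post-build Authenticode signing step for a Windows build.
# Assumptions (not from the original post): signtool.exe is on PATH, the signing
# certificate lives in the build account's personal store with a non-exportable
# key, and the thumbprint and timestamp URL below are placeholders.
param(
    [Parameter(Mandatory)] [string] $ExePath,
    [string] $CertThumbprint = '0000000000000000000000000000000000000000', # placeholder
    [string] $TimestampUrl   = 'http://timestamp.example.invalid'           # placeholder
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path $ExePath)) { throw "Build output not found: $ExePath" }

# Check the certificate is present before signing, so a missing certificate
# fails the build loudly instead of quietly shipping an unsigned binary.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $CertThumbprint }
if (-not $cert) { throw "Signing certificate $CertThumbprint is not installed on this build agent" }

# Sign by thumbprint: the private key is used from the certificate store and
# never has to be exported to a file on the build machine. /tr adds an RFC 3161
# timestamp so the signature stays valid after the certificate expires.
& signtool sign /fd SHA256 /sha1 $CertThumbprint /tr $TimestampUrl /td SHA256 $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Windows authentication policy (/pa) and fail the
# build if the signature does not chain to a trusted root.
& signtool verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Surface the signer in the build log for later review.
Get-AuthenticodeSignature $ExePath |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Because every step throws on failure, wiring this script into the build system's post-build hook makes "the build is not finished until everything is signed" a property the pipeline enforces rather than a convention.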