6

I have a digital cert bought from a third-party CA and I wanted to use it to sign software with a large number of library files/packages (.bpl). However, signing them one by one takes a lot of time and I am wondering whether there is any way to sign all the files in a shorter time.

The current command I am using to sign the files is as below:
signtool.exe sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /a "Insert_path_to_the_file_you_wish_to_sign"

Leong
  • `signtool` accepts wildcards for filenames. If your target fileset can be represented with a wildcard (like `*.bpl`) then pass that to `signtool` in place of `"Insert_path_to_the_file_you_wish_to_sign"`. – dxiv Feb 01 '21 at 01:26
  • Oh, I see... Thanks – Leong Feb 01 '21 at 01:35
  • Just curious, if I have 1000 .bpl files to sign, the command will still sign one by one right? Is there any chance that there is a way to sign multiple files at one time? – Leong Feb 01 '21 at 01:35
  • The files have to be signed individually no matter what, but they will be all batched in one "session", with only one connection to your provider. That's normally faster than running `signtool` separately for each file, though some providers may "throttle" the signing process if receiving many requests in a row. – dxiv Feb 01 '21 at 01:40
  • Even if I launched a few cmd windows and ran `signtool` to sign different files, it will still sign them one by one, right? – Leong Feb 01 '21 at 09:19
  • Codesigning a binary requires modifying it to insert the digital certificates, so that part has to be done one by one no matter what. In my experience batching the files in one and the same `signtool` run is noticeably faster than running `signtool` for each file individually, but I can't speak for your environment so you'll need to try it and see how it works there. – dxiv Feb 01 '21 at 18:27
  • I tried to launch a few cmd windows and sign a different batch of files in each, and it seems like it is signing the files one by one and not simultaneously. – Leong Feb 02 '21 at 03:34

1 Answer

2

I was signing multiple files using the signtool in a parallel loop. It seemed to work, but I noticed that our certificate provider (DigiCert) recommends that you avoid concurrent requests. https://dev.digicert.com/best-practices/

So instead, I'm now using the signtool in one command - passing in all the files in one command line argument. According to Microsoft's documentation, you can use an '|' between each file.

signtool [command] [options] [file_name | ...]

https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe


And maybe useful for someone, Digicert's DigiCertUtil uses '*' between each file.

Filenames is a list of files to be code signed. To specify more than one file, separate each filename or file path with the asterisk character *. Enclose the file path with quotes if it contains spaces.

example: DigiCertUtil.exe sign /kernelDriverSigning "example.exe*driver.sys"
example: DigiCertUtil.exe sign /sha1 "054D9508B364A02A068FA5C6153847B6" "example.exe*driver.sys"


Based on the recommendation to avoid concurrent requests, I'm assuming that even when specifying multiple files in either the SignTool or DigiCertUtil, the files will still be signed one at a time.

Ryan
  • In `signtool` you **don't** need a pipeline. Just concatenate the files with a **space** in between. For example: `signtool sign /tr servername.com /td sha256 /f pfxFile.pfx /p password /fd sha256 file1.dll file2.dll file3.dll file4.dll 'file with spaces.dll'`. Another note: I suspect that some servers have a file limit - mine was around ~300 files. – itsho Sep 14 '21 at 14:30
  • @itsho where can I find this limit? – HellBaby Feb 08 '22 at 16:04
  • @HellBaby I wish I knew. I found it out the hard way - trial and error. One more thing to notice - avoid the full path and run the command in the same directory to have the shortest possible command - it also helped, for an unknown reason. – itsho Feb 08 '22 at 21:57
  • @itsho if that will be an option... I want to apply this from an Azure DevOps pipeline, which has a lot of entry points projects; so the relative path is not really an option. – HellBaby Feb 09 '22 at 14:48
  • @HellBaby I do exactly that by using PowerShell task – itsho Feb 10 '22 at 06:49
  • @itsho Do you know if signtool makes 1 call to the server or multiple? I tried to sign 20 files and it took 1 minute. I wonder where the time is spent? – T.S. Sep 01 '23 at 02:27
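A batched, sequential version of what the answer and itsho's comment describe, added here as an example (it is not code from the question, the answer, Microsoft or DigiCert): it collects every .bpl under a root, hands signtool one chunk of files per invocation instead of one process per file or several processes in parallel, and then verifies each file so a partially failed batch is caught. It assumes signtool.exe is on PATH, that /a picks the right certificate as in the question, and a hypothetical batch size of 100 chosen to stay under the ~300-file limit one commenter observed; tune it for your provider.

```powershell
# Added example: sign all files matching $Filter under $Root with signtool,
# one batch at a time, never concurrently. Assumes signtool.exe is on PATH
# and that /a selects the intended certificate. $BatchSize is a guess.
param(
    [string]$Root      = (Get-Location).Path,
    [string]$Filter    = "*.bpl",
    [string]$Timestamp = "http://timestamp.sectigo.com",
    [int]   $BatchSize = 100
)

$files = @(Get-ChildItem -Path $Root -Filter $Filter -Recurse -File |
           Select-Object -ExpandProperty FullName)
if ($files.Count -eq 0) { Write-Error "No files matching $Filter under $Root"; exit 1 }

# One signtool process per chunk, run strictly one after another, so the CA and
# timestamp service never see concurrent requests from this script.
for ($i = 0; $i -lt $files.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $files.Count) - 1
    $chunk = @($files[$i..$end])
    Write-Host ("Signing files {0}-{1} of {2}" -f ($i + 1), ($end + 1), $files.Count)
    # Splatting passes every path as its own argument, so paths containing
    # spaces need no manual quoting.
    & signtool.exe sign /tr $Timestamp /td sha256 /fd sha256 /a @chunk
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool exited with $LASTEXITCODE for this batch; verification below will list the files"
    }
}

# Verify every file individually against the default Authenticode policy (/pa),
# so a batch that partially failed is caught regardless of the batch exit code.
$unsigned = @()
foreach ($f in $files) {
    & signtool.exe verify /pa /q $f *> $null
    if ($LASTEXITCODE -ne 0) { $unsigned += $f }
}
if ($unsigned.Count -gt 0) {
    Write-Error ("{0} file(s) are not validly signed:`n{1}" -f $unsigned.Count, ($unsigned -join "`n"))
    exit 1
}
Write-Host "All $($files.Count) files signed and verified."
```

If a batch is rejected outright, lower $BatchSize rather than adding parallelism; the per-file verify loop tells you exactly which files still need signing.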