signer/HOWTO
/*
* *****************************************************************************
* Contributions to this work were made on behalf of the GÉANT project, a
* project that has received funding from the European Union’s Framework
* Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
* Horizon 2020 research and innovation programme under Grant Agreements No.
* 691567 (GN4-1) and No. 731122 (GN4-2).
* On behalf of the aforementioned projects, GEANT Association is the sole owner
* of the copyright in all material which was developed by a member of the GÉANT
* project. GÉANT Vereniging (Association) is registered with the Chamber of
* Commerce in Amsterdam with registration number 40535155 and operates in the
* UK as a branch of GÉANT Vereniging.
*
* Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
* UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
*
* License: see the web/copyright.inc.php file in the file structure or
* <base_url>/copyright.php after deploying the software
*/
In order to configure signing based on scripts in this directory, you must start
with requesting a software signing certificate from a publickly reconisable certificate provider.
You should also obtain and install the osslsigncode package (http://osslsigncode.sourceforge.net/)
If you are using a PFX (P12) file - xxx.pfx start with step 1
If you have separate certificate and key in PEM format, go to step 2
Your goal is to produce certificate/key pairs
xxx_cert.spc xxx_key.der - these are for Windows signing
xxx_cert.pem xxx_key.pem - these are for Apple mobileconfig signing
for Apple you will also need certificates of all trust path in a CAs.pem file
You can change those names of course, but if you keep them, the you will not have to modify
the scripts
Prepare certificates
~~~~~~~~~~~~~~~~~~~~
1. Extract PEM certificate and ke files. The key file cannot be password protected
openssl pkcs12 -in xxx.pfx -nokeys -out xxx_cert.pem
openssl pkcs12 -in xxx.pfx -nocerts -nodes -out xxx_key.pem
2. convert the key from PEM to DER format
openssl rsa -in xxx_key.pem -out xxx_key.der -outform der
3. prepare an SPC file - you will need PEM certificates of all CAs up to the root CA and your code signing certificate
the order of certificate files is irrelevant.
openssl crl2pkcs7 -nocrl -certfile xxx_cert.pem -certfile CA1.pem -certfile CA2.pem -certfile CA3.pem -outform DER -out xxx.spc
4. Prepare a CAs.pem file by concatenating all CA files:
cat CA1.pem CA2.pem CA3.pem > CAs.pem
5. Copy xxx_cert.spc xxx_key.der xxx_cert.pem xxx_key.pem CAs.pem to the appropriate directory
Beware that this directory must be protected against the WEB download, otherwise your keys may be compromised.
The directory must be accessible by the Apache process
Prepare Scripts
~~~~~~~~~~~~~~~
Copy the template scripts to your working copies:
cp mobileconfig_sign-template mobileconfig_sign
cp ms_windows_sign-template ms_windows_sign
Modify both scripts by setting MY_PATH pointing to the directory where you store your keys and certificates.
ms_windows_sign will require defining URL and NAME values
When you an an exe on version Windows as administrator, you will see a warning window
with some information about the exe. This window will show you the program name,
this is the string taken from the NAME, and the O of the certificate.
Not sure when the URL can get used, but we suggest uou define it anyway.
for instance you might define
URL=http://www.eduroam.org
NAME="eduroam configurator"
CAT installers run in admin mode only if they need to install SecureW2, so normally you
do not see this warning window, but you can force the administrator mode and then you will see.
If you have kept the certificate file names as in this HOWTO then nothing else needs to be modified,
otherwise you need to set file names to their proper values.
Both scripts should be readable and executable (but not writeable) by the Apache process.
Enable signing
~~~~~~~~~~~~~~
edit devices/devices.php and change the sign option value form 0 to 1