What is the recommended approach to sign the executable in a Chocolatey package?
My organization has implemented AppLocker in their new Windows 10 regime. Though I understand why the regime is in place, I'm not sure how to implement it in the custom Chocolatey packages we put into our package feed. Nor am I sure whether I need to sign both the installation file and the executable file. If any unsigned executable tries to run, AppLocker stops the execution.
Chocolatey mentions a bit about signing in their security section:
https://github.com/chocolatey/choco/wiki/Security
Roadmap: https://chocolatey.org/docs/roadmap
The guide "Code signing a windows application" (https://mkaz.blog/code/code-signing-a-windows-application/)
However, I don't know where to start.
Background
There are a couple of binaries in Chocolatey-provided packages (packagebuilder.exe, packageuploader.exe) that are not currently Authenticode signed.
It is something we've identified recently and have on the list to get taken care of.
In the meantime, let's get your question answered properly.
How To Authenticode Sign
To be honest, the blog post you linked is very straightforward. However, I will validate a couple of WTFs you might have had.
Requirements for Windows
signtool.exe
How to Sign
Basically you are going to make a call similar to:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /t "http://timestamp.digicert.com" /fd [SHA1|SHA256|SHA512] /f C:\path\to\authenticode.certificate.pfx /p [YOURPASSWORD] /a "C:\path\to\the\file.exe"
The path to signtool might be slightly different based on what SDK you have installed. Also, like the article mentioned, you might want to stick with SHA1 for most compatibility, but you can go higher if you would like to.
The above was adapted from the Chocolatey (choco) codebase; you can inspect that at https://github.com/chocolatey/choco/blob/54ddf11fa025e97e071ae884c738ef8456b60b76/.build.custom/codeSign.step#L42-L48
References
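An added example, not code from the answer above or from the Chocolatey project: a PowerShell build step that wraps the signtool.exe call shown in the answer, signs every .exe/.dll/.msi payload in a package's tools folder (so both the installer and the executable it drops are covered), and then verifies the result two ways: with Get-AuthenticodeSignature, and by asking the machine's effective AppLocker policy what it would do with the file. The signtool path, the .pfx path, the tools folder and the PFX_PASSWORD environment variable are assumptions to adjust for your build agent.

```powershell
# Added example (not from the original answer or from Chocolatey): sign package payloads
# with signtool.exe, then verify the Authenticode signature and the AppLocker decision.
# Paths, the certificate file and the password variable below are placeholders/assumptions.

$ErrorActionPreference = 'Stop'

# Assumed locations; adjust to the SDK / Windows Kit actually installed on the build agent.
$SignTool = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe'
$PfxPath  = 'C:\path\to\authenticode.certificate.pfx'   # placeholder
$PfxPass  = $env:PFX_PASSWORD                            # assumption: injected by the build agent, never committed
$ToolsDir = 'C:\path\to\package\tools'                   # placeholder: the package's tools folder

function Invoke-AuthenticodeSign {
    param([Parameter(Mandatory)][string]$Path)

    # Same shape as the signtool call in the answer, with a SHA256 file digest and a
    # timestamp so the signature stays valid after the certificate itself expires.
    & $SignTool sign /t 'http://timestamp.digicert.com' /fd SHA256 /f $PfxPath /p $PfxPass /a $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool failed for $Path (exit code $LASTEXITCODE)" }
}

function Test-SignedAndAllowed {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature does not throw on an unsigned file; it reports Status = NotSigned.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Signature = $sig.Status; Signer = $null; AppLocker = 'n/a'; Rule = $null }
    }

    # Evaluate the effective AppLocker policy for a standard user. Requires the AppLocker
    # module, i.e. an edition of Windows 10 / Server that ships AppLocker.
    $decision = Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $Path -User Everyone
    return [pscustomobject]@{
        Path      = $Path
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        AppLocker = $decision.PolicyDecision   # Allowed, Denied or DeniedByDefault
        Rule      = $decision.MatchingRule
    }
}

# Sign every PE/MSI payload in the package. If AppLocker publisher rules are what allow
# the package to run, both the installer and the executable it drops need a signature.
$payloads = Get-ChildItem -Path $ToolsDir -Recurse -File |
            Where-Object { $_.Extension -in '.exe', '.dll', '.msi' }

foreach ($file in $payloads) {
    Invoke-AuthenticodeSign -Path $file.FullName
}

$report = $payloads | ForEach-Object { Test-SignedAndAllowed -Path $_.FullName }
$report | Format-Table -AutoSize

# Fail the build if anything is still unsigned or would be denied on this machine's policy.
$bad = $report | Where-Object { $_.Signature -ne 'Valid' -or $_.AppLocker -like 'Denied*' }
if ($bad) { throw "Unsigned or AppLocker-denied payloads:`n$($bad | Out-String)" }
```

The AppLocker check only tells you what the build machine's effective policy would decide; run it on a host that receives the same policy as the workstations, or export that policy with Get-AppLockerPolicy and pass it as the -PolicyObject. Keeping the .pfx and its password out of the repository (here via an environment variable) matters because anyone holding that file can produce binaries AppLocker will trust.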