1. Glenn Scamman
  2. PowerBuilder
  3. Wednesday, 11 October 2023 17:53 PM UTC

Hello,

We utilize PB2021 and deploy our application to our customers using PowerClient. We must code-sign our application to avoid warning messages when a customer downloads our application and to help our application from being flagged by antivirus programs.  The PowerClient build process worked fine when we could save the code-signing certificate as a .pfx file, store it on the development machine hard drive and configure the PowerClient project to point to the pfx file, and provide the password to unlock/validate/use the certificate.  But with new certificate security standards, our new code-signing certificate is on a hardware security module (HSM), i.e. a fancy USB device, and doesn't allow the certificate to be exported to a .pfx file.

I was hoping I could create a code signing script for the "Use your own signing script" option of the PowerClient project, but I've tried many different versions, and none work. No helpful error messages are provided, but my guess is the issue is one or all of these.

  • 1. it can't utilize a prompt to enter the certificate password.
  • 2. signtool doesn't allow you to script in the password unless you are telling it the cert is in a .pfx file
  • 3. The executable to sign doesn't have the proper path (the build process doesn't ever show you where the executable is created before it is then sucked into the installer exe or zip file.

The normal suggested workaround for signing issues is to just sign the executable after the build process is complete.  But with PowerClient, this is very tricky and might not even be possible?  The project either produces an installer exe, or a zip file where the executable is inside the archive, but itself has a .zip extension and cannot be extracted.  Some sort of encryption?  It does this even if you configure the project to not encrypt the p-code files. All the files on the webserver after running the installer are typically compressed and encrypted.

Is it possible to get a version of the application executable in a non-compressed, non-encrypted form so that it can be signed (from the command line, which does work), and then moved back out to the deployment server, presumably after having to encrypt or compress again?

Hoping there is a solution to this critical issue.

Thanks, Glenn

Accepted Answer
Mora Wang @Appeon Accepted Answer Pending Moderation
  1. Friday, 13 October 2023 11:25 AM UTC
  2. PowerBuilder
  3. # Permalink

Hi Glenn,

Please try the following methods to see if they can solve your urgent problem:
After the PowerClient or PowerrServer project is successfully deployed, sign and replace App.exe on the webServer side. The following is an example of publishing salesdemo_local to IIS Server:


1) Successfully deploy salesdemo_local to the IIS site directory C:\inetpub\wwwroot\salesdemo_local.
2) Copy C:\inetpub\wwwroot\salesdemo_local\1.01\salesdemo_local.exe.zip to C:\test\salesdemo_local.exe.zip (or any directory) , and rename salesdemo_local.exe.zip to salesdemo_local.exe .
3) Sign C:\test\salesdemo_local.exe and make sure the signature is correct.
4) Start cmd with run as administrator and execute the following command lines:
     cd “C:\inetpub\wwwroot\salesdemo_local\1.01”
     dotnet CustomizeDeploy.dll -src="C:\test\salesdemo_local.exe" -dest=".\salesdemo_local.exe.zip"
5) Run sales_local App and check whether the App can run normally.


Please note:
a) Please redo the aforementioned exe signing and replacement work after each deployment of PowerServer or PowerClient.
b) If the App has changed other than exe signature, you need to re-deploy the app and redo the exe signing and replacement work mentioned above.

In addition, can you provide details of the signing certificate you using or provide a file in .cmd format to send privately to us (the privacy and security content in .cmd can be replaced by fake code)? So that we can check and see if there is a better solution.

Thanks & Regards

Mora

Comment
  1. Mora Wang @Appeon
  2. Monday, 16 October 2023 08:52 AM UTC
Hi Glenn,



I'm happy to hear your issue has been resolved!

We will conduct analysis and research on the new signature certificate in the future to see if we can make better optimizations.



Thanks & Regards,

Mora





  1. Helpful
  1. mike S
  2. Tuesday, 17 October 2023 19:02 PM UTC
  1. Helpful 2
  1. Mora Wang @Appeon
  2. Wednesday, 18 October 2023 05:35 AM UTC
Hi Mike,

Thank you very much for this very valuable information. We will conduct further analysis and research for this purpose, and we will notify you of any progress as soon as possible.

Thanks & Regards,

Mora
  1. Helpful
There are no comments made yet.
Armeen Mazda @Appeon Accepted Answer Pending Moderation
  1. Thursday, 12 October 2023 00:55 AM UTC
  2. PowerBuilder
  3. # 1

You can sign the .EXE after the PowerClient app is compiled just like a traditional C/S PB app.

Comment
  1. Glenn Scamman
  2. Thursday, 12 October 2023 13:32 PM UTC
Armeen, that is what I'm hoping is true. But I may need additional guidance on how. The exe produced by the Power Client build is never available in its normal form. It is either compressed or encrypted into an installer executable or a zip file. Even inside the zip file, it is not extractable. It shows up as another zip file that I haven't been able to unzip. When you install onto your deployment webserver, it apparently remains in this compressed state until the user downloads it to their machine via the cloud app launcher, and that is too late.
  1. Helpful
There are no comments made yet.
Chris Pollach @Appeon Accepted Answer Pending Moderation
  1. Wednesday, 11 October 2023 20:08 PM UTC
  2. PowerBuilder
  3. # 2

Hi Glenn;

  That is all baked into the PC Project. For example:

HTH

Regards ... Chris

Comment
  1. Glenn Scamman
  2. Thursday, 12 October 2023 13:14 PM UTC
Not that I can tell. This type of device doesn't show up like an additional drive like a normal USB drive does. I'm hoping someone else has been through this same issue and found a solution.
  1. Helpful
  1. Glenn Scamman
  2. Thursday, 12 October 2023 13:22 PM UTC
If it helps any, the certificate is on a SafeNet hardware token.



Here are some links that suggest how to sign an exe, and doing these from the command line works, but trying to get it into the PC project build does not...yet.



https://www.sslmarket.com/blog/code-signing-certificates-on-a-token-no-worries

https://www.digicert.com/kb/code-signing/ev-authenticode-certificates.htm
  1. Helpful
  1. Chris Pollach @Appeon
  2. Thursday, 12 October 2023 14:08 PM UTC
Hi Glenn;

You CANNOT sign a PC App EXE as it's deployed to the Web Server with control information about it's current state (signed or unsigned).

You must have an external certificate to point to in the PC project and let the PC "Build & Deploy" complete the signing.

I would contact the HSM certificate vendor to see what they can do for you in this respect.

Regards ... Chris
  1. Helpful
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.