Can smallstep generate certificates for code signing?


Yes, it should work with X.509 certificates issued from our platform.

A leaf (used for signing the code) would need to have the right key usage in its properties. The default X.509 leaf template doesn’t have those, so a custom leaf template must be specified. This is a template that has been used in the past to generate a code signing certificate. One of our engineers tested it with codesign, the macOS equivalent tool for signing blobs:


{
    "subject": {{ toJson .Subject }},
    "sans": {{ toJson .SANs }},
    "keyUsage": ["digitalSignature"],
    "extKeyUsage": ["codeSigning"]
}



That template can of course be customized if they need more properties to be set.

On the verification side, of course the root CA needs to be trusted to verify the signature. It may also be necessary to have the intermediate in the Windows certificate store. We're not sure if the osslsigncode tool includes the intermediate with the signature. If it does, then the intermediate is probably not required to be available on the Windows client performing the verification; if it doesn’t, then the Windows client needs to know the intermediate too.
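As an added example (not from the post above or from smallstep's own code), this Go program, using only the standard library, models both points of the answer: it issues a root, an intermediate and a leaf with the template's digitalSignature/codeSigning settings, then verifies the leaf for the code-signing purpose with and without the intermediate, and against a leaf that only carries serverAuth/clientAuth, assumed here to stand in for the default leaf template. The CA names and signer@example.com are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey; when parent is nil the template is self-signed (a root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// tmpl returns a CA template when eku is nil, else a digitalSignature leaf carrying those EKUs.
func tmpl(cn string, serial int64, eku []x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if eku == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}
// BuildChain issues root -> intermediate -> leaf (made-up names); leafEKU is what the leaf template grants.
func BuildChain(leafEKU []x509.ExtKeyUsage) (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(tmpl("Example Root CA", 1, nil), nil, nil)
	inter, interKey := issue(tmpl("Example Intermediate CA", 2, nil), root, rootKey)
	leaf, _ = issue(tmpl("signer@example.com", 3, leafEKU), inter, interKey)
	return
}
// VerifyCodeSigning models the verifying client: it trusts only root and knows an intermediate only if the
// signature or the local certificate store supplied one (pass none to model a client without it).
func VerifyCodeSigning(leaf, root *x509.Certificate, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}
```

Verification succeeds only when the leaf carries the codeSigning EKU and the intermediate is available; a serverAuth/clientAuth leaf is rejected as an incompatible key usage, and a missing intermediate yields an unknown-authority error.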
