Signing the Run-time Environment Installer

Digital signatures allow administrators and end users who are installing the Run-time Environment (RTE) to know that the software is provided by a legitimate publisher. Certain Windows operating systems, for example, enforce the use of digital signatures for some types of code. In these cases, installing unsigned software requires a higher authorization level.

Thales highly recommends that you apply your digital signature to the RTE installer to simplify RTE installation by end users and increase their confidence in your software.

For details on generating a Run-time Environment (RTE) Installer that is customized with your Vendor Codes, see the Sentinel LDK Installation Guide.

Windows

After generating the RTE installer (.exe), you apply your digital signature as follows:

1. Obtain a code-signing certificate from a certification authority.

2. Prepare a batch (.bat) file that contains the following command:

signtool.exe sign /v /p <password> /f <pfxSignatureFile> /n "<subject>" /t http://timestamp.verisign.com/scripts/timestamp.dll <rteInstallerExe>

where:

password—password for opening the .PFX signature file

pfxSignatureFile—path and name of your signature file

subject—name of the subject of the signing certificate

rteInstallerExe—name of the RTE installer file

For example:

signtool.exe sign /v /p pwN#%12A /f abcsoft.pfx /n "ABC Software Inc." /t http://timestamp.verisign.com/scripts/timestamp.dll haspdinst.exe

3. Place the batch file in the same directory as the signtool.exe program and the RTE installer.

4. Run the batch file.

NOTE   The signtool.exe program is provided by Microsoft as part of the Windows SDK.

For more information about signing files with signtool.exe, go to: https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-sign-a-file

Mac

Customized RTE Installers are generated on a non-Mac machine. Therefore, before you distribute the RTE installer to your customers, you must code sign and notarize the RTE Installer for Mac as follows:

1. Code sign the RTE Installer either bundled with your application or separately as a standalone application. If you are code signing the RTE Installer separately, make sure to use:

your Apple Developer ID Application certificate.

a secure timestamp.

"hardened runtime".

an Apple entitlements file that grants only the access the installer needs, such as USB devices and outgoing (client) and incoming (server) network connections. For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.device.usb</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
</dict>
</plist>

2. Notarize the RTE Installer by submitting one of the following as a PKG, DMG, or archive file (such as TAR, XZ, or ZIP) to Apple's notary service:

The code-signed RTE Installer as a standalone application.

A bundle that includes both your application and the code-signed RTE Installer.

For more information on code signing and notarization, go to: https://developer.apple.com/support/code-signing/ and https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
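As an added example that is not part of the Sentinel LDK documentation, the following Python script ties the two Mac steps together for a standalone RTE Installer: it checks the entitlements file before signing (the three entitlements shown above must be granted, and none of the hardened-runtime exceptions that would weaken the protection may be enabled), then builds and runs the codesign, verify, notarytool and stapler invocations with the flags step 1 requires. The application path, entitlements path, signing identity and notarytool keychain profile name are assumptions supplied by the caller.

```python
import plistlib
import subprocess
import sys

# Entitlements the page lists as required for the RTE Installer.
REQUIRED = ("com.apple.security.device.usb",
            "com.apple.security.network.client",
            "com.apple.security.network.server")
# Hardened-runtime exceptions: each re-enables something the hardened runtime
# blocks (JIT, unsigned code pages, unsigned libraries, DYLD_* injection).
RISKY = ("com.apple.security.cs.allow-jit",
         "com.apple.security.cs.allow-unsigned-executable-memory",
         "com.apple.security.cs.disable-library-validation",
         "com.apple.security.cs.allow-dyld-environment-variables")

def check_entitlements(plist_bytes):
    """Return (missing_required, risky_enabled) for an entitlements plist."""
    ents = plistlib.loads(plist_bytes)
    missing = [k for k in REQUIRED if ents.get(k) is not True]
    risky = [k for k in RISKY if ents.get(k) is True]
    return missing, risky

def codesign_cmd(app, entitlements, identity):
    """codesign with hardened runtime, secure timestamp and entitlements (step 1)."""
    return ["codesign", "--force", "--options", "runtime", "--timestamp",
            "--entitlements", entitlements, "--sign", identity, app]

def notarize_cmds(app, archive, profile):
    """Zip the signed app, submit it to the notary service, staple the ticket (step 2)."""
    return [["ditto", "-c", "-k", "--keepParent", app, archive],
            ["xcrun", "notarytool", "submit", archive,
             "--keychain-profile", profile, "--wait"],
            ["xcrun", "stapler", "staple", app]]

if __name__ == "__main__":
    # Usage (all four values are assumptions supplied by the caller):
    #   sign_rte.py <RTEInstaller.app> <rte.entitlements> <identity> <notary-profile>
    app, ent, identity, profile = sys.argv[1:5]
    with open(ent, "rb") as f:
        missing, risky = check_entitlements(f.read())
    if missing or risky:
        sys.exit(f"entitlements: missing={missing} risky={risky}")
    steps = [codesign_cmd(app, ent, identity),
             ["codesign", "--verify", "--strict", "--verbose=2", app],
             *notarize_cmds(app, app + ".zip", profile),
             ["spctl", "--assess", "--type", "execute", "--verbose", app]]
    for cmd in steps:
        subprocess.run(cmd, check=True)  # stop at the first failing step
```

The final spctl assessment only passes once the notarization ticket is stapled, so it is a useful last check that the installer will open on a customer's Mac without Gatekeeper warnings.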