How to programmatically sign an HCK submission with an extended validation certificate

We have a small application written in C# that we use to sign *.hckx files before they are sent to Microsoft for signing.

The application code looks roughly like this:

using System;
using System.IO;
using System.IO.Packaging;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Windows.Kits.Hardware.ObjectModel.Submission;

static void Main(string[] args)
{
  // args[0] is the directory that holds the submission packages to sign.
  var workDirectory = new DirectoryInfo(args[0]);
  var filesToSign = from item in workDirectory.GetFiles("*.hckx", SearchOption.TopDirectoryOnly)
                    select item.FullName;

  // Loads the signing certificate (the method body is our own and is not shown here).
  X509Certificate2 certificate = GetCertificate();
  foreach (var item in filesToSign)
  {
    Console.WriteLine("Signing: {0}", item);
    PackageManager.Sign(item, certificate);
    Console.WriteLine("Signing finished");
    // Re-open the package and check the signature we just applied.
    var manager = new PackageManager(item);
    Console.WriteLine("Verifying the signature.");
    var signResult = manager.VerifySignature();
    if (signResult != VerifyResult.Success)
    {
      throw new Exception(String.Format("Verification failed. Expected: {0}, but the result was: {1}.", VerifyResult.Success, signResult));
    }
  }
}

This code works with the previous, "regular" certificate.

With the new EV certificate, an additional window appears asking for the PIN code of the certificate.

So the question is: is there an interface/class that allows you to perform a full signing with an EV certificate programmatically?

I would imagine something like a PackageManager.Sign overload that accepts the PIN as a parameter.

+3
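One programmatic alternative to the PIN dialog, as an added example that is neither the poster's code nor part of the HCK object model: re-open the token-backed key with the PIN attached through CspParameters.KeyPassword and the NoPrompt flag, then hand that key to the signer on the certificate object. It assumes .NET Framework (where X509Certificate2.PrivateKey has a setter), that the token exposes the key through a CAPI CSP (CNG key storage providers ignore KeyPassword), and that PackageManager.Sign signs with the PrivateKey of the certificate it is given; the page does not confirm that last point. The TokenCertificate class, the thumbprint and the HCK_TOKEN_PIN variable are illustrative names.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question or from the HCK object model.
// Opens the EV certificate's private key with the token PIN attached via
// CspParameters.KeyPassword so that the CSP signs without showing its dialog.
// Assumptions: .NET Framework (X509Certificate2.PrivateKey has a setter there),
// the token exposes the key through a CAPI CSP (KeyPassword is ignored by CNG
// key storage providers), and the signer uses cert.PrivateKey as handed to it.
static class TokenCertificate
{
    // Reads the PIN from an environment variable (name is illustrative) into a
    // SecureString. Any secret store works; the point is to keep the literal PIN
    // out of the source tree and out of the build log.
    public static SecureString PinFromEnvironment(string variableName)
    {
        string value = Environment.GetEnvironmentVariable(variableName);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException("PIN variable " + variableName + " is not set.");
        var pin = new SecureString();
        foreach (char c in value) pin.AppendChar(c);
        pin.MakeReadOnly();
        return pin;
    }

    // thumbprint: SHA-1 thumbprint of the EV certificate, hex without spaces.
    public static X509Certificate2 OpenWithPin(string thumbprint, SecureString pin)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one certificate with thumbprint " + thumbprint + ", found " + found.Count);
            X509Certificate2 cert = found[0];

            // For a token-backed key this is only a handle to the CSP key container;
            // no PIN is needed yet.
            var handle = cert.PrivateKey as RSACryptoServiceProvider;
            if (handle == null)
                throw new InvalidOperationException(
                    "Private key is not a CAPI CSP key; CspParameters.KeyPassword cannot supply the PIN for it.");
            CspKeyContainerInfo info = handle.CspKeyContainerInfo;

            // Re-open the same container with the PIN attached. NoPrompt makes a wrong
            // PIN or a missing token fail with CryptographicException at the first
            // signature instead of raising the dialog, which is what an unattended
            // build needs.
            var csp = new CspParameters(info.ProviderType, info.ProviderName, info.KeyContainerName)
            {
                KeyNumber = (int)info.KeyNumber,
                KeyPassword = pin,
                Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.NoPrompt
            };
            if (info.MachineKeyStore)
                csp.Flags |= CspProviderFlags.UseMachineKeyStore;

            // Attach the PIN-bearing key to the certificate object that is passed on
            // to the signer (assumed here to be PackageManager.Sign(item, certificate)).
            cert.PrivateKey = new RSACryptoServiceProvider(csp);
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Usage in the question's loop: obtain the certificate from this call instead of
    // the existing loader. Thumbprint and variable name are placeholders.
    public static X509Certificate2 LoadEvSigningCertificate()
    {
        return OpenWithPin("0123456789abcdef0123456789abcdef01234567",
                           PinFromEnvironment("HCK_TOKEN_PIN"));
    }
}
```

With this approach the PIN lives in the signing process, and with the token client's single sign-on it lives in the desktop session; either way the hardware token no longer adds a second factor for anything else running in that context. Treat the signing host as a locked-down, single-purpose machine, keep the PIN out of the repository and the build log, and clear the variable once the run is done.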




1 answer


This works for us: our system has an EV certificate on a USB token with its authentication client, and there, in the client's advanced settings, there is an option for "single sign-on" so that the agent prompts for the USB token password only once and keeps the password until the desktop session is closed. For the desktop, also check that no screensaver is locking the open desktop. There is also an additional "auto logout" timer setting in the agent settings; we set it to "never". We need to re-enter the EV token password if we remove the token and attach it back to the system. Then we just run a little script to do a test signing and enter the password in the dialog that opens.



0

