Feb 15, 2024

Download and Install Code Signing on Rutoken 3.0

Introduction

This article will walk you through the process of downloading and installing the Code Signing and EV Code Signing Certificate on Rutoken 3.0.
If this is not the solution you are looking for, please search for your solution in the search bar above.

Step-by-step Guidelines

1. Install the Rutoken drivers from this link:
   https://www.rutoken.ru/support/download/windows/
2. Install the Fortify app from this link:
   https://fortifyapp.com/
3. Once your order has been approved, vetted, and you have your USB token, open the pickup link from your pickup email in Google Chrome.
   Note: Rutoken does not support IE the installation method.
4. You can watch the following video for a tutorial.
   Note: Rutoken default password: 12345678. Admin password: 87654321.
   
   

Using Code Signing and EV Code Signing (Rutoken, driver version 4.17.0.0 and above)

Prerequisites

1. GlobalSign Code Signing Certificate downloaded and installed onto a hardware token.
2. Windows Software Development Kit (SDK) for Windows 8.1
3. SHA-256 orders additionally use the R1-R3 Cross Certificate, – default March 31, 2014 and after. (The R1-R3 Cross Certificate will need to be installed on the signing computer but not specified as an additional certificate during the signing procedure.)

Important SignTool Options

1. /ac - Specify an Additional Certificate.
2. /a - Automatically selects the best certificate to sign the file from your Windows Certificate Store.
3. /n "Certificate Common Name" Specifies the certificate to sign the file from your Windows Certificate Store using the certificate common name.
4. /fd SHA256 - Specify the file digest algorithm used in creating file signatures.
5. /t - Specify a Microsoft Authenticode-compatible time stamp server.
6. /tr - Specify an RFC 3161 compliant trusted time stamp server. *Recommended*
7. /td SHA256 - Must be called after "/tr", this command specifies the TimeStamp digest algorithm. *Recommended*

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.

TimeStamp URLs: SHA-2 based: http://timestamp.globalsign.com/tsa/r6advanced1

Procedure

1. You can either sign files out of a working directory or you can place them in your Windows SDK\bin folder.
2. Open the Command Prompt: Windows 7: Start > Run > cmd, or for Windows 8 - 10, press the Windows Key, then type cmd and press enter.
3. Navigate to the directory with signtool.exe.
4. Use the following command to sign your file:
   signtool sign /a /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /fd SHA256 c:/path/to/your/file.exe
5. Enter your Token Password. If the signing is successful, you will see a prompt informing you so.
6. To verify the successful signature, use the following commands:
   Authenticode: signtool verify /v /pa
   Kernel Driver Signing: signtool verify /v /kp

You may also verify the signature within the properties of the file, under the Digital Signatures tab.

Using Code Signing and EV Code Signing (Rutoken, Driver version below 4.17.0.0)

1. Install the latest java. (jdk and jre). Note: It’s required for keytool and signing a file.
2. Search where the file is located: "rtPKCS11ECP.dll", f.i.. C:\Windows\System32\rtPKCS11ECP.dll
   Note: You can get it from the SDK website: https://www.rutoken.ru/developers/sdk
3. Download the latest release of jsign from this link and add the file to the library (java jdk bin folder): https://github.com/ebourg/jsign/releases/download/5.0/jsign-5.0.jar  
4. Create a file called "eToken.cfg". Add the path to the library and the number of the slot into which the token is connected (if there is one on the machine, then most likely on the zero slot), as shown below, and add the file to the library (java jdk bin folder):
   
   name = OpenSC-PKCS11
   description = SunPKCS11 via OpenSC
   library = C:\Windows\System32\rtPKCS11ECP.dll
   slotListIndex = 0
5. Run CMD (Command Prompt) as Administrator and specify the path to the Java jdk bin folder.
6. Get a list of Certificates on your token by using this command:
   
   keytool -list -v -keystore NONE -storetype PKCS11 -storepass 12345678 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
   
   Whereas, "-storepass 12345678" is the password for your token.
7. You need a certificate field: "Alias name" (f.i.., Alias name: RSA)
8. Sign the file "File.exe":
   
   java -jar jsign-5.0.jar --keystore eToken.cfg --alias "RSA" --storetype PKCS11 --storepass 12345678 --alg SHA-256 --tsaurl
   http://timestamp.globalsign.com/tsa/r6advanced1 --tsmode RFC3161 File.exe