Appx CMS Signer
ENTERPRISE
The signer has the fully qualified class name: org.signserver.module.msauthcode.signer.AppxCMSSigner.
Overview
The Appx CMS signer is a special-purpose version of the extended CMS signer, allowing producing CMS signatures for Microsoft APPX packages. This is intended for use with client-side hashing, where a client does the hashing of the original file and requests this hash to be signed by SignServer, producing a signature which is then inserted into the resulting output file by the client.
This signer has all the properties of the Extended CMS Signer and includes the Appx-specific properties of the Appx Signer. Note however that the Appx CMS signer does not support specifying the content OID (using the CONTENTOID property) or overriding the content OID to use (by enabling the ALLOW_CONTENTOID_OVERRIDE property) since the content OID is set according to the Authenticode specification.
The signdocument
command can be used with client-side hashing and construction to sign an APPX package by hashing on the client-side, signing the hash server-side using this signer, and finally assembling the final signed binary or installer on the client-side. For more information, see Client-Side Hashing.
The Appx CMS signer only supports RFC#3161 timestamps.
Available Properties
Property | Description |
---|---|
PROGRAM_NAME | Program name to embed in the signature. Optional, default: none. |
ALLOW_PROGRAM_NAME_OVERRIDE | If the requestor should be able to override the program name by supplying it as a request metadata property. Optional, default: false. |
PROGRAM_URL | Program URL to embed in the signature. Optional, default: none. |
ALLOW_PROGRAM_URL_OVERRIDE | If the requestor should be able to override the program URL by supplying it as a request metadata property. Optional, default: false. |
Request Properties
This worker can accept the following request metadata properties, given that they are configured to be allowed:
Field | Description |
---|---|
FILE_TYPE | The file type for which the signature should be used in. Currently supported values are PE (for portable executables, such as Windows .exe and .dll files), or MSI (for Windows installers). This affects the layout of the content in the CMS structure. If not specified, PE is assumed. |
PROGRAM_NAME | Program name text to use instead of the configured one (if any). Specifying an empty value removes the configured program name. Without ALLOW_PROGRAM_NAME_OVERRIDE configured in the worker request, including this request property will not be allowed. |
PROGRAM_URL | Program URL to use instead of the configured one (if any). Specifying an empty value removes the configured program URL. Without ALLOW_PROGRAM_URL_OVERRIDE configured in the worker request, including this request property will not be allowed. |