Backup Client Codesigning
All Authenticode certificates must be provisioned in an HSM or equivalent secure storage. It will no longer be possible to purchase new File (PKCS#12) certificates.
We recommend enabling code signing for the backup client, especially for businesses handling sensitive customer data. Code signing ensures your customers receive authentic software free from tampering or security warnings during installation, enhancing trust and providing an added layer of protection.
You can configure your Backup Server to automatically sign your branded client installer using the Azure Key Vault cloud HSM.
Signing the installer should reduce the "SmartScreen" / "unknown publisher" prompts when installing the software, and improve compatibility with some antivirus (AV) software.
Without a codesigning certificate: the Windows software will download in the form of a zip file, containing a small loader .exe and a data file.
With a codesigning certificate: when you have configured the client branding options with a codesigning certificate, the Windows software download is in the form of a zip file containing a single signed .exe.
Azure Key Vault is currently the only method available, as it is not possible to attach a physical HSM to the hosted server.
Azure Key Vault is a cloud service provided by Microsoft Azure designed to securely store and manage sensitive information such as cryptographic keys, secrets (like API keys or passwords), and certificates. It helps safeguard data by providing controlled access and the ability to perform operations like encryption and decryption directly within the vault without exposing the keys.
Several Authenticode certificate providers can provision new Authenticode certificates to your Azure Key Vault. We recommend working with DigiCert for the best overall experience and excellent customer support.
First, create the HSM inside Azure Key Vault, create a CSR, arrange to have the CSR signed by the CA, and then import the CA-signed certificate into the Azure Key Vault. The following options are then required in Comet Server:
Azure Key Vault name: The specified name of the entire Key Vault in Azure.
Certificate name: The specified name of the single certificate from the Certificates section in Azure Key Vault.
Application ID: You must register a new Azure application in Azure Active Directory > "App registrations" screen. Then in the Azure Key Vault settings, you can choose either the "Vault access policy" or "Azure role-based access control" permission models, and then follow the specific authorization steps outlined below to grant the new application access to perform signing with certificates inside this Key Vault.
Application Secret: In the Azure application settings, you must generate an Application Secret that Comet Server can use to authenticate as this configured Application.
Tenant ID: The Azure or Office 365 Tenant ID that describes your company organization.
To allow the Backup Server to access and use the certificates, the following permissions are required:
When using Azure role-based access controls (RBAC), assign the application you previously registered the following roles:
Key Vault Certificates Officer
Key Vault Crypto Officer
When using access policies, assign the application the following permissions:
Key Management Operations: all permissions other than "Delete"
Cryptographic Operations: all permissions
Certificate Management Operations: all permissions other than "Delete"
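As an added example (not code from Comet or Microsoft), this Python check compares one Key Vault access-policy entry with the permissions listed above and reports what is missing and what is granted beyond them, such as "Delete". The API permission names mapped to each portal category and the sample entry are assumptions of this example.

```python
import json

# Access-policy permission names in the Key Vault ARM API. Mapping the portal's
# category labels onto these names is an assumption of this example.
KEY_MANAGEMENT = {"get", "list", "update", "create", "import",
                  "delete", "recover", "backup", "restore"}
CRYPTO_OPS = {"decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign"}
CERT_MANAGEMENT = {"get", "list", "update", "create", "import", "delete",
                   "recover", "backup", "restore", "managecontacts",
                   "manageissuers", "getissuers", "listissuers",
                   "setissuers", "deleteissuers"}

# The page's requirement: every permission in each category except "Delete".
# It lists no secret permissions, so any secret grant is reported as extra.
REQUIRED = {
    "keys": (KEY_MANAGEMENT - {"delete"}) | CRYPTO_OPS,
    "certificates": CERT_MANAGEMENT - {"delete"},
    "secrets": set(),
}

def audit_policy(entry):
    """Compare one accessPolicies entry with REQUIRED, per permission scope."""
    report = {}
    for scope, required in REQUIRED.items():
        granted = {p.lower() for p in entry.get("permissions", {}).get(scope) or []}
        # "all" is a wildcard that also covers delete and purge.
        missing = set() if "all" in granted else required - granted
        report[scope] = {"missing": sorted(missing),
                         "extra": sorted(granted - required)}
    return report

# Constructed sample entry (placeholder IDs), shaped like one element of
# properties.accessPolicies in `az keyvault show` output.
SAMPLE_POLICY = json.loads("""
{"tenantId": "00000000-0000-0000-0000-000000000000",
 "objectId": "11111111-1111-1111-1111-111111111111",
 "permissions": {
   "keys": ["Get", "List", "Update", "Create", "Import", "Recover", "Backup",
            "Restore", "Decrypt", "Encrypt", "UnwrapKey", "WrapKey", "Verify",
            "Delete", "Purge"],
   "secrets": [],
   "certificates": ["Get", "List", "Import"]}}
""")

if __name__ == "__main__":
    for scope, result in audit_policy(SAMPLE_POLICY).items():
        print(scope, result)
```

An empty "missing" list with an empty "extra" list for every scope means the application holds exactly the access-policy permissions listed above.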
Codesigning for macOS requires a certificate signed by Apple. To get one, you must first register for Apple's developer program. This requires a DUNS number (for organisations) and payment of a 99 USD fee. You may be required to accept any Apple Developer license agreements in App Store Connect. Once you have enrolled in the Apple Developer program, visit https://developer.apple.com/account/ and click "Certificates, IDs & Profiles" in the left-hand menu to generate and download certificates. You should create both a "Developer ID Installer" and a "Developer ID Application" certificate.
Level
The Level can be one of the following options:
Sign only: Fastest, lowest compatibility. Does not work with macOS 10.15+ after February 2020. Only the "Developer ID Installer" certificate is required. The Apple ID or App Store Connect keys are not required.
Sign and notarise: Fast, good compatibility. The customer's Mac will make one network request to Apple servers when first installed.
Sign, notarise, and staple: Slowest (expect a long delay of 10 minutes or more on first client download). This option offers the best compatibility. The codesigning will work offline without any prompting. The Backup Server will wait until notarisation has completed before serving the generated client installer; this has the additional benefit that any notarisation validation issues will appear in the Backup Server logs.
Upload method (recommended)
To sign the package, upload your "Developer ID Application" and "Developer ID Installer" certificates in PKCS12 (*.pfx / *.p12) file format to the Backup Server. If you created the Apple developer certificates on macOS, use the "Keychain Access" app to export your certificates including the private key.
To notarize the package, there is an additional requirement:
Create an App Store Connect API key from https://appstoreconnect.apple.com/access/api and get its Issuer, Key ID, and Key file.