Signing HLKX Packages #175

Open
cedricvanrompay-datadog opened this issue Sep 18, 2023 · 7 comments

@cedricvanrompay-datadog

cedricvanrompay-datadog commented Sep 18, 2023

How easy/likely is it that JSign supports signing HLKX packages someday soon?

I was not able to find any specification for HLKX signing, the closest thing I found to a specification is this: https://learn.microsoft.com/en-us/windows-hardware/test/hlk/user/hlk-signing-with-an-hsm

Plus a bit of documentation:

@ebourg
Owner

ebourg commented Sep 18, 2023

If this format is usually signed with signtool then it's a good candidate to have it supported by Jsign.

I have never seen an HLK file, but according to the documentation it's based on the OPC format, so it's probably similar to the APPX format already supported by Jsign.

Do you know where I can download a signed HLKX file? If you have one you can send it to [email protected] and I'll investigate it.

@ebourg
Owner

ebourg commented Sep 19, 2023

There is a fork of OpenOpcSignTool by @monrapps supporting HLKX files, that may give some hints on how to implement it in Jsign.

I struggle to find examples of HLKX files, if someone could send two such files, signed and unsigned, to [email protected] I'll get a look.

@ebourg
Owner

ebourg commented Sep 19, 2023

Actually the HLKX files are signed by the HLK controller (hlk.exe sign on the command line) and not by signtool.

Supporting this format in Jsign is likely to be similar to implementing NuGet signing (#162).

I don't have the time to look into this right now, but if someone wants to implement it I'll review and merge the changes.

@cedricvanrompay-datadog
Author

Sorry for the delay.

Yes, HLKX packages are signed by "HLK Studio" and not by SignTool. See https://learn.microsoft.com/en-us/windows-hardware/test/hlk/user/digitally-sign-an-hlkx-package

I'll try to get you some HLKX samples, both signed and unsigned.

@monrapps

The fork of OpenOpcSignTool was created just to make it possible to sign HLKX files using keys stored in Azure Key Vault, which is not possible using "HLK Studio".

@JohnAZoidberg

I see that appx and nuget are supported now.
I'm trying to sign an hlkx file with a yubikey and I'm unable to find any program that can do so.
HLK studio does not want to, signtool does not support it, ...

It seems the problem with HLK Studio is that it doesn't support ECDSA keys with SHA384 hash.
Does jsign support this?

@ebourg
Owner

ebourg commented Jan 21, 2025

@JohnAZoidberg HLKX files aren't supported yet. I still need sample files, both signed and unsigned to investigate further.
