VSoft Technologies Blogs

rss

VSoft Technologies Blogs - posts about our products and software development.

Introducing Signotaur - Remote Code Signing Server

Over the last few years, code signing has changed somewhat. With the requirement that private keys be secured, many developers have run into the issues that USB tokens present, or the limitations and costs associated with cloud-based signing solutions. Gone are the days of sharing a PFX file around the dev team or with the CI server (unless you managed to snag a 3-year renewal just before the new requirements were enforced).

Signotaur

Signotaur is a self-hosted code signing server that makes sharing certificates simple, all whilst maintaining the security of your private keys. Signing can be done (using the client) from any machine that has network access to the server.

Secure Code Signing

Private keys never leave the server, or the USB token or HSM for that matter. The client/server both support TLS (and can generate a self-signed certificate during the install), and administrators can configure access controls to limit who can use certificates for signing. Signing uses API keys rather than passwords, so no more dreaded SafeNet or YubiKey password prompts!

Supported Certificates

We have tested with PFX files, SafeNet and YubiKey USB tokens, and Windows certificate stores. Signotaur may work with other USB tokens or HSMs that have 64-bit PKCS#11 drivers.

Lightweight

Signotaur Server uses very little memory, CPU, or disk space. It uses SQLite for its database. Installing Signotaur takes a few minutes at most.

Signotaur Client is a single native Windows executable (around 15MB). It's installed with the server and can be downloaded from the server's home. The command-line interface is very similar to SignTool.

How does it work

In simple terms, the client calculates a digest of the files you want to sign, sends that to the server, which then uses the private key to create the signature and sends that back to the client. The client then writes the signatures to the files.

Supported Platforms

For this initial release, Signotaur (client and server) runs on 64-bit Windows 10+, Windows Server 2016, or later. Linux support for the server is in development.

Affordable

Unlike cloud-based services, we don't charge per signing, and the price isn't "available on application" like some "enterprise" products. The introductory price is USD $199 per server, and with the Black Friday Sale extended to midnight 8th December, that makes it USD $119.40 (discount applied at checkout). The price includes 12 months of updates and support. Renewals after 12 months are 30% of the new purchase price.

Download it here. After installation, login and browse to the admin\licenses page and request a 14 day trial license key.

Related Posts


  • Delphi Code Coverage with Continua CI

    Generate code coverage reports for your Delphi projects using Continua CI.

  • Code Signing with USB Tokens

    Big changes are coming for OV (Organisation Validation) code signing certificates - from (1 June 2023, extended from 15 November 2022), new and reissued publicly trusted organization validation (OV) and individual validation (IV) code signing certificates will have to be issued or stored on preconfigured secure hardware by the issuing certificate authority (CA) and the device must meet FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent security standards.

  • Continuous Integration Server performance

    Continuous Integration Servers are often underspecified when it comes to hardware. In the early days of Automated Builds, the build server was quite often that old pc in the corner of the office, or an old server in the data center that no one else wanted. Developers weren't doing many builds per day, so it worked, it was probably slow but that didn't seem to matter much. Fast forward 20 years, and the CI server is now a critical service. The volume and frequency of builds has increased dramatically, and a slow CI server can be a real problem in an environment where we want fast feedback on that code we just committed (even though it "worked on my machine"). Continuous Deployment only adds to the workload of the CI server. In this post I'm going to cover off some ideas to hopefully improve the performance of your CI server.

  • Code Signing Changes for 2016

    The use of SHA1 is digital certificates (codesigning, SSL etc) is being phased out in 2016, it's time to update your code signing certificate.

  • FinalBuilder and Team Foundation Server 2013

    In this post I go into how to integrate FinalBuilder into your TFS build process.

  • Automating Code Signing

    Matthew Jones has a great article on the basics of Code Signing. And, of course, To actually sign the code, I used FinalBuilder
BYOK, Code Signing, Digicert, EV Certificates, Pkcs#11, Safenet, Self-Hosted, Signotaur, USB Token, Yubikey
Showing 5 Comments
Avatar
Arthur Hoornweg last week

Hi Vincent,

I also tried VNC last week (several versions; UltraVNC server and TightVNC server) but neither of these works well with our "headless" Windows 11 server. Quite often the vnc desktop background stays completely black or refreshes only partially. It works as soon as I plugin a physical monitor but that's unacceptable in our server room. The computer has only displayport connectors so unfortunately I can't plugin a monitor emulator (= a 15-pin vga connector with some resistors).


Avatar
Vincent Parrett 2 weeks ago

Thanks for the kudo Arthur!

FWIW - another way around the RDP limitations (which is intentional, not a bug) is to use something like VNC.

Avatar
Arthur Hoornweg 2 weeks ago

I can confirm that Signotaur works. Kudos to the Finalbuilder team for this solution!

If you use this product with Finalbuilder, make sure you have the latest release of Finalbuilder (8.0.0.3406 or higher).


Here's a little tip for those of you who use a Digicert/Thales USB token with the Safenet software. It took me hours to figure this one out. Please be aware that you can't use the Safenet GUI application inside a RDP session! It simply won't detect the USB token. You need to logon to a local console and then it'll work.

Avatar
Vincent Parrett 2 weeks ago

It's a perpetual license, the product will continue to work whether you buy renewal or not.

Avatar
Thomas Mueller 2 weeks ago

<blockquote>The price includes 12 months of updates and support.</blockquote>
So what happens after these 12 months? Does the server continue working or does it stop until I buy a renewal?

your Comment will be showing after administrator's approval







b i u quote



Save Comment