
GoodKey desktop guide (Windows)

OlhaPeculiar edited this page Dec 2, 2024 · 8 revisions

Downloading and Installing the GoodKey Client

To begin using the GoodKey desktop client, download the latest version from the official GitHub releases page:

You may receive a warning from SmartScreen. Click More info and then Run anyway.

Note

Important: When installing or updating the GoodKey application, it is recommended to close any applications that interact with it, such as Adobe Acrobat, Fortify, and others, to avoid potential conflicts.

Setting the Environment Variable

The GoodKey application supports working with different servers. By default, it operates with the production server. To use the canary server, you need to set a global environment variable GOODKEY_ENV with the value canary.

Downloading the Windows SDK

You need to have the Windows SDK installed. You can download the Windows SDK from the official Microsoft website:

Listing Certificates in the My Store

To ensure that the GoodKey application is installed and configured correctly, you can list all certificates available in the My store, including those from the GoodKey server, using the following PowerShell command:

Get-ChildItem -Path Cert:\CurrentUser\My

Example Output:

PS C:\Users\micro\github\pv\goodkey-service-app> Get-ChildItem -Path Cert:\CurrentUser\My

  PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
F8AF4D207C1D3745B5DB8BF390E3C6438614DC3E  C=US, O=GoodKey, CN=Code Signing EC P-256
C628BEF7CAA5220C8F5D7D632B62ACA303EDFFF1  C=US, O=GoodKey, CN=Code Signing RSA 2048
970951B167FD919C5548B9D128FC8352184D8556  CN=localhost
086A6D22D7D41776AE3DF8553D0B9E1D2EB71307  CN=3cf91281-5803-43af-92a0-7b90c3f43a87

Note

The certutil -store -user My command does not display certificates from the GoodKey provider.
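Since certutil does not show certificates from the GoodKey provider, the following added PowerShell example (not part of the original guide) lists only the code-signing certificates in the My store and reports which key storage provider holds each private key, so GoodKey-backed entries can be told apart from locally stored ones. The function name is my own.

```powershell
# Added example: code-signing certificates in CurrentUser\My with their key provider.
function Get-CodeSigningCertInfo {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object {
            $c = $_
            # Keep only certificates that have a private key and the Code Signing EKU.
            $c.HasPrivateKey -and ($c.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3')
        } |
        ForEach-Object {
            $cert = $_
            $provider = 'unknown'
            try {
                # RSA and EC private keys are reached through different extension methods.
                $key = switch ($cert.PublicKey.Oid.Value) {
                    '1.2.840.113549.1.1.1' { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
                    '1.2.840.10045.2.1'    { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
                    default                { $null }
                }
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: provider name comes from the CSP container info.
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } elseif ($key -and $key.Key) {
                    # CNG key (RSACng / ECDsaCng): provider name comes from the CngKey.
                    $provider = $key.Key.Provider.Provider
                }
            } catch {
                $provider = "error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
                Provider   = $provider
            }
        }
}

Get-CodeSigningCertInfo | Format-Table -AutoSize
```

Entries reported as Expired or without the Code Signing EKU are the ones signtool will refuse or that will not verify, so this check is worth running before the signing steps below.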

Setting Up the GoodKey Client

If You Don't Have an Account:

  1. Go to the Login Page
    Visit the page: https://goodkey.pp.ua/ and login using your email or Google account.

  2. Create an Organization
    After logging in, create an organization within the platform.

  3. Create a Key in Your Organization
    Navigate to your newly created organization and generate a key.

  4. Generate a Certificate Signing Request (CSR)

    • Go to the "Certificates" section.
    • Use the key you just created to generate a Certificate Signing Request (CSR).
  5. Generate a Certificate

  6. Import the Certificate

    • Copy the generated certificate in PEM format.
    • Return to the "Certificates" section and import the certificate.

If an Organization already exists:

  1. Create a Key and an Associated Certificate
    • Within your existing organization, generate a new key.
    • Use this key to generate a certificate as described above (steps 4–6).

Create and copy the Token

  • Navigate to your organization and create a token.
  • During the token creation process, link it to the key and certificate you created.
  • Once the token is created, copy it for use in your applications.

To verify if the GoodKey client is authenticated, open your terminal or command prompt and run:

gkutils auth status

Expected Output if Not Authenticated:

rpc error: code = Unknown desc = Client for GoodKey Server is not initialized. Run 'gkutils auth register' to authenticate.

Client Registration

Note

You can register the client using one of two methods: with a token or via a browser. Below are the details for both options.

Option 1: Register the Client with a Token

gkutils auth register -t <YourAccessToken> -e canary

Replace <YourAccessToken> with the token you copied. The -e canary option selects the canary server described above.

Option 2: Register the Client via Browser

You can also register the client via the browser, but first you need to configure the GoodKey server environment (see Setting the Environment Variable above).

  1. Initiate the Registration Process:
gkutils auth register
  2. Authenticate via Browser:
  • A browser window will open automatically.
  • Log in to your GoodKey account.
  • Authorize the client when prompted.
  • Approve any prompts to open the application from the browser.
  3. Complete Registration:
  • Return to the terminal.
  • The client should now be registered and authenticated.

Verifying Authentication

After registration, check the authentication status again:

gkutils auth status

Expected Output:

Authenticated as:
  ID:         fc02a79e-280e-4e8e-aacc-81b1cf37ccdb
  First Name: Stepan
  Last Name:  Miroshin
  Email:      microshine@peculiarventures.com

Managing Keys and Certificates

Once authenticated, you can manage your cryptographic assets using the GoodKey client.

Listing Available Keys

To view all keys associated with your account:

gkutils key list

Sample Output:

Keys:
  ID:      021c9cf9-c9f3-4da6-b948-ae2c501b9fbd
  Name:    RSA 2048
  Type:    rsa2048
  Status:  active

  ID:      22db28de-ef40-4d10-8f0d-013750883ce9
  Name:    EC P-256
  Type:    ecP256
  Status:  active

Listing Available Certificates

To view all certificates associated with your account:

gkutils cert list

Sample Output:

Certificates:
  ID:      0ab05e8a-abba-46e7-8145-056b28985863
  Type:    x509
  Name:    Self-Signed for EC P-256
  Has Key: true

  ID:      88b78152-1065-49f2-a1be-9aee11e9e46a
  Type:    x509
  Name:    Self-Signed for RSA 2048
  Has Key: true

Signing Files with signtool

To use signtool, you need valid certificates that have code signing capabilities.

Note

Important: To ensure the certificate is trusted, it must be in the list of trusted certificates. If it is not, install it in the trusted certificates store.

GoodKey certificates in the My store can be used with signtool to sign files.

  • Adding signtool to the PATH Environment Variable

If the signtool utility is not recognized in the terminal, you need to add its path to the PATH environment variable. The path depends on the installed version of the Windows Kit. For example:

$env:PATH += ";C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64"

Note

Adjust the version number (10.0.22621.0) to match the installed version of the Windows Kit on your system.

Important: If you run the signing command from the Visual Studio Developer Command Prompt, the utility may not detect certificates from the GoodKey provider.

  • Creating a Demo File for Signing

To create a demo file named data.ps1 for signing, follow these steps:

  1. Open a Text Editor:
  • You can use any text editor, such as Notepad.
  2. Create the File:
  • Add the following content to the file:
    # Sample PowerShell script
    Write-Output "This is a sample script for signing."
  3. Save the File:
  • Save the file with the name data.ps1.

Now you have a demo file data.ps1 that you can use for signing with signtool.

  • Signing an Executable File

Use the following command to sign a file (shown here with the demo script data.ps1):

signtool sign /sha1 <SHA1_Thumbprint> /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /v .\data.ps1

Replace <SHA1_Thumbprint> with the SHA-1 thumbprint of your GoodKey certificate (e.g., f8af4d207c1d3745b5db8bf390e3c6438614dc3e). You can obtain the thumbprint from the list of certificates in the terminal or from the GoodKey website. This command signs the file data.ps1 with SHA-256 and adds a timestamp from the specified URL.

  • Verifying a Signature

To verify the signature on a file, use the following command:

signtool verify /pa /v data.ps1

This command verifies the signature on data.ps1 using the certificate chain in the My store.
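The signing and verification steps above, wrapped in an added PowerShell example (not part of the original guide): it locates signtool in the newest installed Windows Kit instead of hard-coding the 10.0.22621.0 path, checks that the certificate exists, has a private key, carries the Code Signing EKU and has not expired, then signs and verifies the file and reads the signature back with Get-AuthenticodeSignature. The function names are my own; the thumbprint and file name in the usage line are placeholders to replace.

```powershell
# Added example: preflight checks, sign with signtool, verify, and inspect the result.
function Find-SignTool {
    # Pick the highest installed Windows Kit version rather than a fixed one.
    $candidates = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' -ErrorAction SilentlyContinue
    if (-not $candidates) { throw 'signtool.exe not found; install the Windows SDK first.' }
    ($candidates | Sort-Object { [version]$_.Directory.Parent.Name } | Select-Object -Last 1).FullName
}

function Invoke-GoodKeySign {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path,
        [string]$TimestampUrl = 'http://timestamp.digicert.com'
    )
    # The certificate must be in CurrentUser\My, have a key, the Code Signing EKU, and be valid.
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.3') {
        throw "Certificate $Thumbprint lacks the Code Signing EKU."
    }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

    $signtool = Find-SignTool

    # Same options as the guide: SHA-256 file digest, RFC 3161 timestamp, verbose output.
    & $signtool sign /sha1 $Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verify with the default Authenticode policy, and fail loudly if the chain does not validate.
    & $signtool verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    # Independent read-back of the signature through PowerShell's own Authenticode support.
    Get-AuthenticodeSignature -FilePath $Path |
        Select-Object Status, StatusMessage,
            @{ n = 'Signer';      e = { $_.SignerCertificate.Thumbprint } },
            @{ n = 'Timestamper'; e = { $_.TimeStamperCertificate.Subject } }
}

# Placeholder values: use the thumbprint from 'Get-ChildItem Cert:\CurrentUser\My' and your own file.
Invoke-GoodKeySign -Thumbprint 'F8AF4D207C1D3745B5DB8BF390E3C6438614DC3E' -Path '.\data.ps1'
```

Run it from a regular PowerShell session rather than the Visual Studio Developer Command Prompt, which the guide notes may not see GoodKey provider certificates.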