Participating Frequently
August 28, 2025
Question

CEP Extension Digital Signing with PKCS#11


Hi!

I know there were similar topics, but none of them were answered. Sorry for asking again, but this is a serious issue.

 

We develop .zxp extensions. They need to be updated from time to time. And new extension files need to be signed correctly. The problem is that ZXPSignCmd requires a .p12 file to sign the extension. It's not just another container format, the .p12 file contains a _key_ along with the signing certificate. The key is mandatory, without it you can't sign. And CAs don't seem to export signing keys anymore.

For this reason: https://knowledge.digicert.com/alerts/code-signing-changes-in-2023

If there is a CA that still exports .p12 files, please let us know. It would be a lifesaver. At least for a while. But in any case, ZXPSignCmd requires PKCS#11 support. Or its successor.

Or another option. The .zxp file contains a digitally signed XML file, which is a bit hard to replicate, but technically possible. I'm sure there are people skilled enough to create such a file. And pack it all into a zip archive with a .zxp extension. Maybe we can even do it ourselves, but would it be legally acceptable?

And if creating such XML files is acceptable, is there a way to check the compatibility of such extensions?

ZXPSignCmd of course has a built-in validator, but it is strict and expects a valid signature of the same type as the one it creates: <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>. That's SHA-1. I know that DigiCert won't allow such a signature to be created, since that algorithm is no longer considered secure. The DigiCert API simply says "No".

Do target applications require the same algorithm or do they accept, for example, SHA-256? Is there another way to verify extensions?
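An added example, not part of the original post and not Adobe's tooling: a read-only audit that opens a .zxp as a zip archive and lists the XML-DSig `SignatureMethod` and `DigestMethod` algorithm URIs it finds, flagging SHA-1 ones. It assumes nothing about the signature file's name and scans every `.xml` entry; the sample archive and its entry name `sample/signature.xml` are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML-DSig algorithm identifiers that are built on SHA-1.
SHA1_URIS = {DSIG_NS + s for s in ("rsa-sha1", "dsa-sha1", "hmac-sha1", "sha1")}

def signature_algorithms(zxp_bytes):
    """Return (entry, element, algorithm URI, uses_sha1) for every
    SignatureMethod/DigestMethod in the archive's XML entries."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zxp_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # refuse DTDs (entity-expansion risk)
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                continue
            for tag in ("SignatureMethod", "DigestMethod"):
                for el in root.iter("{%s}%s" % (DSIG_NS, tag)):
                    uri = el.get("Algorithm", "")
                    found.append((name, tag, uri, uri in SHA1_URIS))
    return found

def build_sample_zxp():
    """Constructed sample: a zip with one signature-like XML entry."""
    xml = (
        '<Signature xmlns="%s"><SignedInfo>'
        '<SignatureMethod Algorithm="%srsa-sha1"/>'
        '<Reference URI="index.html">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '</Reference></SignedInfo></Signature>' % (DSIG_NS, DSIG_NS)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample/signature.xml", xml)  # hypothetical entry name
        zf.writestr("index.html", "<html></html>")
    return buf.getvalue()

if __name__ == "__main__":
    for row in signature_algorithms(build_sample_zxp()):
        print(row)
```

To audit a real package, pass the file's bytes to `signature_algorithms`; the function only reports algorithm identifiers and does not verify the signature itself.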

2 replies

Participating Frequently
August 31, 2025

There's a GitHub ticket for this now:
https://github.com/Adobe-CEP/CEP-Resources/issues/550

leo.r
Community Expert
August 28, 2025

You may also want to ask this question here:

https://community.adobe.com/t5/exchange/ct-p/ct-exchange?page=1&sort=latest_replies&lang=all&tabid=all

and/or here:

https://forums.creativeclouddeveloper.com/

Also, what is "CA"? Certificate Authority?

Participating Frequently
August 28, 2025

Thank you for your advice!

> You may also want to ask this question here

Worth a try. Thanks.

> Also, what is "CA"? Certificate Authority?

Yep. I know DigiCert won't allow exporting a signing key. Rumors say others too. But maybe there's still someone old-fashioned among them.