forked from dmcgowan/osslsigncode
-
Notifications
You must be signed in to change notification settings - Fork 2
Fork of https://sourceforge.net/projects/osslsigncode/
License
Unknown, GPL-3.0 licenses found
Licenses found
Unknown
LICENSE
GPL-3.0
COPYING
larskanis/osslsigncode
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
osslsigncode ============ == WHAT IS IT? osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist. == WHY? Why not use signtool.exe? Because I don't want to go to a Windows machine every time I need to sign a binary - I can compile and build the binaries using Wine on my Linux machine, but I can't sign them since the signtool.exe makes good use of the CryptoAPI in Windows, and these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe tool would fail. And, so, osslsigncode was born. == WHAT CAN IT DO? It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a valid signature for a CAB file containing Java files. It supports getting the timestamp through a proxy as well. It also supports signature verification, removal and extraction. == INSTALLATION Make sure dependent libraries are installed: * On Ubuntu-18.04 to 22.10: sudo apt install libssl-dev autoconf build-essential automake libtool libcurl4-openssl-dev libengine-pkcs11-openssl Then download, build and install: git clone https://github.com/larskanis/osslsigncode sh autogen.sh ./configure make make install == USAGE Before you can sign a file you need a Software Publishing Certificate (spc) and a corresponding private key as file, on smart card or a HSM. This article provides a good starting point as to how to do the signing with the Microsoft signtool.exe: http://www.matthew-jones.com/articles/codesigning.html To sign with osslsigncode you need the certificate file mentioned in the article above, in SPC or PEM format, and you will also need the private key which must be a key file in DER, PEM format or PVK format. Alternatively this version of osslsigncode supports private keys stored on high security modules (HSM) through OpenSSL engines. To sign a PE or MSI file you can now do: osslsigncode sign -certs <cert-file> -key <der-key-file> \ -n "Your Application" -i http://www.yourwebsite.com/ \ -in yourapp.exe -out yourapp-signed.exe or if you are using a PEM or PVK key file with a password together with a PEM certificate: osslsigncode sign -certs <cert-file> \ -key <key-file> -pass <key-password> \ -n "Your Application" -i http://www.yourwebsite.com/ \ -in yourapp.exe -out yourapp-signed.exe or if you want to add a timestamp as well: osslsigncode sign -certs <cert-file> -key <key-file> \ -n "Your Application" -i http://www.yourwebsite.com/ \ -t http://timestamp.verisign.com/scripts/timstamp.dll \ -in yourapp.exe -out yourapp-signed.exe You can use a certificate and key stored in a PKCS#12 container: osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \ -n "Your Application" -i http://www.yourwebsite.com/ \ -in yourapp.exe -out yourapp-signed.exe To use a key stored on a HSM or a smart card, you need a OpenSSL engine compatible shared library for operations on the private key. Since most HSMs don't support the OpenSSL engine interface directly but the more common standard PKCS#11, it's necessary to use a bridge called engine-pkcs11. It can be installed like: sudo apt install libengine-pkcs11-openssl Furthermore you can make use the pkcs11 library of the OpenSC project, which is compatible to many smart cards. It can be installed like: sudo apt install opensc To sign a PE file with private key stored on smart card and interactive prompt for the PIN code: osslsigncode sign -certs <cert-file> -askpass \ -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so \ -pkcs11module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \ -in yourapp.exe -out yourapp-signed.exe Use `/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so` on a OpenSSL-1.1 based distribution instead. The certificate has to be provided as a file. It is currently not supported to read the certificate from the smard card directly. Some smart card vendors provide their own PKCS#11 library, which can be used alternatively instead of opensc-pkcs11.so. To sign a CAB file containing java class files: osslsigncode sign -certs <cert-file> -key <key-file> \ -n "Your Application" -i http://www.yourwebsite.com/ \ -jp low \ -in yourapp.cab -out yourapp-signed.cab Only the 'low' parameter is currently supported. You can check that the signed file is correct by right-clicking on it in Windows and choose Properties --> Digital Signatures, and then choose the signature from the list, and click on Details. You should then be presented with a dialog that says amongst other things that "This digital signature is OK". == CONVERTING FROM PVK TO DER (This guide was written by Ryan Rubley) If you've managed to finally find osslsigncode from some searches, you're most likely going to have a heck of a time getting your SPC and PVK files into the formats osslsigncode wants. On the computer where you originally purchased your certificate, you probably had to use IE to get it. Run IE and select Tools/Internet Options from the menu, then under the Content tab, click the Certificates button. Under the Personal tab, select your certificate and click the Export button. On the second page of the wizard, select the PKCS #7 Certificate (.P7B) format. This file you export as a *.p7b is what you use instead of your *.spc file. It's the same basic thing, in a different format. For your PVK file, you will need to download a little utility called PVK.EXE. This can currently be downloaded at http://support.globalsign.net/en/objectsign/PVK.zip Run: pvk -in foo.pvk -nocrypt -out foo.pem This will convert your PVK file to a PEM file. From there, you can copy the PEM file to a Linux box, and run: openssl rsa -outform der -in foo.pem -out foo.der This will convert your PEM file to a DER file. You need the *.p7b and *.der files to use osslsigncode, instead of your *.spc and *.pvk files. == BUGS, QUESTIONS etc. Send an email to [email protected] BUT, if you have questions related to generating spc files, converting between different formats and so on, *please* spend a few minutes searching on google for your particular problem since many people probably already have had your problem and solved it as well.
About
Fork of https://sourceforge.net/projects/osslsigncode/
Resources
License
Unknown, GPL-3.0 licenses found
Licenses found
Unknown
LICENSE
GPL-3.0
COPYING
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C 62.4%
- Shell 33.1%
- Python 2.1%
- M4 1.8%
- Other 0.6%