.github/workflows Initial 2.10-dev commit 2024-06-29 21:58:55 +02:00
cmake Added the '-blobFile' option to specify a file containing the blob content 2024-09-04 17:51:35 +02:00
misc file format fixes 2018-12-04 22:06:35 +01:00
tests Refactor imports to use explicit submodule imports and organize class/function imports 2024-09-06 11:58:28 +02:00
.gitignore Remove an automake dependency 2023-01-24 10:09:35 +01:00
applink.c Squash applink.c compilation warnings 2022-07-21 12:21:19 +02:00
appx.c Added the '-blobFile' option to specify a file containing the blob content 2024-09-04 17:51:35 +02:00
cab.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
cat.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
CMakeLists.txt Missing part of 4dd836bab1 2024-09-05 11:43:25 +02:00
CMakeSettings.json add 64-bit Windows targets 2022-07-17 07:48:33 +02:00
code_signing_ca.pem Not only include Code Signing certificates 2024-06-04 13:25:51 +02:00
Config.h.in remove ENABLE_CURL macro from the config.h file 2022-08-12 20:45:31 +02:00
COPYING.txt file renames 2018-12-04 21:03:21 +01:00
Dockerfile Rewrite making test certificates (#393) 2024-05-22 18:59:53 +02:00
get_code_signing_ca.py Not only include Code Signing certificates 2024-06-04 13:25:51 +02:00
helpers.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
helpers.h Simplify obtaining an existing signature and creating a new one 2024-01-23 19:00:22 +01:00
INSTALL.W32.md Rewrite making test certificates (#393) 2024-05-22 18:59:53 +02:00
LICENSE.txt use CMake instead of Makefile 2022-05-25 20:27:21 +02:00
msi.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
NEWS.md Add the "-engineCtrl" option to control hardware and CNG engines (#405) 2024-09-08 19:23:38 +02:00
osslsigncode.bash Add bash completion script (#125) 2022-01-11 20:46:52 +01:00
osslsigncode.c Fixed conditional compilation for CURL and proxy support 2024-10-25 17:48:01 +02:00
osslsigncode.h Add the "-engineCtrl" option to control hardware and CNG engines (#405) 2024-09-08 19:23:38 +02:00
pe.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
README.md Add the "-engineCtrl" option to control hardware and CNG engines (#405) 2024-09-08 19:23:38 +02:00
script.c Changed error output to stderr instead of stdout 2024-06-05 16:54:21 +02:00
TODO.md CRL support with new CRLfile global option (#28) 2020-01-25 08:25:48 +01:00
utf.c Initial script (text) format support 2024-02-12 10:54:18 +01:00
utf.h Initial script (text) format support 2024-02-12 10:54:18 +01:00
vcpkg.json Rewrite making test certificates (#393) 2024-05-22 18:59:53 +02:00

osslsigncode


WHAT IS IT?

osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe, namely Authenticode signing and timestamping. Because osslsigncode is based on OpenSSL and cURL, it should compile on most platforms where these exist.

WHY?

Why not use signtool.exe? Because I don't want to go to a Windows machine every time I need to sign a binary - I can compile and build the binaries using Wine on my Linux machine, but I can't sign them since the signtool.exe makes good use of the CryptoAPI in Windows, and these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe tool would fail. And, so, osslsigncode was born.

WHAT CAN IT DO?

It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files. It supports the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a valid signature for a CAB file containing Java files. It supports getting the timestamp through a proxy as well. It also supports signature verification, removal and extraction.

BUILDING

This section covers building osslsigncode for Unix-like operating systems. See INSTALL.W32.md for Windows notes. We highly recommend downloading a release tarball instead of cloning from a git repository.

Configure, build, make tests and install osslsigncode

  • Install prerequisites on Debian-based distributions, such as Ubuntu:
  sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev zlib1g-dev python3
  • Install prerequisites on macOS with Homebrew:
  brew install cmake pkg-config openssl@1.1
  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"

NOTE: osslsigncode requires CMake 3.17 or newer.

You may need to use cmake3 instead of cmake to complete the following steps on your system.

  • Navigate to the build directory and run CMake to configure the osslsigncode project and generate a native build system:
  mkdir build && cd build && cmake -S ..

optional CMake parameters:

  -DCMAKE_BUILD_TYPE=Debug
  -DCMAKE_C_COMPILER=clang
  -DCMAKE_PREFIX_PATH=[openssl directory];[curl directory]
  -DCMAKE_INSTALL_PREFIX=[installation directory]
  -DBASH_COMPLETION_USER_DIR=[bash completion installation directory]

  • Then call that build system to actually compile/link the osslsigncode project (alias make):
  cmake --build .
  • Make test:
  ctest -C Release
  • Make install:
  sudo cmake --install .
  • Make tarball (simulate autotools' make dist):
  cmake --build . --target package_source

USAGE

Before you can sign a file you need a Software Publishing Certificate (spc) and a corresponding private key.

This article provides a good starting point as to how to do the signing with the Microsoft signtool.exe:

http://www.matthew-jones.com/articles/codesigning.html

To sign with osslsigncode you need the certificate file mentioned in the article above, in SPC or PEM format, and the corresponding private key as a key file in DER or PEM format (or, if osslsigncode was compiled against OpenSSL 1.0.0 or later, in PVK format).

To sign a PE or MSI file you can now do:

  osslsigncode sign -certs <cert-file> -key <der-key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

or if you are using a PEM or PVK key file with a password together with a PEM certificate:

  osslsigncode sign -certs <cert-file> \
    -key <key-file> -pass <key-password> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

or if you want to add a timestamp as well:

  osslsigncode sign -certs <cert-file> -key <key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -t http://timestamp.digicert.com \
    -in yourapp.exe -out yourapp-signed.exe

You can use a certificate and key stored in a PKCS#12 container:

  osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

To sign a CAB file containing java class files:

  osslsigncode sign -certs <cert-file> -key <key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -jp low \
    -in yourapp.cab -out yourapp-signed.cab

Only the 'low' parameter is currently supported.

If you want to use a PKCS11 token, you must specify the PKCS11 engine and module. An example of using osslsigncode with SoftHSM:

  osslsigncode sign \
    -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
    -key 'pkcs11:token=softhsm-token;object=key' \
    -in yourapp.exe -out yourapp-signed.exe

You can use a certificate and key stored in the Windows Certificate Store with the CNG engine version 1.1 or later. For more information, refer to

https://www.stunnel.org/cng-engine.html

A non-commercial edition of CNG engine is available for testing, personal, educational, or research purposes.

To use the CNG engine with osslsigncode, ensure that the cng.dll library is placed in the same directory as the osslsigncode.exe executable.

Below is an example of how to use osslsigncode with the CNG engine:

  osslsigncode sign \
    -pkcs11engine cng \
    -pkcs11cert osslsigncode_cert \
    -key osslsigncode_cert \
    -engineCtrl store_flags:0 \
    -engineCtrl store_name:MY \
    -engineCtrl PIN:yourpass \
    -in yourapp.exe -out yourapp-signed.exe

You can check that the signed file is correct by right-clicking on it in Windows and choosing Properties --> Digital Signatures, then selecting the signature from the list and clicking Details. You should then be presented with a dialog that says, amongst other things, that "This digital signature is OK".

UNAUTHENTICATED BLOBS

The "-addUnauthenticatedBlob" parameter adds a 1024-byte unauthenticated blob of data to the signature in the same area as the timestamp. This can be used while signing, while timestamping, after a file has been code signed, or by itself. This technique (but not this project) is used by Dropbox, GoToMeeting, and Summit Route.

Example 1. Sign and add blob to unsigned file

osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi

Example 2. Timestamp and add blob to signed file

osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe

Example 3. Add blob to signed and time-stamped file

osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe

WARNING

This feature allows for doing dumb things. Be very careful with what you put in the unauthenticated blob, as an attacker could modify it. Do NOT, under any circumstances, put a URL here that you will use to download an additional file. If you do that, you would need to check that the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect.

BUGS, QUESTIONS etc.

Check whether your question or suspected bug was already discussed on https://github.com/mtrojnar/osslsigncode/issues. Otherwise, open a new issue.

BUT, if you have questions related to generating spc files, converting between different formats and so on, please spend a few minutes searching on Google for your particular problem, since many people have probably already had your problem and solved it.