nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 09:08:04 -05:00
Code Issues Projects Releases Wiki Activity

Merge pull request #36 from olszomal/cabverify

Browse Source 
CAB files support
- Extracting, attaching, removing and verifying the signature
- Signing with the nested signature
- Enable tests for CAB files
This commit is contained in:
Michał Trojnara 2020-03-27 06:24:48 +01:00 committed by GitHub
commit 2830ab5795
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 1094 additions and 338 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1038
osslsigncode.c
View File

File diff suppressed because it is too large Load Diff

20
tests/recipes/11_sign_nest
View File

@ -27,7 +27,25 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Error: -nest option is only valid for PE/MSI files test_name="112. Sign a CAB file with the nest flag"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_112_signed.ex_"
../../osslsigncode sign -h sha512 \
-nest \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test_112_signed.ex_" -out "test_112.ex_"
verify_signature "$?" "112" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "SHA512" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="113. Sign a MSI file with the nest flag" test_name="113. Sign a MSI file with the nest flag"

27
tests/recipes/31_extract_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Extract the signature from the PE/MSI file. # Extract the signature from the PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="312. Extract the signature from the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_312.ex_" && \
../../osslsigncode extract-signature -pem \
-in "test_312.ex_" -out "sign_cab.pem"
verify_signature "$?" "312" "ex_" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="312. Extract the signature from the MSI file" test_name="313. Extract the signature from the MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" if test -s "sample.msi"
then then
../../osslsigncode sign -h sha256 \ ../../osslsigncode sign -h sha256 \
-st "1556668800" \ -st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_312.msi" && \ -in "sample.msi" -out "test_313.msi" && \
../../osslsigncode extract-signature -pem \ ../../osslsigncode extract-signature -pem \
-in "test_312.msi" -out "sign_msi.pem" -in "test_313.msi" -out "sign_msi.pem"
verify_signature "$?" "312" "msi" "success" "@2019-09-01 12:00:00" \ verify_signature "$?" "313" "msi" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN" "sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

23
tests/recipes/32_attach_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Attach the signature to the PE/MSI file. # Attach the signature to the PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -21,18 +21,31 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="322. Attach the signature to the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode attach-signature -sigin "sign_cab.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \
-in "test.ex_" -out "test_322.ex_"
verify_signature "$?" "322" "ex_" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="322. Attach the signature to the MSI file" test_name="323. Attach the signature to the MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" if test -s "sample.msi"
then then
../../osslsigncode attach-signature -sigin "sign_msi.pem" \ ../../osslsigncode attach-signature -sigin "sign_msi.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \ -CAfile "${script_path}/../certs/CACert.pem" \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \ -CRLfile "${script_path}/../certs/CACertCRL.pem" \
-in "sample.msi" -out "test_322.msi" -in "sample.msi" -out "test_323.msi"
verify_signature "$?" "322" "msi" "success" "@2019-09-01 12:00:00" \ verify_signature "$?" "323" "msi" "success" "@2019-09-01 12:00:00" \
"sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN" "sha256sum" "ASCII" "osslsigncode" "UNUSED_PATTERN"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

27
tests/recipes/33_remove_signature
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Remove the signature from the PE/MSI file. # Remove the signature from the PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -23,20 +23,35 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="332. Remove the signature from the CAB file"
printf "\n%s\n" "$test_name"
if [ -s "test.ex_" ]
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_332_signed.ex_" && \
../../osslsigncode remove-signature \
-in "test_332_signed.ex_" -out "test_332.ex_"
verify_signature "$?" "332" "ex_" "fail" "@2019-09-01 12:00:00" \
"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="332. Remove the signature from the MSI file" test_name="333. Remove the signature from the MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" if test -s "sample.msi"
then then
../../osslsigncode sign -h sha256 \ ../../osslsigncode sign -h sha256 \
-st "1556668800" \ -st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_332_signed.msi" && \ -in "sample.msi" -out "test_333_signed.msi" && \
../../osslsigncode remove-signature \ ../../osslsigncode remove-signature \
-in "test_332_signed.msi" -out "test_332.msi" -in "test_333_signed.msi" -out "test_333.msi"
verify_signature "$?" "332" "msi" "fail" "@2019-09-01 12:00:00" \ verify_signature "$?" "333" "msi" "fail" "@2019-09-01 12:00:00" \
"sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "sha256sum" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

15
tests/recipes/35_varia_sha256sum
View File

@ -22,6 +22,21 @@ if test -s "test.exe"
skip=$(($skip+1)) skip=$(($skip+1))
fi fi
if test -s "test.ex_"
then
if test $(cat "sha256sum_ex_.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1
then
res=1
cat "sha256sum_ex_.log" >> "results.log"
printf "Non-unique SHA256 message digests found\n" >> "results.log"
else
rm -f test_3[1-4]*[1-2]*.ex_
fi
rm -f "sha256sum_ex_.log"
else
skip=$(($skip+1))
fi
if test -s "sample.msi" if test -s "sample.msi"
then then
if test $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1 if test $(cat "sha256sum_msi.log" | cut -d' ' -f1 | uniq | wc -l) -ne 1

28
tests/recipes/36_add_signature_blob
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Add an unauthenticated blob to the PE/MSI file. # Add an unauthenticated blob to the PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="362. Add an unauthenticated blob to the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_362_signed.ex_"
../../osslsigncode add \
-addUnauthenticatedBlob \
-in "test_362_signed.ex_" -out "test_362.ex_"
verify_signature "$?" "362" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="362. Add an unauthenticated blob to the MSI file" test_name="363. Add an unauthenticated blob to the MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" if test -s "sample.msi"
then then
../../osslsigncode sign -h sha256 \ ../../osslsigncode sign -h sha256 \
-st "1556668800" \ -st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_362_signed.msi" -in "sample.msi" -out "test_363_signed.msi"
../../osslsigncode add \ ../../osslsigncode add \
-addUnauthenticatedBlob \ -addUnauthenticatedBlob \
-in "test_362_signed.msi" -out "test_362.msi" -in "test_363_signed.msi" -out "test_363.msi"
verify_signature "$?" "362" "msi" "success" "@2019-09-01 12:00:00" \ verify_signature "$?" "363" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY" "UNUSED_PATTERN" "ASCII" "BEGIN_BLOB" "MODIFY"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

28
tests/recipes/37_add_signature_timestamp
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Add an authenticode timestamp to the PE/MSI file. # Add an authenticode timestamp to the PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="372. Add an authenticode timestamp to the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_372_signed.ex_" && \
../../osslsigncode add \
-t http://time.certum.pl/ \
-in "test_372_signed.ex_" -out "test_372.ex_"
verify_signature "$?" "372" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="372. Add an authenticode timestamp to the MSI file" test_name="373. Add an authenticode timestamp to the MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log" if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
then then
../../osslsigncode sign -h sha256 \ ../../osslsigncode sign -h sha256 \
-st "1556668800" \ -st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_372_signed.msi" && \ -in "sample.msi" -out "test_373_signed.msi" && \
../../osslsigncode add \ ../../osslsigncode add \
-t http://time.certum.pl/ \ -t http://time.certum.pl/ \
-in "test_372_signed.msi" -out "test_372.msi" -in "test_373_signed.msi" -out "test_373.msi"
verify_signature "$?" "372" "msi" "success" "@2019-09-01 12:00:00" \ verify_signature "$?" "373" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN" "UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

28
tests/recipes/38_add_signature_rfc3161
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Add an RFC 3161 timestamp to signed PE/MSI file. # Add an RFC 3161 timestamp to signed PE/CAB/MSI file.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -24,21 +24,37 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="382. Add RFC 3161 timestamp to signed CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_382_signed.ex_"
../../osslsigncode add \
-ts http://time.certum.pl/ \
-in "test_382_signed.ex_" -out "test_382.ex_"
verify_signature "$?" "382" "ex_" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="382. Add RFC 3161 timestamp to signed MSI file" test_name="383. Add RFC 3161 timestamp to signed MSI file"
printf "\n%s\n" "$test_name" printf "\n%s\n" "$test_name"
if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log" if test -s "sample.msi" && ! grep -q "no libcurl available" "results.log"
then then
../../osslsigncode sign -h sha256 \ ../../osslsigncode sign -h sha256 \
-st "1556668800" \ -st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \ -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "sample.msi" -out "test_382_signed.msi" -in "sample.msi" -out "test_383_signed.msi"
../../osslsigncode add \ ../../osslsigncode add \
-ts http://time.certum.pl/ \ -ts http://time.certum.pl/ \
-in "test_382_signed.msi" -out "test_382.msi" -in "test_383_signed.msi" -out "test_383.msi"
verify_signature "$?" "382" "msi" "success" "@2019-09-01 12:00:00" \ verify_signature "$?" "383" "msi" "success" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN" "UNUSED_PATTERN" "ASCII" "Unizeto" "UNUSED_PATTERN"
test_result "$?" "$test_name" test_result "$?" "$test_name"
else else

16
tests/recipes/40_verify_leaf_hash
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Compare the leaf certificate hash against specified SHA256 message digest for the PE/MSI file # Compare the leaf certificate hash against specified SHA256 message digest for the PE/CAB/MSI file
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
script_path=$(pwd) script_path=$(pwd)
@ -20,7 +20,19 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="402. Compare the leaf certificate hash against specified SHA256 message digest for the CAB file"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
../../osslsigncode sign -h sha256 \
-st "1556668800" \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
-in "test.ex_" -out "test_402.ex_"
verify_leaf_hash "$?" "402" "ex_" "@2019-05-01 00:00:00"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="403. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file" test_name="403. Compare the leaf certificate hash against specified SHA256 message digest for the MSI file"

18
tests/recipes/51_verify_time
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Verify PE/MSI file signature after the cert has been expired. # Verify PE/CAB/MSI file signature after the cert has been expired.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
@ -21,7 +21,21 @@ if test -s "test.exe"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="512. Verify CAB file signature after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-in "test.ex_" -out "test_512.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "512" "ex_" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="513. Verify MSI file signature after the cert has been expired" test_name="513. Verify MSI file signature after the cert has been expired"

19
tests/recipes/52_verify_timestamp
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Verify PE/MSI file signature with Authenticode timestamping after the cert has been expired. # Verify PE/CAB/MSI file signature with Authenticode timestamping after the cert has been expired.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="522. Verify CAB file signature with timestamping after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-in "test.ex_" -out "test_522.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "522" "ex_" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="523. Verify MSI file signature with timestamping after the cert has been expired" test_name="523. Verify MSI file signature with timestamping after the cert has been expired"

19
tests/recipes/53_verify_rfc3161
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Verify PE/MSI file signature with RFC3161 timestamping after the cert has been expired. # Verify PE/CAB/MSI file signature with RFC3161 timestamping after the cert has been expired.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="532. Verify CAB file signature with RFC3161 after the cert has been expired"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-in "test.ex_" -out "test_532.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "532" "ex_" "success" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="533. Verify MSI file signature with RFC3161 after the cert has been expired" test_name="533. Verify MSI file signature with RFC3161 after the cert has been expired"

19
tests/recipes/54_verify_expired
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Verify PE/MSI file signed with the expired cert. # Verify PE/CAB/MSI file signed with the expired cert.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="542. Verify CAB file signed with the expired cert"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
-t http://time.certum.pl/ \
-in "test.ex_" -out "test_542.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "542" "ex_" "fail" "@2025-01-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="543. Verify MSI file signed with the expired cert" test_name="543. Verify MSI file signed with the expired cert"

19
tests/recipes/55_verify_revoked
View File

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# Verify PE/MSI file signed with the revoked cert. # Verify PE/CAB/MSI file signed with the revoked cert.
. $(dirname $0)/../test_library . $(dirname $0)/../test_library
@ -22,7 +22,22 @@ if test -s "test.exe" && ! grep -q "no libcurl available" "results.log"
fi fi
# CAB file # CAB file
# Command is not supported for non-PE/non-MSI files test_name="552. Verify CAB file signed with the revoked cert"
printf "\n%s\n" "$test_name"
if test -s "test.ex_" && ! grep -q "no libcurl available" "results.log"
then
TZ=GMT faketime -f '@2019-05-01 00:00:00' /bin/bash -c '
script_path=$(pwd)
../../osslsigncode sign -h sha256 \
-certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
-ts http://time.certum.pl/ \
-in "test.ex_" -out "test_552.ex_" 2>> "results.log" 1>&2'
verify_signature "$?" "552" "ex_" "fail" "@2019-09-01 12:00:00" \
"UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
test_result "$?" "$test_name"
else
printf "Test skipped\n"
fi
# MSI file # MSI file
test_name="553. Verify MSI file signed with the revoked cert" test_name="553. Verify MSI file signed with the revoked cert"

1
tests/sources/a Normal file
View File

@ -0,0 +1 @@
aaa

1
tests/sources/b Normal file
View File

@ -0,0 +1 @@
bbb

1
tests/sources/c Normal file
View File

@ -0,0 +1 @@
ccc

0
tests/myapp.c → tests/sources/myapp.c
View File

0
tests/sample.wxs → tests/sources/sample.wxs
View File

61
tests/test_library
View File

@ -74,13 +74,8 @@ search_pattern() {
printf "Failed: $4 not found\n" printf "Failed: $4 not found\n"
elif test "$5" = "MODIFY" elif test "$5" = "MODIFY"
then then
if test "$2" != "ex_" modify_blob "$1" "$2" "$4"
then result=$?
modify_blob "$1" "$2" "$4"
result=$?
else
printf "MODIFY is not supported for CAB files\n"
fi
fi fi
return "$result" return "$result"
@ -101,21 +96,16 @@ verify_signature() {
printf "" > "verify.log" printf "" > "verify.log"
if test "$1" -eq 0 if test "$1" -eq 0
then then
if test "$3" != "ex_" cp "test_$2.$3" "test_tmp.tmp"
then TZ=GMT faketime -f "$5" /bin/bash -c '
cp "test_$2.$3" "test_tmp.tmp" printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
TZ=GMT faketime -f "$5" /bin/bash -c ' script_path=$(pwd)
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log" ../../osslsigncode verify \
script_path=$(pwd) -CAfile "${script_path}/../certs/CACert.pem" \
../../osslsigncode verify \ -CRLfile "${script_path}/../certs/CACertCRL.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \ -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
-CRLfile "${script_path}/../certs/CACertCRL.pem" \ result=$?
-in "test_tmp.tmp" 2>> "verify.log" 1>&2' rm -f "test_tmp.tmp"
result=$?
rm -f "test_tmp.tmp"
else
printf "VERIFY is not supported for CAB files\n"
fi
if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN" -a "$8" != "UNUSED_PATTERN" if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN" -a "$8" != "UNUSED_PATTERN"
then then
search_pattern "$2" "$3" "$7" "$8" "$9" search_pattern "$2" "$3" "$7" "$8" "$9"
@ -159,22 +149,17 @@ verify_leaf_hash() {
printf "" > "verify.log" printf "" > "verify.log"
if test "$1" -eq 0 if test "$1" -eq 0
then then
if test "$3" != "ex_" cp "test_$2.$3" "test_tmp.tmp"
then TZ=GMT faketime -f "$4" /bin/bash -c '
cp "test_$2.$3" "test_tmp.tmp" printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
TZ=GMT faketime -f "$4" /bin/bash -c ' script_path=$(pwd)
printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log" ../../osslsigncode verify \
script_path=$(pwd) -CAfile "${script_path}/../certs/CACert.pem" \
../../osslsigncode verify \ -CRLfile "${script_path}/../certs/CACertCRL.pem" \
-CAfile "${script_path}/../certs/CACert.pem" \ -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \
-CRLfile "${script_path}/../certs/CACertCRL.pem" \ -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
-require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \ result=$?
-in "test_tmp.tmp" 2>> "verify.log" 1>&2' rm -f "test_tmp.tmp"
result=$?
rm -f "test_tmp.tmp"
else
printf "VERIFY is not supported for CAB files\n"
fi
if test "$result" -eq 0 if test "$result" -eq 0
then then
rm -f "test_$2.$3" rm -f "test_$2.$3"

24
tests/testall.sh
View File

@ -54,22 +54,24 @@ if test "$result" -ne 0
exit $result exit $result
fi fi
# PE and CAB files support # PE files support
if test -n "$(command -v x86_64-w64-mingw32-gcc)" if test -n "$(command -v x86_64-w64-mingw32-gcc)"
then then
x86_64-w64-mingw32-gcc "../myapp.c" -o "test.exe" 2>> "results.log" 1>&2 x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "test.exe" 2>> "results.log" 1>&2
if test -n "$(command -v gcab)"
then
gcab -c "test.ex_" "test.exe" 2>> "results.log" 1>&2
else
printf "%s\n" "gcab not found in \$PATH"
printf "%s\n" "tests for CAB files skipped, please install gcab package"
fi
else else
printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH" printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH"
printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package" printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package"
fi fi
# CAB files support
if test -n "$(command -v gcab)"
then
gcab -c "test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2
else
printf "%s\n" "gcab not found in \$PATH"
printf "%s\n" "tests for CAB files skipped, please install gcab package"
fi
# MSI files support # MSI files support
if grep -q "no libgsf available" "results.log" if grep -q "no libgsf available" "results.log"
then then
@ -78,7 +80,7 @@ if grep -q "no libgsf available" "results.log"
if test -n "$(command -v wixl)" if test -n "$(command -v wixl)"
then then
touch FoobarAppl10.exe touch FoobarAppl10.exe
cp "../sample.wxs" "sample.wxs" 2>> "results.log" 1>&2 cp "../sources/sample.wxs" "sample.wxs" 2>> "results.log" 1>&2
wixl -v "sample.wxs" 2>> "results.log" 1>&2 wixl -v "sample.wxs" 2>> "results.log" 1>&2
else else
printf "%s\n" "wixl not found in \$PATH" printf "%s\n" "wixl not found in \$PATH"
@ -100,7 +102,7 @@ if test -n "$(command -v faketime)"
make_tests make_tests
result=$? result=$?
rm -f "test.exe" "test.ex_" "sample.msi" "sample.wxs" "FoobarAppl10.exe" rm -f "test.exe" "test.ex_" "sample.msi" "sample.wxs" "FoobarAppl10.exe"
rm -f "sign_pe.pem" "sign_msi.pem" "verify.log" rm -f "sign_pe.pem" "sign_cab.pem" "sign_msi.pem" "verify.log"
else else
printf "%s\n" "xxd not found in \$PATH" printf "%s\n" "xxd not found in \$PATH"
printf "%s\n" "tests skipped, please install vim-common package" printf "%s\n" "tests skipped, please install vim-common package"