nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-04 17:00:11 -05:00
Code Issues Projects Releases Wiki Activity

file format fixes

Browse Source
This commit is contained in:
Michał Trojnara 2018-12-04 22:06:35 +01:00
parent 9b2df1c2fc
commit 6bc9105793
5 changed files with 97 additions and 103 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CHANGELOG.md
View File

@ -1,4 +1,4 @@
=== 2.0 (2018-xx-xx)
### 2.0 (2018-xx-xx)
- ported to OpenSSL 1.1.x
- ported to SoftHSM2
@ -7,21 +7,21 @@
- improved error reporting of timestamping errors
(Patch from Carlo Teubner)
=== 1.7.1 (2014-07-11)
### 1.7.1 (2014-07-11)
- MSI: added -add-msi-dse option
(Patch from Mikkel Krautz)
- MSI: fix build when GSF_CAN_READ_MSI_METADATA defined
(Patch from Mikkel Krautz)
=== 1.7 (2014-07-10)
### 1.7 (2014-07-10)
- add support for nested signatures
(Patch from Mikkel Krautz)
- fix compilation problem with OpenSSL < 1.0.0
- added OpenSSL linkage exception to license
=== 1.6 (2014-01-21)
### 1.6 (2014-01-21)
- add support for reading password from file
- add support for asking for password (on systems that
@ -44,16 +44,16 @@
- PE/MSI: Implement -require-leaf-hash for verify.
(Patch from Mikkel Krautz)
=== 1.5.2 (2013-03-13)
### 1.5.2 (2013-03-13)
- added support for signing with SHA-384 and SHA-512
- added support for page hashing (-ph option)
=== 1.5.1 (2013-03-12)
### 1.5.1 (2013-03-12)
- forgot to bump version number...
=== 1.5 (2013-03-12)
### 1.5 (2013-03-12)
- added support for signing MSI files (patch from Marc-André Lureau)
- calculate correct PE checksum instead of setting it to 0
@ -66,8 +66,7 @@
- added support for reading certificates from PEM files
- renamed program option: -spc to -certs (old option name still valid)
=== 1.4 (2011-08-12)
### 1.4 (2011-08-12)
- improved build system (patch from Alon Bar-Lev)
- support reading cert+key from PKCS12 file (patch from Alon Bar-Lev)
@ -75,17 +74,17 @@
- added support for sha1/sha256 - default hash is now sha1
- added flag for commercial signing (default is individual)
=== 1.3.1 (2009-08-07)
### 1.3.1 (2009-08-07)
- support signing of 64-bit executables (fix from Paul Kendall)
=== 1.3 (2008-01-31)
### 1.3 (2008-01-31)
- fixed padding problem (fix from Ryan Rubley)
- allow signing of already signed files (fix from Ryan Rubley)
- added Ryan Rubley's PVK-to-DER guide into the README
=== 1.2 (2005-01-21)
### 1.2 (2005-01-21)
- autoconf:ed (Thanks to Roy Keene)
- added documentation
@ -94,6 +93,6 @@
- compiles without curl, which means no timestamping
- version number output
=== 1.1 (2005-01-19)
### 1.1 (2005-01-19)
- Initial release

3
LICENSE.txt
View File

@ -1,4 +1,3 @@
/*
OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
@ -29,5 +28,3 @@
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.
*/

54
README.md
View File

@ -1,16 +1,14 @@
osslsigncode
============
== WHAT IS IT?
## WHAT IS IT?
osslsigncode is a small tool that implements part of the functionality
of the Microsoft tool signtool.exe - more exactly the Authenticode
signing and timestamping. But osslsigncode is based on OpenSSL and cURL,
and thus should be able to compile on most platforms where these exist.
== WHY?
## WHY?
Why not use signtool.exe? Because I don't want to go to a Windows
machine every time I need to sign a binary - I can compile and build
@ -19,8 +17,7 @@ since the signtool.exe makes good use of the CryptoAPI in Windows, and
these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe
tool would fail. And, so, osslsigncode was born.
== WHAT CAN IT DO?
## WHAT CAN IT DO?
It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
@ -28,17 +25,16 @@ valid signature for a CAB file containing Java files. It supports getting
the timestamp through a proxy as well. It also supports signature verification,
removal and extraction.
== INSTALLATION
## INSTALLATION
The usual way:
```
./configure
make
make install
```
== USAGE
## USAGE
Before you can sign a file you need a Software Publishing
Certificate (spc) and a corresponding private key.
@ -54,39 +50,39 @@ key which must be a key file in DER or PEM format, or if osslsigncode was
compiled against OpenSSL 1.0.0 or later, in PVK format.
To sign a PE or MSI file you can now do:
```
osslsigncode sign -certs <cert-file> -key <der-key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
```
or if you are using a PEM or PVK key file with a password together
with a PEM certificate:
```
osslsigncode sign -certs <cert-file> \
-key <key-file> -pass <key-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
```
or if you want to add a timestamp as well:
```
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-in yourapp.exe -out yourapp-signed.exe
```
You can use a certificate and key stored in a PKCS#12 container:
```
osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
```
To sign a CAB file containing java class files:
```
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-jp low \
-in yourapp.cab -out yourapp-signed.cab
```
Only the 'low' parameter is currently supported.
You can check that the signed file is correct by right-clicking
@ -95,9 +91,7 @@ and then choose the signature from the list, and click on
Details. You should then be presented with a dialog that says
amongst other things that "This digital signature is OK".
== CONVERTING FROM PVK TO DER
## CONVERTING FROM PVK TO DER
(This guide was written by Ryan Rubley)
@ -118,20 +112,22 @@ PVK.EXE. This can currently be downloaded at
http://support.globalsign.net/en/objectsign/PVK.zip
Run: pvk -in foo.pvk -nocrypt -out foo.pem
Run:
```
pvk -in foo.pvk -nocrypt -out foo.pem
```
This will convert your PVK file to a PEM file.
From there, you can copy the PEM file to a Linux box, and run:
```
openssl rsa -outform der -in foo.pem -out foo.der
```
This will convert your PEM file to a DER file.
You need the *.p7b and *.der files to use osslsigncode, instead of your
*.spc and *.pvk files.
== BUGS, QUESTIONS etc.
## BUGS, QUESTIONS etc.
Send an email to pallansson@gmail.com

5
README.unauthblob.md
View File

@ -1,7 +1,9 @@
# This is NOT the official repo for osslsigncode
This project was copied from osslsigncode 1.7.1 to apply some patches for compiling with cygwin and being able to add unauthenticated blobs. The official source for the project is at: http://sourceforge.net/projects/osslsigncode/
## Features added
Adds the argument "-addUnauthenticatedBlob" to add a 1024 byte unauthenticated blob of data to the signature in the same area as the timestamp. This can be used while signing, while timestamping (new `add` command added to allow just time-stamping, after a file has been code signed, or by itself.
Examples:
@ -34,10 +36,9 @@ This technique (but not this project) is used by Dropbox, GoToMeeting, and Summi
- https://tech.dropbox.com/2014/08/tech-behind-dropboxs-new-user-experience-for-mobile/
- http://blogs.msdn.com/b/ieinternals/archive/2014/09/04/personalizing-installers-using-unauthenticated-data-inside-authenticode-signed-binaries.aspx
## WARNING
The capability this adds can allow you to do dumb things. Be very careful with what you put in the unauthenticated blob, as an attacker could modify this. Do NOT under any circumstances put a URL here that you will use to download an additional file. If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect. You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data. Basically, be VERY careful.
The capability this adds can allow you to do dumb things. Be very careful with what you put in the unauthenticated blob, as an attacker could modify this. Do NOT under any circumstances put a URL here that you will use to download an additional file. If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect. You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data. Basically, be VERY careful.
## Compiling under cygwin

5
misc/softhsm-example-token/README.txt → misc/softhsm-example-token/README.md
View File

@ -1,3 +1,4 @@
# softhsm-example-token
This directory contains a basic setup for testing pkcs11-support. If you get
this to work you have a decent chance of using your real HSM or hardware token.
@ -10,9 +11,9 @@ You need the following packages (ubuntu/debian names):
Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
"secret1". To use this token with osslsigncode try something like this (from this
directory):
```
../../osslsigncode sign \
-pkcs11engine /usr/lib/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib/libsofthsm2.so -key a1b2 -certs test.crt ...
```
Use 'secret1' as the password at the prompt.