- Require "Code Signing" extended key usage for authenticode verification.
- Only check for the X509_PURPOSE_CRL_SIGN purpose in CRL verification.
- Only require one valid signature for a nested signature.
By default the non-trusted time embedded in the signature is the
current time of the machine. This means that adding a signature
prevents creating reproducible/deterministic binaries.
This patch resolves that by introducing the -st <unix-time> option
where a custom time can be supplied and which will be used in the
signature. By using a point in time bound to the package (e.g.
release date or timestamp of a specific file in the source package
- or just 0 to suppress the current time), it makes it possible to
create signed binaries with reproducible/deterministic, IOW
identical signatures, regardless of when the build was done. It
also makes osslsigncode behaviour closer to signtool.exe, which by
default creates deterministic signatures (by including no
non-trusted time at all).
The patch has been used live for the last year to build curl-for-win
binaries:
https://github.com/curl/curl-for-win/blob/master/osslsigncode.patch
It also resolves this osslsigncode bug:
https://sourceforge.net/p/osslsigncode/bugs/8/#a59a
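The following shell script is an added example and is not part of the patch or of osslsigncode itself. It shows how a reproducible-build script would pick a fixed signing time and pass it to the -st option described above: SOURCE_DATE_EPOCH (the reproducible-builds convention) takes precedence, then an explicit unix time, then 0 to suppress the time entirely. It assumes a patched osslsigncode on PATH; the certificate and key paths, the SIGN_CERT/SIGN_KEY/DRY_RUN variables and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the osslsigncode project's own code): wiring the patch's
# -st <unix-time> option into a reproducible-build script. Assumes a patched
# osslsigncode on PATH; cert/key paths and variable names are placeholders.

# Pick a deterministic signing time, in order of preference:
#  1. SOURCE_DATE_EPOCH, which most reproducible-build systems already export,
#  2. an explicit unix-time argument (e.g. the release date),
#  3. 0, which suppresses the non-trusted time entirely.
resolve_sign_time() {
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        printf '%s\n' "$SOURCE_DATE_EPOCH"
    elif [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    else
        printf '0\n'
    fi
}

# Accept only a non-negative integer before it reaches -st; an empty string
# or anything with non-digits is rejected.
is_unix_time() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build (and, unless DRY_RUN=1, run) the sign command. The -st value is the
# only input that could vary between builds; every other flag is fixed so two
# builds of the same input file yield byte-identical signatures.
sign_deterministic() {
    in_exe=$1; out_exe=$2; sign_time=$(resolve_sign_time "${3:-}")
    is_unix_time "$sign_time" || { echo "bad signing time: '$sign_time'" >&2; return 2; }
    set -- osslsigncode sign \
        -certs "${SIGN_CERT:-codesign.pem}" \
        -key "${SIGN_KEY:-codesign.key}" \
        -h sha256 \
        -st "$sign_time" \
        -in "$in_exe" -out "$out_exe"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reproducibility check: sign the same input twice with the same time and
# compare the outputs. Returns 0 only when the two signed files are identical.
check_reproducible() {
    sign_deterministic "$1" "$1.sig1.exe" "$2" &&
    sign_deterministic "$1" "$1.sig2.exe" "$2" &&
    cmp -s "$1.sig1.exe" "$1.sig2.exe"
}
```

With the current machine time in the signature, check_reproducible fails on every run; with -st fed from SOURCE_DATE_EPOCH it passes regardless of when the build is executed.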
The original code handles ASN1_SET improperly, which results in INVALID
page hash SpcLink.
This commit fixes the bug. osslsigncode can now generate valid
signatures with -ph (page hash) option.