- Require "Code Signing" extended key usage for authenticode verification.
- Only check for the X509_PURPOSE_CRL_SIGN purpose in CRL verification.
- Only require one valid signature for a nested signature.

By default the non-trusted time embedded in the signature is the
current time of the machine. This means that adding a signature
prevents creating reproducible/deterministic binaries.
This patch resolves that by introducing the -st <unix-time> option
where a custom time can be supplied and which will be used in the
signature. By using a point in time bound to the package (e.g.
release date or timestamp of a specific file in the source package
- or just 0 to suppress the current time), it makes it possible to
create signed binaries with reproducible/deterministic, IOW
identical signatures, regardless of when the build was done. It
also makes osslsigncode behaviour closer to signtool.exe, which by
default creates deterministic signatures (by including no
non-trusted time at all).
The patch has been used live for the last year to build curl-for-win
binaries:
https://github.com/curl/curl-for-win/blob/master/osslsigncode.patch
It also resolves this osslsigncode bug:
https://sourceforge.net/p/osslsigncode/bugs/8/#a59a

The original code handles ASN1_SET improperly, which results in an INVALID
page hash SpcLink.
This commit fixes the bug. osslsigncode can now generate valid
signatures with -ph (page hash) option.

If not specified, load all builtin engines;
most likely the pkcs11 one will be among them.
This makes the pkcs11module option much easier
to use in the most common use-cases.

Combine a previously extracted signature with an unsigned file and output a
valid, signed result. Accepts binary or PEM PKCS#7 inputs.
This is helpful for a deterministic build process, where the signer is only
required to provide a detached signature and users or other builders can use
it to create an otherwise deterministic binary.
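
Added example, not code from osslsigncode, from the curl-for-win patch or from any of the commits above. It ties together the -st message (deterministic signing time) and the detached-signature message directly above: a POSIX shell helper that picks the signing time from the package rather than the clock (SOURCE_DATE_EPOCH if set, else the git commit time of the source checkout, else 0), signs the same unsigned file twice with that -st value and checks that the two outputs are byte-identical, then extracts the signature as PEM and attaches it to the unsigned file again to show that a builder holding only the detached signature ends up with the same signed binary. The certificate and key file names (signer.pem, signer.key), the -n description and the output file names are placeholders; the sign, extract-signature and attach-signature invocations assume the command syntax of current osslsigncode releases.

```shell
#!/bin/sh
# Added example (not osslsigncode's or the patch author's code).
# Reproducible Authenticode signing around the -st option, plus a
# detached-signature round trip.  signer.pem / signer.key and the output
# names are placeholders (assumptions), as is the "Example" description.
set -eu

# Pick the non-trusted signing time from the package, not from the clock:
#   1. SOURCE_DATE_EPOCH if set (the reproducible-builds convention),
#   2. else the commit time of the source checkout in $1,
#   3. else 0, which suppresses the current time entirely.
signing_epoch() {
    srcdir=${1:-.}
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        case $SOURCE_DATE_EPOCH in
            *[!0-9]*) ;;                       # not a plain integer: ignore it
            *) echo "$SOURCE_DATE_EPOCH"; return 0 ;;
        esac
    fi
    if ts=$(git -C "$srcdir" log -1 --format=%ct 2>/dev/null) && [ -n "$ts" ]; then
        echo "$ts"; return 0
    fi
    echo 0
}

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sign $1 twice with the same -st value; succeed only if both outputs are
# byte-identical.  With -st (and -ph for page hashes) nothing in the
# signature depends on when the build ran.
sign_twice_and_compare() {
    unsigned=$1; epoch=$2
    osslsigncode sign -certs signer.pem -key signer.key -h sha256 -ph \
        -n "Example" -st "$epoch" -in "$unsigned" -out "$unsigned.a.exe"
    osslsigncode sign -certs signer.pem -key signer.key -h sha256 -ph \
        -n "Example" -st "$epoch" -in "$unsigned" -out "$unsigned.b.exe"
    [ "$(sha256_of "$unsigned.a.exe")" = "$(sha256_of "$unsigned.b.exe")" ]
}

# Detach the signature from a signed binary and attach it to the unsigned
# one.  Because the signature is deterministic, the re-attached file must
# match the directly signed one: a builder who only receives the detached
# signature can reproduce the signed binary from the unsigned build.
roundtrip_detached() {
    unsigned=$1; signed=$2
    osslsigncode extract-signature -pem -in "$signed" -out "$signed.sig.pem"
    osslsigncode attach-signature -sigin "$signed.sig.pem" -in "$unsigned" \
        -out "$unsigned.reattached.exe"
    [ "$(sha256_of "$signed")" = "$(sha256_of "$unsigned.reattached.exe")" ]
}

main() {
    if ! command -v osslsigncode >/dev/null 2>&1; then
        echo "osslsigncode not found; nothing to sign" >&2; return 1
    fi
    unsigned=${1:?usage: $0 unsigned.exe [srcdir]}
    epoch=$(signing_epoch "${2:-.}")
    echo "signing time: $epoch"
    sign_twice_and_compare "$unsigned" "$epoch" \
        && echo "signatures are reproducible"
    roundtrip_detached "$unsigned" "$unsigned.a.exe" \
        && echo "detached signature re-attaches to an identical file"
}

# Run the pipeline only when an input file is given, so the helper
# functions can also be sourced from another script.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `sh sign-reproducible.sh unsigned.exe path/to/source` (placeholder names). Note that the time passed with -st is still the non-trusted signing time; it fixes the bytes of the signature but gives no proof of when signing happened, so a trusted timestamp from a TSA (-t) remains a separate, non-deterministic concern.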