nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-05 17:08:05 -05:00
Code Issues Projects Releases Wiki Activity
487 Commits 1 Branch 10 Tags
Commit Graph

298 Commits

Author SHA1 Message Date
Michal Trojnara
2bb573219a Fix invocation without arguments 
Closes #29
 2020-01-25 18:41:47 +01:00
olszomal
7366df707d Help (#27) 2020-01-25 08:37:11 +01:00
olszomal
49f25a1914 CRL support with new CRLfile global option (#28) 2020-01-25 08:25:48 +01:00
olszomal
7f6ec7607f ifdef ENABLE_CURL mistake 2019-12-28 20:34:13 +01:00
olszomal
311f5af395 signature verification 2019-12-28 20:34:13 +01:00
Michał Trojnara
2ffa5a9d69 Signing Time code refactoring 
- Code simplification.
 - Support for the -st option while timestamps are enabled.
 - Fix for a NULL pointer dereference.
 2019-09-10 23:03:35 +02:00
Viktor Szakats
5c51cab171 reword comment 2019-09-10 22:09:45 +02:00
Viktor Szakats
c72434aa08 add option to override non-trusted time in signature 
By default the non-trusted time embedded in the signature is the
current time of the machine. This means that adding a signature
prevents from creating reproducible/deterministic binaries.

This patch resolves that by introducing the -st <unix-time> option
where a custom time can be supplied and which will be used in the
signature. By using a point in time bound to the package (e.g.
release date or timestamp of a specific file in the source package
- or just 0 to suppress the current time), it makes it possible to
create signed binaries with reproducible/deterministic, IOW
identical signatures, regardless of when the build was done. It
also makes osslsigncode behaviour closer to signtool.exe, which by
default creates deterministic signatures (by include no
non-trusted time at all.)

The patch has been used live for the last year to build curl-for-win
binaries:
  https://github.com/curl/curl-for-win/blob/master/osslsigncode.patch

It also resolves this osslsigncode bug:
  https://sourceforge.net/p/osslsigncode/bugs/8/#a59a
 2019-09-10 22:09:45 +02:00
olszomal
b512aa534c some options warnings 2019-07-28 14:19:08 +02:00
olszomal
62e8ffd0c9 allow timestamping with the add command 2019-07-20 12:51:23 +02:00
Michał Trojnara
891887a974 Never overwrite or unlink an existing file 
Fixes #9

The code uses the "x" file access mode flag introduced by the C11
standard (ISO/IEC 9899:2011).  It may be unsupported on Windows.
 2019-07-13 15:25:41 +02:00
Michał Trojnara
4c44cfdd76 Fix double free 2019-07-11 20:20:47 +02:00
Jemmy Wang
6c8ec4427a Fix segmentation fault 2019-07-01 22:02:17 +02:00
Jemmy Wang
c740b097df Fix SpcPageHashLink generation 
The orginal code handles ASN1_SET improperly, which results in INVALID
page hash SpcLink.
This commit fixes the bug. osslsigncode can now generate valid
signatures with -ph (page hash) option.
 2019-07-01 22:02:17 +02:00
Reimar Döffinger
0bea1ac8f6 Ensure variable is initialized. 
It seem unnecessarily risky to leave it
uninitialized when PKCS7_free is called
on it unconditionally at the end of the
function.
 2019-04-25 00:02:33 +02:00
Michał Trojnara
12966f611a Consistent DO_EXIT_n interface 2019-04-24 06:54:44 +02:00
Reimar Döffinger
044861b323 Make -pkcs11engine option optional. (#5) 
If not specified, load all builtin engines,
most likely the pkcs11 one will be among them.
This makes the pkcs11module option much easier
to use in the most common use-cases.
 2019-04-24 06:47:53 +02:00
Michał Trojnara
bed25dcb7d Error formatting fixes 
closes #3
 2019-04-24 06:17:31 +02:00
Reimar Döffinger
8c82f76905 Remove unused Authenticode object IDs. 2019-04-23 22:55:57 +02:00
barrybingo
342518fcbe Minorfixes (#2) 
Replace legacy function
 2019-04-02 13:52:25 +02:00
Michał Trojnara
fe08daaa4f use OpenSSL memory allocation 2018-12-09 23:30:20 +01:00
Michał Trojnara
5a01658434 use tohex() for bin2hex conversion 2018-12-09 23:05:13 +01:00
Michał Trojnara
d007c03bb6 signed/unsigned conversion fixes 2018-12-09 22:51:15 +01:00
Michał Trojnara
a935479e7f fixed a few typos 2018-12-08 22:06:36 +01:00
Michał Trojnara
db559c4769 code simplification 
Avoid re-implementing common library functions.
 2018-12-08 21:55:15 +01:00
Michał Trojnara
2e9113cd41 code deduplication and cleanup 2018-12-08 16:56:29 +01:00
Michał Trojnara
642a290343 more consistent code formatting and indentation 2018-12-05 22:59:41 +01:00
Michał Trojnara
687bd91531 corrected OpenSSL version checks 2018-11-22 08:33:44 +01:00
Michał Trojnara
1f9f8df126 ported to OpenSSL 1.1.x 2018-11-22 07:54:27 +01:00
Per Allansson
e72a1937d1 fixed Windows / Cygwin / MinGW compile 2015-08-31 23:03:58 +02:00
Per Allansson
4ef0e54438 guard against missing defs of TRUE/FALSE 2015-08-31 20:15:01 +02:00
Per Allansson
df25781578 added -noverifypeer option to timestamping 2015-07-07 21:07:42 +02:00
Cory Fields
3be7eb1676 add the attach-signature command 
Combine a previously extracted signature with an unsigned file and output a
valid, signed result. Accepts binary or pem pkcs7 inputs.

This is helpful for a deterministic build process, where the signer is only
required to provide a detached signature and users or other builders can use
it to create an otherwise deterministic binary.
 2015-06-18 17:19:05 -04:00
Cory Fields
36715c1183 add the -pem option in extract-signature mode 
This changes the extracted output to plaintext PEM format.
 2015-06-18 17:18:44 -04:00
Per Allansson
59a42c66b6 Improved error reporting for timestamping errors (patch from Carlo Teubner) 2015-03-10 20:30:50 +01:00
Per Allansson
afd5c5177d added ability to add an unauthenticated blob a signed PE file (patch from Scott Piper) 2015-03-07 20:25:30 +01:00
Per Allansson
80b92fd778 fixed double free 2015-03-07 08:23:06 +01:00
Per Allansson
50b66a1eb4 pkcs11: don't hardcode pkcs11 engine path - use -pkcs11engine + -pkcs11module args instead 2015-03-06 22:00:48 +01:00
Leif Johansson
89af05898e pkcs11 support - initial version 2015-02-26 14:07:00 +01:00
Per Allansson
5677522790 verify: print cert serialno as well 2015-01-14 14:49:14 +01:00
Per Allansson
0c15ccc4db speed up checksum calculation (patch from Veselin Georgiev) 2015-01-06 09:08:26 +01:00
Per Allansson
a912601140 version 1.7.1 2014-07-11 06:55:08 +02:00
Mikkel Krautz
6b9774f6bc Remove reference to exsig in msi_verify_pkcs7 to fix the -DGSF_CAN_READ_METADATA build. 
This was broken due to the refactoring that happened during
the introduction of nested signature support.
 2014-07-11 06:46:58 +02:00
Mikkel Krautz
180a775702 Add sanity check for the potentially 'dangerous' combination of -add-msi-dse and -nest. 
We don't want osslsigncode to emit bad signatures when we can avoid it.
 2014-07-10 23:47:13 +02:00
Mikkel Krautz
d0c5b350e9 Remove NO_MSI_DIGITALSIGNATUREEX ifndefs. 2014-07-10 23:09:41 +02:00
Mikkel Krautz
ec3d58ad4b Add the MSI-specific flag '-add-msi-se' to the 'sign' command for explicitly adding a MsiDigitalSignatureEx section. 2014-07-10 23:01:48 +02:00
Per Allansson
9fa7e17770 version 1.7 2014-07-10 07:42:02 +02:00
Per Allansson
71838d3242 Fix a couple of GCC warnings 2014-07-10 07:33:53 +02:00
Mikkel Krautz
0b0be2f97b Disable the addition of MsiDigitalSignatureEx when signing MSI files. It does not work well with nested signatures. 2014-07-09 20:39:28 +02:00
Mikkel Krautz
fe7dd0076e Fix leaf hash corruption when verifying nested signatures. 2014-07-06 12:15:18 +02:00