nhyatt/osslsigncode
1
0
Fork 0
mirror of https://github.com/mtrojnar/osslsigncode.git synced 2025-04-08 18:28:05 -05:00
Code Issues Projects Releases Wiki Activity
405 Commits 1 Branch 10 Tags
f9006f099a
Commit Graph

248 Commits

Author SHA1 Message Date
Michal Trojnara
2bb573219a Fix invocation without arguments 
Closes
2020-01-25 18:41:47 +01:00
olszomal
7366df707d Help () 2020-01-25 08:37:11 +01:00
olszomal
49f25a1914 CRL support with new CRLfile global option () 2020-01-25 08:25:48 +01:00
olszomal
7f6ec7607f ifdef ENABLE_CURL mistake 2019-12-28 20:34:13 +01:00
olszomal
311f5af395 signature verification 2019-12-28 20:34:13 +01:00
Michał Trojnara
2ffa5a9d69 Signing Time code refactoring 
- Code simplification.
 - Support for the -st option while timestamps are enabled.
 - Fix for a NULL pointer dereference.
 2019-09-10 23:03:35 +02:00
Viktor Szakats
5c51cab171 reword comment 2019-09-10 22:09:45 +02:00
Viktor Szakats
c72434aa08 add option to override non-trusted time in signature 
By default the non-trusted time embedded in the signature is the
current time of the machine. This means that adding a signature
prevents from creating reproducible/deterministic binaries.

This patch resolves that by introducing the -st <unix-time> option
where a custom time can be supplied and which will be used in the
signature. By using a point in time bound to the package (e.g.
release date or timestamp of a specific file in the source package
- or just 0 to suppress the current time), it makes it possible to
create signed binaries with reproducible/deterministic, IOW
identical signatures, regardless of when the build was done. It
also makes osslsigncode behaviour closer to signtool.exe, which by
default creates deterministic signatures (by include no
non-trusted time at all.)

The patch has been used live for the last year to build curl-for-win
binaries:
  https://github.com/curl/curl-for-win/blob/master/osslsigncode.patch

It also resolves this osslsigncode bug:
  https://sourceforge.net/p/osslsigncode/bugs/8/#a59a
 2019-09-10 22:09:45 +02:00
olszomal
b512aa534c some options warnings 2019-07-28 14:19:08 +02:00
olszomal
62e8ffd0c9 allow timestamping with the add command 2019-07-20 12:51:23 +02:00
Michał Trojnara
891887a974 Never overwrite or unlink an existing file 
Fixes 

The code uses the "x" file access mode flag introduced by the C11
standard (ISO/IEC 9899:2011).  It may be unsupported on Windows.
 2019-07-13 15:25:41 +02:00
Michał Trojnara
4c44cfdd76 Fix double free 2019-07-11 20:20:47 +02:00
Jemmy Wang
6c8ec4427a Fix segmentation fault 2019-07-01 22:02:17 +02:00
Jemmy Wang
c740b097df Fix SpcPageHashLink generation 
The orginal code handles ASN1_SET improperly, which results in INVALID
page hash SpcLink.
This commit fixes the bug. osslsigncode can now generate valid
signatures with -ph (page hash) option.
 2019-07-01 22:02:17 +02:00
Reimar Döffinger
0bea1ac8f6 Ensure variable is initialized. 
It seem unnecessarily risky to leave it
uninitialized when PKCS7_free is called
on it unconditionally at the end of the
function.
 2019-04-25 00:02:33 +02:00
Michał Trojnara
12966f611a Consistent DO_EXIT_n interface 2019-04-24 06:54:44 +02:00
Reimar Döffinger
044861b323 Make -pkcs11engine option optional. () 
If not specified, load all builtin engines,
most likely the pkcs11 one will be among them.
This makes the pkcs11module option much easier
to use in the most common use-cases.
 2019-04-24 06:47:53 +02:00
Michał Trojnara
bed25dcb7d Error formatting fixes 
closes
2019-04-24 06:17:31 +02:00
Reimar Döffinger
8c82f76905 Remove unused Authenticode object IDs. 2019-04-23 22:55:57 +02:00
barrybingo
342518fcbe Minorfixes () 
Replace legacy function
 2019-04-02 13:52:25 +02:00
Michał Trojnara
fe08daaa4f use OpenSSL memory allocation 2018-12-09 23:30:20 +01:00
Michał Trojnara
5a01658434 use tohex() for bin2hex conversion 2018-12-09 23:05:13 +01:00
Michał Trojnara
d007c03bb6 signed/unsigned conversion fixes 2018-12-09 22:51:15 +01:00
Michał Trojnara
a935479e7f fixed a few typos 2018-12-08 22:06:36 +01:00
Michał Trojnara
db559c4769 code simplification 
Avoid re-implementing common library functions.
 2018-12-08 21:55:15 +01:00
Michał Trojnara
2e9113cd41 code deduplication and cleanup 2018-12-08 16:56:29 +01:00
Michał Trojnara
642a290343 more consistent code formatting and indentation 2018-12-05 22:59:41 +01:00
Michał Trojnara
687bd91531 corrected OpenSSL version checks 2018-11-22 08:33:44 +01:00
Michał Trojnara
1f9f8df126 ported to OpenSSL 1.1.x 2018-11-22 07:54:27 +01:00
Per Allansson
e72a1937d1 fixed Windows / Cygwin / MinGW compile 2015-08-31 23:03:58 +02:00
Per Allansson
4ef0e54438 guard against missing defs of TRUE/FALSE 2015-08-31 20:15:01 +02:00
Per Allansson
df25781578 added -noverifypeer option to timestamping 2015-07-07 21:07:42 +02:00
Cory Fields
3be7eb1676 add the attach-signature command 
Combine a previously extracted signature with an unsigned file and output a
valid, signed result. Accepts binary or pem pkcs7 inputs.

This is helpful for a deterministic build process, where the signer is only
required to provide a detached signature and users or other builders can use
it to create an otherwise deterministic binary.
 2015-06-18 17:19:05 -04:00
Cory Fields
36715c1183 add the -pem option in extract-signature mode 
This changes the extracted output to plaintext PEM format.
 2015-06-18 17:18:44 -04:00
Per Allansson
59a42c66b6 Improved error reporting for timestamping errors (patch from Carlo Teubner) 2015-03-10 20:30:50 +01:00
Per Allansson
afd5c5177d added ability to add an unauthenticated blob a signed PE file (patch from Scott Piper) 2015-03-07 20:25:30 +01:00
Per Allansson
80b92fd778 fixed double free 2015-03-07 08:23:06 +01:00
Per Allansson
50b66a1eb4 pkcs11: don't hardcode pkcs11 engine path - use -pkcs11engine + -pkcs11module args instead 2015-03-06 22:00:48 +01:00
Leif Johansson
89af05898e pkcs11 support - initial version 2015-02-26 14:07:00 +01:00
Per Allansson
5677522790 verify: print cert serialno as well 2015-01-14 14:49:14 +01:00
Per Allansson
0c15ccc4db speed up checksum calculation (patch from Veselin Georgiev) 2015-01-06 09:08:26 +01:00
Per Allansson
a912601140 version 1.7.1 2014-07-11 06:55:08 +02:00
Mikkel Krautz
6b9774f6bc Remove reference to exsig in msi_verify_pkcs7 to fix the -DGSF_CAN_READ_METADATA build. 
This was broken due to the refactoring that happened during
the introduction of nested signature support.
 2014-07-11 06:46:58 +02:00
Mikkel Krautz
180a775702 Add sanity check for the potentially 'dangerous' combination of -add-msi-dse and -nest. 
We don't want osslsigncode to emit bad signatures when we can avoid it.
 2014-07-10 23:47:13 +02:00
Mikkel Krautz
d0c5b350e9 Remove NO_MSI_DIGITALSIGNATUREEX ifndefs. 2014-07-10 23:09:41 +02:00
Mikkel Krautz
ec3d58ad4b Add the MSI-specific flag '-add-msi-se' to the 'sign' command for explicitly adding a MsiDigitalSignatureEx section. 2014-07-10 23:01:48 +02:00
Per Allansson
9fa7e17770 version 1.7 2014-07-10 07:42:02 +02:00
Per Allansson
71838d3242 Fix a couple of GCC warnings 2014-07-10 07:33:53 +02:00
Mikkel Krautz
0b0be2f97b Disable the addition of MsiDigitalSignatureEx when signing MSI files. It does not work well with nested signatures. 2014-07-09 20:39:28 +02:00
Mikkel Krautz
fe7dd0076e Fix leaf hash corruption when verifying nested signatures. 2014-07-06 12:15:18 +02:00