release 2.3

Signed-off-by: Michał Trojnara <Michal.Trojnara@stunnel.org>

.gitignore

@@ -15,7 +15,10 @@ install-sh
 missing
 osslsigncode
 osslsigncode.o
+msi.o
 stamp-h1
+INSTALL
+COPYING
 
 .#*#
 .*.bak
@@ -40,3 +43,7 @@ stamp-h1
 *~
 *.gz
 *.bz2
+
+**/*.log
+!myapp.exe
+*.pem

INSTALL.W32.md

@@ -0,0 +1,96 @@
+# osslsigncode Windows install notes
+
+### Building osslsigncode source with MSYS2 MinGW 64-bit and MSYS2 packages:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even mingw-w64-x86_64-gcc, mingw-w64-x86_64-curl.
+```
+  pacman -S mingw-w64-x86_64-gcc mingw-w64-x86_64-curl
+```
+   mingw-w64-x86_64-openssl and mingw-w64-x86_64-zlib packages are installed with dependencies.
+
+2) Run "MSYS2 MinGW 64-bit" and build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c msi.h -o osslsigncode.exe \
+    -lcrypto -lssl -lcurl \
+    -D 'PACKAGE_STRING="osslsigncode 2.3"' \
+    -D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
+    -D ENABLE_CURL
+```
+
+3) Run "Command prompt" and include "c:\msys64\mingw64\bin" folder as part of the path.
+```
+  path=%path%;c:\msys64\mingw64\bin
+  cd osslsigncode-folder
+  osslsigncode.exe -v
+  osslsigncode 2.3, using:
+        OpenSSL 1.1.1g  21 Apr 2020 (Library: OpenSSL 1.1.1g  21 Apr 2020)
+        libcurl/7.70.0 OpenSSL/1.1.1g (Schannel) zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0
+        libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.40.0
+```
+
+
+### Building OpenSSL, Curl and osslsigncode sources with MSYS2 MinGW 64-bit:
+
+1) Download and install MSYS2 from https://msys2.github.io/ and follow installation instructions.
+   Once up and running install even: perl make autoconf automake libtool pkg-config.
+```
+  pacman -S perl make autoconf automake libtool pkg-config
+```
+   Make sure there are no curl, brotli, libpsl, libidn2 and nghttp2 packages installed:
+```
+  pacman -R mingw-w64-x86_64-curl \
+    mingw-w64-x86_64-brotli \
+    mingw-w64-x86_64-libpsl \
+    mingw-w64-x86_64-libidn2 \
+    mingw-w64-x86_64-nghttp2
+```
+
+   Run "MSYS2 MinGW 64-bit" in the administrator mode.
+
+2) Build and install OpenSSL.
+```
+  cd openssl-(version)
+  ./config --prefix='C:/OpenSSL' --openssldir='C:/OpenSSL'
+  make && make install
+```
+ 3) Build and install curl.
+```
+  cd curl-(version)
+  ./buildconf
+  ./configure --prefix='C:/curl' --with-ssl='C:/OpenSSL' \
+    --disable-ftp --disable-tftp --disable-file --disable-dict \
+    --disable-telnet --disable-imap --disable-smb --disable-smtp \
+    --disable-gopher --disable-pop --disable-pop3 --disable-rtsp \
+    --disable-ldap --disable-ldaps --disable-unix-sockets \
+    --disable-pthreads --without-zstd
+  make && make install
+```
+
+3) Build 64-bit Windows executables.
+```
+  cd osslsigncode-folder
+  x86_64-w64-mingw32-gcc osslsigncode.c msi.c msi.h -o osslsigncode.exe \
+    -L 'C:/OpenSSL/lib/' -lcrypto -lssl \
+    -I 'C:/OpenSSL/include/' \
+    -L 'C:/curl/lib' -lcurl \
+    -I 'C:/curl/include' \
+    -D 'PACKAGE_STRING="osslsigncode 2.3"' \
+    -D 'PACKAGE_BUGREPORT="Michal.Trojnara@stunnel.org"' \
+    -D ENABLE_CURL
+```
+
+4) Run "Command prompt" and copy required libraries.
+```
+  cd osslsigncode-folder
+  copy C:\OpenSSL\bin\libssl-1_1-x64.dll
+  copy C:\OpenSSL\bin\libcrypto-1_1-x64.dll
+  copy C:\curl\bin\libcurl-4.dll
+  copy C:\msys64\mingw64\bin\zlib1.dll
+
+  osslsigncode.exe -v
+  osslsigncode 2.3, using:
+        OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1k  25 Mar 2021)
+        libcurl/7.78.0 OpenSSL/1.1.1k zlib/1.2.11
+```

LICENSE.txt

@@ -1,7 +1,7 @@
 OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
 
 Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
-Copyright (C) 2018 Michał Trojnara <Michal.Trojnara@stunnel.org>
+Copyright (C) 2018-2019 Michał Trojnara <Michal.Trojnara@stunnel.org>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

Makefile.am

@@ -8,9 +8,14 @@ MAINTAINERCLEANFILES = \
 	$(srcdir)/config.guess $(srcdir)/config.sub
 EXTRA_DIST = .gitignore
 
-AM_CFLAGS = $(GSF_CFLAGS) $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
+AM_CFLAGS = $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
 
 bin_PROGRAMS = osslsigncode
 
-osslsigncode_SOURCES = osslsigncode.c
-osslsigncode_LDADD = $(GSF_LIBS) $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
+osslsigncode_SOURCES = osslsigncode.c msi.c msi.h
+osslsigncode_LDADD = $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
+
+# bash completion script
+AM_DISTCHECK_CONFIGURE_FLAGS = --with-bashcompdir='$$(datarootdir)/bash-completion/completions'
+bashcompdir = @bashcompdir@
+dist_bashcomp_DATA = osslsigncode.bash

NEWS.md

@@ -1,3 +1,41 @@
+# osslsigncode change log
+
+### 2.3 (2022.03.06)
+
+**CRITICAL SECURITY VULNERABILITIES**
+
+This release fixes several critical memory corruption vulnerabilities.
+A malicious attacker could create a file, which, when processed with
+osslsigncode, triggers arbitrary code execution.  Any previous version
+of osslsigncode should be immediately upgraded if the tool is used for
+processing of untrusted files.
+
+- fixed several memory safety issues
+- fixed non-interactive PVK (MSBLOB) key decryption
+- added a bash completion script
+- added CA bundle path auto-detection
+
+### 2.2 (2021.08.15)
+
+- CAT files support (thanks to James McKenzie)
+- MSI support rewritten without libgsf dependency, which allows
+  for handling of all the needed MSI metadata, such as dates
+- "-untrusted" option renamed to "-TSA-CAfile"
+- "-CRLuntrusted" option renamed to "-TSA-CRLfile"
+- numerous bug fixes and improvements
+
+### 2.1 (2020-10-11)
+
+- certificate chain verification support
+- timestamp verification support
+- CRL verification support ("-CRLfile" option)
+- improved CAB signature support
+- nested signatures support
+- user-specified signing time ("-st" option) by vszakats
+- added more tests
+- fixed numerous bugs
+- dropped OpenSSL 1.1.0 support
+
 ### 2.0 (2018-12-04)
 
 - orphaned project adopted by Michał Trojnara

README.md

@@ -19,19 +19,53 @@ tool  would fail. And, so, osslsigncode was born.
 
 ## WHAT CAN IT DO?
 
-It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
-the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
-valid signature for a CAB file containing Java files. It supports getting
-the timestamp through a proxy as well. It also supports signature verification,
-removal and extraction.
+It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files.
+It supports the equivalent of signtool.exe's "-j javasign.dll -jp low",
+i.e. add a valid signature for a CAB file containing Java files.
+It supports getting the timestamp through a proxy as well. It also
+supports signature verification, removal and extraction.
 
-## INSTALLATION
+## BUILDING
 
-The usual way:
+This section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.
+See [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.
+
+### Generate the ./configure script
+
+This step is only needed if osslsigncode was cloned from a git repository.
+We highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead.
+
+* Install prerequisites on a Debian-based distributions, such as Ubuntu:
 ```
-  ./configure
-  make
-  make install
+  sudo apt update && sudo apt install automake pkg-config
+```
+
+* Install prerequisites on macOS with Homebrew:
+```
+  brew install automake pkg-config
+```
+
+* Generate the ./configure script:
+```
+  ./bootstrap
+```
+
+### Configure, build and install osslsigncode
+
+* Install prerequisites on a Debian-based distributions, such as Ubuntu:
+```
+  sudo apt update && sudo apt install build-essential pkg-config libssl-dev libcurl4-openssl-dev
+```
+
+* Install prerequisites on macOS with Homebrew:
+```
+  brew install pkg-config openssl@1.1
+  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
+```
+
+* Configure, build and install osslsigncode:
+```
+  ./configure && make && sudo make install
 ```
 
 ## USAGE
@@ -67,7 +101,7 @@ or if you want to add a timestamp as well:
 ```
   osslsigncode sign -certs <cert-file> -key <key-file> \
     -n "Your Application" -i http://www.yourwebsite.com/ \
-    -t http://timestamp.verisign.com/scripts/timstamp.dll \
+    -t http://timestamp.digicert.com \
     -in yourapp.exe -out yourapp-signed.exe
 ```
 You can use a certificate and key stored in a PKCS#12 container:
@@ -85,6 +119,17 @@ To sign a CAB file containing java class files:
 ```
 Only the 'low' parameter is currently supported.
 
+If you want to use PKCS11 token, you should indicate PKCS11 engine and module.
+An example of using osslsigncode with SoftHSM:
+```
+  osslsigncode sign \
+    -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
+    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
+    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
+    -key 'pkcs11:token=softhsm-token;object=key' \
+    -in yourapp.exe -out yourapp-signed.exe
+```
+
 You can check that the signed file is correct by right-clicking
 on it in Windows and choose Properties --> Digital Signatures,
 and then choose the signature from the list, and click on
@@ -110,7 +155,7 @@ use instead of your *.spc file. It's the same basic thing, in a different format
 For your PVK file, you will need to download a little utility called
 PVK.EXE. This can currently be downloaded at
 
-  http://support.globalsign.net/en/objectsign/PVK.zip
+  https://www.globalsign.com/support/code-signing/PVK.zip
 
 Run:
 ```
@@ -129,7 +174,9 @@ You need the *.p7b and *.der files to use osslsigncode, instead of your
 
 ## BUGS, QUESTIONS etc.
 
-Send an email to pallansson@gmail.com
+Check whether your your question or suspected bug was already
+discussed on https://github.com/mtrojnar/osslsigncode/issues.
+Otherwise, open a new issue.
 
 BUT, if you have questions related to generating spc files,
 converting between different formats and so on, *please*

README.unauthblob.md

@@ -14,7 +14,7 @@ osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_passwo
 
 ```
 # Example 2. Timestamp and add blob to signed file 
-osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.verisign.com/scripts/timstamp.dll -in your_signed_file.exe -out out.exe
+osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe
 ```
 
 ```

TODO.md

@@ -1,8 +1,5 @@
 - signature extraction/removal/verificaton on MSI/CAB files
-- improved signature verification on PE files
 - clean up / untangle code
 - separate timestamping
-- man page
 - remove mmap usage to increase portability
-- tests
 - fix other stuff marked 'XXX'

bootstrap

@@ -0,0 +1,2 @@
+#!/bin/sh
+autoreconf --verbose --install --force

configure.ac

@@ -1,12 +1,21 @@
 AC_PREREQ(2.60)
 
-AC_INIT([osslsigncode], [1.7.1], [pallansson@gmail.com])
+AC_INIT([osslsigncode], [2.3.0], [Michal.Trojnara@stunnel.org])
 AC_CONFIG_AUX_DIR([.])
 AC_CONFIG_HEADERS([config.h])
 AM_INIT_AUTOMAKE
 
 AC_CONFIG_SRCDIR([osslsigncode.c])
 
+# bash completion support
+AC_ARG_WITH([bashcompdir],
+    AS_HELP_STRING([--with-bashcompdir=DIR], [directory for bash completions]), ,
+    [PKG_CHECK_VAR([with_bashcompdir], [bash-completion], [completionsdir], ,
+        [with_bashcompdir="${datarootdir}/bash-completion/completions"])])
+AC_MSG_CHECKING([for bashcompdir])
+AC_MSG_RESULT([$with_bashcompdir])
+AC_SUBST([bashcompdir], [$with_bashcompdir])
+
 dnl Checks for programs.
 AC_PROG_CC
 AC_USE_SYSTEM_EXTENSIONS
@@ -77,33 +86,19 @@ AC_CHECK_LIB(
 AC_CHECK_HEADERS([termios.h])
 AC_CHECK_FUNCS(getpass)
 
-AC_ARG_WITH([gsf],
-        AS_HELP_STRING([--without-gsf], [Ignore presence of libgsf and disable it])
-)
-AS_IF([test "x$with_gsf" != "xno"],
-        [PKG_CHECK_MODULES([GSF], [libgsf-1], [have_gsf=yes], [have_gsf=no])],
-        [have_gsf=no]
-)
-AS_IF([test "x$have_gsf" = "xyes"],
-        [AC_DEFINE([WITH_GSF], 1, [Have libgsf?])],
-        [AS_IF([test "x$with_gsf" = "xyes"],
-                [AC_MSG_ERROR([libgsf requested but not found])])]
-)
-
-
 PKG_CHECK_MODULES(
 	[OPENSSL],
-	[libcrypto >= 1.1.0],
+	[libcrypto >= 1.1.1],
 	,
 	[PKG_CHECK_MODULES(
 		[OPENSSL],
-		[openssl >= 1.1.0],
+		[openssl >= 1.1.1],
 		,
 		[AC_CHECK_LIB(
 			[crypto],
-			[RSA_verify],
+			[EVP_MD_CTX_new],
 			[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
-			[AC_MSG_ERROR([OpenSSL 1.1.0 or later is required. http://www.openssl.org/])],
+			[AC_MSG_ERROR([OpenSSL 1.1.1 or later is required. https://www.openssl.org/])],
 			[${DL_LIBS}]
 		)]
 	)]
@@ -123,7 +118,13 @@ PKG_CHECK_MODULES(
 )
 
 if test "${with_curl}" = "yes"; then
-	test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR([Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/])
+	test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR(m4_normalize([
+		Curl 7.12.0 or later required for timestamping support http://curl.haxx.se/
+		m4_newline() or libcurl development package not found, try installing:
+		m4_newline() * libcurl4-openssl-dev (Debian, Ubuntu)
+		m4_newline() * libcurl-devel (Fedora, CentOS, RHEL)
+		m4_newline() * libcurl_dev (Solaris)
+		]))
 	OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
 	OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
 	AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
@@ -134,3 +135,5 @@ AC_SUBST([OPTIONAL_LIBCURL_LIBS])
 
 AC_CONFIG_FILES([Makefile])
 AC_OUTPUT
+
+# vim: set ts=4 noexpandtab:

msi.h

@@ -0,0 +1,237 @@
+/*
+ * MSI file support library
+ *
+ * Copyright (C) 2021 Michał Trojnara <Michal.Trojnara@stunnel.org>
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ *
+ * Reference specifications:
+ * http://en.wikipedia.org/wiki/Compound_File_Binary_Format
+ * https://msdn.microsoft.com/en-us/library/dd942138.aspx
+ * https://github.com/microsoft/compoundfilereader
+ */
+
+#include <stdint.h>
+#include <openssl/safestack.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+
+#define MAXREGSECT       0xfffffffa   /* maximum regular sector number */
+#define DIFSECT          0xfffffffc   /* specifies a DIFAT sector in the FAT */
+#define FATSECT          0xfffffffd   /* specifies a FAT sector in the FAT */
+#define ENDOFCHAIN       0xfffffffe   /* end of a linked chain of sectors */
+#define NOSTREAM         0xffffffff   /* terminator or empty pointer */
+#define FREESECT         0xffffffff   /* empty unallocated free sectors */
+
+#define DIR_UNKNOWN      0
+#define DIR_STORAGE      1
+#define DIR_STREAM       2
+#define DIR_ROOT         5
+
+#define RED_COLOR        0
+#define BLACK_COLOR      1
+
+#define DIFAT_IN_HEADER             109
+#define MINI_STREAM_CUTOFF_SIZE     0x00001000 /* 4096 bytes */
+#define HEADER_SIZE                 0x200  /* 512 bytes, independent of sector size */
+#define MAX_SECTOR_SIZE             0x1000 /* 4096 bytes */
+
+#define HEADER_SIGNATURE            0x00   /* 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1 */
+#define HEADER_CLSID                0x08   /* reserved and unused */
+#define HEADER_MINOR_VER            0x18   /* SHOULD be set to 0x003E */
+#define HEADER_MAJOR_VER            0x1a   /* MUST be set to either 0x0003 (version 3) or 0x0004 (version 4) */
+#define HEADER_BYTE_ORDER           0x1c   /* 0xfe 0xff == Intel Little Endian */
+#define HEADER_SECTOR_SHIFT         0x1e   /* MUST be set to 0x0009, or 0x000c */
+#define HEADER_MINI_SECTOR_SHIFT    0x20   /* MUST be set to 0x0006 */
+#define RESERVED                    0x22   /* reserved and unused */
+#define HEADER_DIR_SECTORS_NUM      0x28
+#define HEADER_FAT_SECTORS_NUM      0x2c
+#define HEADER_DIR_SECTOR_LOC       0x30
+#define HEADER_TRANSACTION          0x34
+#define HEADER_MINI_STREAM_CUTOFF   0x38   /* 4096 bytes */
+#define HEADER_MINI_FAT_SECTOR_LOC  0x3c
+#define HEADER_MINI_FAT_SECTORS_NUM 0x40
+#define HEADER_DIFAT_SECTOR_LOC     0x44
+#define HEADER_DIFAT_SECTORS_NUM    0x48
+#define HEADER_DIFAT                0x4c
+
+#define DIRENT_SIZE                 0x80   /* 128 bytes */
+#define DIRENT_MAX_NAME_SIZE        0x40   /* 64 bytes */
+
+#define DIRENT_NAME                 0x00
+#define DIRENT_NAME_LEN             0x40   /* length in bytes incl 0 terminator */
+#define DIRENT_TYPE                 0x42
+#define DIRENT_COLOUR               0x43
+#define DIRENT_LEFT_SIBLING_ID      0x44
+#define DIRENT_RIGHT_SIBLING_ID     0x48
+#define DIRENT_CHILD_ID             0x4c
+#define DIRENT_CLSID                0x50
+#define DIRENT_STATE_BITS           0x60
+#define DIRENT_CREATE_TIME          0x64
+#define DIRENT_MODIFY_TIME          0x6c
+#define DIRENT_START_SECTOR_LOC     0x74
+#define DIRENT_FILE_SIZE            0x78
+
+#define GET_UINT8_LE(p) ((u_char*)(p))[0]
+
+#define GET_UINT16_LE(p) (uint16_t)(((u_char*)(p))[0] | (((u_char*)(p))[1]<<8))
+
+#define GET_UINT32_LE(p) (uint32_t)(((u_char*)(p))[0] | (((u_char*)(p))[1]<<8) | \
+			(((u_char*)(p))[2]<<16) | (((u_char*)(p))[3]<<24))
+
+#define PUT_UINT8_LE(i,p) \
+	((u_char*)(p))[0] = (i) & 0xff;
+
+#define PUT_UINT16_LE(i,p) \
+	((u_char*)(p))[0] = (i) & 0xff; \
+	((u_char*)(p))[1] = ((i)>>8) & 0xff
+
+#define PUT_UINT32_LE(i,p) \
+	((u_char*)(p))[0] = (i) & 0xff; \
+	((u_char*)(p))[1] = ((i)>>8) & 0xff; \
+	((u_char*)(p))[2] = ((i)>>16) & 0xff; \
+	((u_char*)(p))[3] = ((i)>>24) & 0xff
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#define SIZE_64K 65536			/* 2^16 */
+#define SIZE_16M 16777216		/* 2^24 */
+
+typedef unsigned char u_char;
+
+typedef struct {
+	u_char signature[8];      /* 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 */
+	u_char unused_clsid[16];  /* reserved and unused */
+	uint16_t minorVersion;
+	uint16_t majorVersion;
+	uint16_t byteOrder;
+	uint16_t sectorShift;     /* power of 2 */
+	uint16_t miniSectorShift; /* power of 2 */
+	u_char reserved[6];       /* reserved and unused */
+	uint32_t numDirectorySector;
+	uint32_t numFATSector;
+	uint32_t firstDirectorySectorLocation;
+	uint32_t transactionSignatureNumber; /* reserved */
+	uint32_t miniStreamCutoffSize;
+	uint32_t firstMiniFATSectorLocation;
+	uint32_t numMiniFATSector;
+	uint32_t firstDIFATSectorLocation;
+	uint32_t numDIFATSector;
+	uint32_t headerDIFAT[DIFAT_IN_HEADER];
+} MSI_FILE_HDR;
+
+typedef struct {
+	u_char name[DIRENT_MAX_NAME_SIZE];
+	uint16_t nameLen;
+	uint8_t type;
+	uint8_t colorFlag;
+	uint32_t leftSiblingID;
+	uint32_t rightSiblingID;
+	uint32_t childID;
+	u_char clsid[16];
+	u_char stateBits[4];
+	u_char creationTime[8];
+	u_char modifiedTime[8];
+	uint32_t startSectorLocation;
+	u_char size[8];
+} MSI_ENTRY;
+
+typedef struct msi_dirent_struct {
+	u_char name[DIRENT_MAX_NAME_SIZE];
+	uint16_t nameLen;
+	uint8_t type;
+	MSI_ENTRY *entry;
+	STACK_OF(MSI_DIRENT) *children;
+	struct msi_dirent_struct *next; /* for cycle detection */
+} MSI_DIRENT;
+
+DEFINE_STACK_OF(MSI_DIRENT)
+
+typedef struct {
+	const u_char *m_buffer;
+	uint32_t m_bufferLen;
+	MSI_FILE_HDR *m_hdr;
+	uint32_t m_sectorSize;
+	uint32_t m_minisectorSize;
+	uint32_t m_miniStreamStartSector;
+} MSI_FILE;
+
+typedef struct {
+	char *header;
+	char *ministream;
+	char *minifat;
+	char *fat;
+	uint32_t dirtreeLen;
+	uint32_t miniStreamLen;
+	uint32_t minifatLen;
+	uint32_t fatLen;
+	int ministreamsMemallocCount;
+	int minifatMemallocCount;
+	int fatMemallocCount;
+	int dirtreeSectorsCount;
+	int minifatSectorsCount;
+	int fatSectorsCount;
+	int miniSectorNum;
+	int sectorNum;
+	uint32_t sectorSize;
+} MSI_OUT;
+
+static const u_char msi_magic[] = {
+	0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1
+};
+
+static const u_char digital_signature[] = {
+	0x05, 0x00, 0x44, 0x00, 0x69, 0x00, 0x67, 0x00,
+	0x69, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6C, 0x00,
+	0x53, 0x00, 0x69, 0x00, 0x67, 0x00, 0x6E, 0x00,
+	0x61, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00,
+	0x65, 0x00, 0x00, 0x00
+};
+
+static const u_char digital_signature_ex[] = {
+	0x05, 0x00, 0x4D, 0x00, 0x73, 0x00, 0x69, 0x00,
+	0x44, 0x00, 0x69, 0x00, 0x67, 0x00, 0x69, 0x00,
+	0x74, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x53, 0x00,
+	0x69, 0x00, 0x67, 0x00, 0x6E, 0x00, 0x61, 0x00,
+	0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00,
+	0x45, 0x00, 0x78, 0x00, 0x00, 0x00
+};
+
+static const u_char msi_root_entry[] = {
+	0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00,
+	0x20, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00,
+	0x72, 0x00, 0x79, 0x00, 0x00, 0x00
+};
+
+static const u_char msi_zeroes[] = {
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+int msi_file_read(MSI_FILE *msi, MSI_ENTRY *entry, uint32_t offset, char *buffer, uint32_t len);
+MSI_FILE *msi_file_new(char *buffer, uint32_t len);
+void msi_file_free(MSI_FILE *msi);
+MSI_ENTRY *msi_root_entry_get(MSI_FILE *msi);
+int msi_dirent_new(MSI_FILE *msi, MSI_ENTRY *entry, MSI_DIRENT *parent, MSI_DIRENT **ret);
+MSI_ENTRY *msi_signatures_get(MSI_DIRENT *dirent, MSI_ENTRY **dse);
+void msi_dirent_free(MSI_DIRENT *dirent);
+int msi_prehash_dir(MSI_DIRENT *dirent, BIO *hash, int is_root);
+int msi_hash_dir(MSI_FILE *msi, MSI_DIRENT *dirent, BIO *hash, int is_root);
+int msi_calc_digest(char *indata, const EVP_MD *md, u_char *mdbuf, uint32_t fileend);
+int msi_dirent_delete(MSI_DIRENT *dirent, const u_char *name, uint16_t nameLen);
+int msi_file_write(MSI_FILE *msi, MSI_DIRENT *dirent, u_char *p, int len, u_char *p_msiex, int len_msiex, BIO *outdata);
+
+/*
+Local Variables:
+   c-basic-offset: 4
+   tab-width: 4
+   indent-tabs-mode: t
+End:
+
+  vim: set ts=4 noexpandtab:
+*/

osslsigncode.bash

@@ -0,0 +1,76 @@
+# bash completion for osslsigncode                         -*- shell-script -*-
+# Copyright (C) 2021-2022 Michał Trojnara <Michal.Trojnara@stunnel.org>
+# Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+
+bind 'set show-all-if-ambiguous on'
+bind 'set completion-ignore-case on'
+COMP_WORDBREAKS=${COMP_WORDBREAKS//:}
+
+_comp_cmd_osslsigncode()
+{
+    local cur prev words cword
+    _init_completion || return
+
+    local commands command options timestamps rfc3161
+
+    commands="--help --version -v
+        sign add attach-signature extract-signature remove-signature verify"
+
+    timestamps="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.sectigo.com
+        http://timestamp.globalsign.com/?signature=sha2"
+
+    rfc3161="http://timestamp.digicert.com
+        http://time.certum.pl
+        http://timestamp.entrust.net/TSS/RFC3161sha2TS
+        http://tss.accv.es:8318/tsa
+        http://kstamp.keynectis.com/KSign/
+        http://sha256timestamp.ws.symantec.com/sha256/timestamp"
+
+
+    if ((cword == 1)); then
+        COMPREPLY=($(compgen -W "${commands}" -- ${cur}))
+    else
+        command=${words[1]}
+        case $prev in
+            -ac | -c | -catalog | -certs | -spc | -key | -pkcs12 | -pass | \
+            -readpass | -pkcs11engine | -pkcs11module | -in | -out | -sigin | \
+            -n | -CAfile | -CRLfile  | -TSA-CAfile | -TSA-CRLfile)
+                _filedir
+                return
+                ;;
+            -h | -require-leaf-hash)
+                COMPREPLY=($(compgen -W 'md5 sha1 sha2 sha256 sha384 sha512' \
+                    -- "$cur"))
+                return
+                ;;
+            -jp)
+                COMPREPLY=($(compgen -W 'low medium high' -- "$cur"))
+                return
+                ;;
+            -t)
+                COMPREPLY=($(compgen -W "${timestamps}" -- "$cur"))
+                return
+                ;;
+            -ts)
+                COMPREPLY=($(compgen -W "${rfc3161}" -- "$cur"))
+                return
+                ;;
+            -i | -p)
+                _known_hosts_real -- "$cur"
+                return
+                ;;
+        esac
+
+        if [[ $cur == -* ]]; then
+            # possible options for the command
+            options=$(_parse_help "$1" "$command --help" 2>/dev/null)
+            COMPREPLY=($(compgen -W "${options}" -- ${cur}))
+        fi
+    fi
+
+} &&
+    complete -F _comp_cmd_osslsigncode osslsigncode
+
+# ex: filetype=sh

tests/certs/.gitignore

@@ -0,0 +1,6 @@
+*.der
+*.pem
+*.pvk
+*.p12
+*.spc
+*.txt

tests/certs/ca-bundle.crt

@@ -0,0 +1,47 @@
+# Certum Trusted Network CA
+-----BEGIN CERTIFICATE-----
+MIIDuzCCAqOgAwIBAgIDBETAMA0GCSqGSIb3DQEBBQUAMH4xCzAJBgNVBAYTAlBM
+MSIwIAYDVQQKExlVbml6ZXRvIFRlY2hub2xvZ2llcyBTLkEuMScwJQYDVQQLEx5D
+ZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxIjAgBgNVBAMTGUNlcnR1bSBU
+cnVzdGVkIE5ldHdvcmsgQ0EwHhcNMDgxMDIyMTIwNzM3WhcNMjkxMjMxMTIwNzM3
+WjB+MQswCQYDVQQGEwJQTDEiMCAGA1UEChMZVW5pemV0byBUZWNobm9sb2dpZXMg
+Uy5BLjEnMCUGA1UECxMeQ2VydHVtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MSIw
+IAYDVQQDExlDZXJ0dW0gVHJ1c3RlZCBOZXR3b3JrIENBMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA4/t9o3K6wvDJFIf1awFO4W5AB7ptJ11/91sts1rH
+UV+rpDKmYYe2bg+G0jACl/jXaVehGDldamR5xgFZrDwxSjh80gTSSyjoIF87B6LM
+TXPb865Px1bVWqeWifrzq2jUI4ZZJ88JJ7ysbnKDHDBy3+Ci6dLhdHUZvSqeexVU
+BBvXQzmtVSjF4hq79MDkrjhJM8x2hZ85RdKknvISjFH4fOQtf/WsX+sWn7Et0brM
+kUJ3TCXJkDhv2/DM+44el1k+1WBO5gUo7Ul5E0u6SNsv+XLTOcr+H9g0cvW0QM8x
+AcPs3hEtF10fuFDRXhmnad4HMyjKUJX5p1TLVIZQRan5SQIDAQABo0IwQDAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBQIds3LB/8k9sXN7buQvOKEN0Z19zAOBgNV
+HQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBAKaorSLOAT2mo/9i0Eidi15y
+sHhE49wcrwn9I0j6vSrEuVUEtRCjjSfeC4Jj0O7eDDd5QVsisrCaQVymcODU0HfL
+I9MA4GxWL+FpDQ3Zqr8hgVDZBqWo/5U30Kr+4rP1mS1FhIrlQgnXdAIv94nYmem8
+J9RHjboNRhx3zxSkHLmkMcScKHQDNP8zGSal6Q10tz6XxnboJ5ajZt3hrvJBW8qY
+VoNzcOSGGtIxQbovvi0TWnZvTuhOgQ4/WwMioBK+ZlgRSssDxLQqKi2WF+A5VLxI
+03YnnZotBqbJ7DnSq9ufmgsnAjUpsUCV5/nonFWIGUbWtzT1fs45mtk48VH3Tyw=
+-----END CERTIFICATE-----
+
+# DigiCert Assured ID Root CA
+-----BEGIN CERTIFICATE-----
+MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
+b3QgQ0EwHhcNMDYxMTEwMDAwMDAwWhcNMzExMTEwMDAwMDAwWjBlMQswCQYDVQQG
+EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
+cnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJvb3QgQ0EwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDhXO5EOAXLGH87dg+XESpa7c
+JpSIqvTO9SA5KFhgDPiA2qkVlTJhPLWxKISKityfCgyDF3qPkKyK53lTXDGEKvYP
+mDI2dsze3Tyoou9q+yHyUmHfnyDXH+Kx2f4YZNISW1/5WBg1vEfNoTb5a3/UsDg+
+wRvDjDPZ2C8Y/igPs6eD1sNuRMBhNZYW/lmci3Zt1/GiSw0r/wty2p5g0I6QNcZ4
+VYcgoc/lbQrISXwxmDNsIumH0DJaoroTghHtORedmTpyoeb6pNnVFzF1roV9Iq4/
+AUaG9ih5yLHa5FcXxH4cDrC0kqZWs72yl+2qp/C3xag/lRbQ/6GW6whfGHdPAgMB
+AAGjYzBhMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRF66Kv9JLLgjEtUYunpyGd823IDzAfBgNVHSMEGDAWgBRF66Kv9JLLgjEtUYun
+pyGd823IDzANBgkqhkiG9w0BAQUFAAOCAQEAog683+Lt8ONyc3pklL/3cmbYMuRC
+dWKuh+vy1dneVrOfzM4UKLkNl2BcEkxY5NM9g0lFWJc1aRqoR+pWxnmrEthngYTf
+fwk8lOa4JiwgvT2zKIn3X/8i4peEH+ll74fg38FnSbNd67IJKusm7Xi+fT8r87cm
+NW1fiQG2SVufAQWbqz0lwcy2f8Lxb4bG+mRo64EtlOtCt/qMHt1i8b5QZ7dsvfPx
+H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe
++o0bJW1sj6W3YQGx0qMmoRBxna3iw/nDmVG3KwcIzi7mULKn+gpFL6Lw8g==
+-----END CERTIFICATE-----

tests/certs/makecerts.sh

@@ -0,0 +1,230 @@
+#!/bin/sh
+
+result=0
+
+test_result() {
+  if test "$1" -eq 0
+    then
+      printf "Succeeded\n" >> "makecerts.log"
+    else
+      printf "Failed\n" >> "makecerts.log"
+    fi
+}
+
+make_certs() {
+  password=passme
+  result_path=$(pwd)
+  cd $(dirname "$0")
+  script_path=$(pwd)
+  cd "${result_path}"
+  mkdir "tmp/"
+
+# OpenSSL settings
+  CONF="${script_path}/openssl_intermediate.cnf"
+  if test -n "$1"
+    then
+      OPENSSL="$1/bin/openssl"
+      export LD_LIBRARY_PATH="$1/lib:$1/lib64"
+    else
+      OPENSSL=openssl
+    fi
+
+  mkdir "demoCA/" 2>> "makecerts.log" 1>&2
+  touch "demoCA/index.txt"
+  echo -n "unique_subject = no" > "demoCA/index.txt.attr"
+  echo 1000 > "demoCA/serial"
+  date > "makecerts.log"
+  "$OPENSSL" version 2>> "makecerts.log" 1>&2
+  echo -n "$password" > "password.txt"
+
+  printf "\nGenerate root CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out demoCA/CA.key \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 3600 -key demoCA/CA.key -out tmp/CACert.pem \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate intermediate CA certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out demoCA/intermediate.key \
+        2>> "makecerts.log" 1>&2
+    TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -key demoCA/intermediate.key -out demoCA/intermediate.csr \
+        -subj "/C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA" \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  TZ=GMT faketime -f '@2017-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_root.cnf"
+    "$OPENSSL" ca -config "$CONF" -batch -in demoCA/intermediate.csr -out demoCA/intermediate.cer \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+  "$OPENSSL" x509 -in demoCA/intermediate.cer -out tmp/intermediate.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate private RSA encrypted key\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -des3 -out demoCA/private.key -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  cat demoCA/private.key >> tmp/keyp.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate private RSA decrypted key\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in demoCA/private.key -passin pass:"$password" -out tmp/key.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate a certificate to revoke\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/revoked.csr \
+      -subj "/C=PL/O=osslsigncode/OU=CSP/CN=Revoked/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in demoCA/revoked.csr -out demoCA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in demoCA/revoked.cer -out tmp/revoked.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nRevoke above certificate\n" >> "makecerts.log"
+  "$OPENSSL" ca -config "$CONF" -revoke demoCA/revoked.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to revoked certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/revoked.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nGenerate CRL file\n" >> "makecerts.log"
+  TZ=GMT faketime -f '@2019-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" ca -config "$CONF" -gencrl -crldays 8766 -out tmp/CACertCRL.pem \
+        2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nConvert revoked certificate to SPC format\n" >> "makecerts.log"
+  "$OPENSSL" crl2pkcs7 -in tmp/CACertCRL.pem -certfile tmp/revoked.pem -outform DER -out tmp/revoked.spc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate CSP Cross-Certificate\n" >> "makecerts.log"
+  "$OPENSSL" genrsa -out demoCA/cross.key \
+      2>> "makecerts.log" 1>&2
+  TZ=GMT faketime -f '@2018-01-01 00:00:00' /bin/bash -c '
+    script_path=$(pwd)
+    OPENSSL="$0"
+    export LD_LIBRARY_PATH="$1"
+    CONF="${script_path}/openssl_intermediate.cnf"
+    "$OPENSSL" req -config "$CONF" -new -x509 -days 900 -key demoCA/cross.key -out tmp/crosscert.pem \
+       -subj "/C=PL/O=osslsigncode/OU=CSP/CN=crosscert/emailAddress=osslsigncode@example.com" \
+       2>> "makecerts.log" 1>&2' "$OPENSSL" "$LD_LIBRARY_PATH"
+  test_result $?
+
+  printf "\nGenerate code signing certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/cert.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -batch -in demoCA/cert.csr -out demoCA/cert.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in demoCA/cert.cer -out tmp/cert.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to DER format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform DER -out tmp/key.der -passout pass:"$password" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the key to PVK format\n" >> "makecerts.log"
+  "$OPENSSL" rsa -in tmp/key.pem -outform PVK -out tmp/key.pvk -pvk-none \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the certificate to DER format\n" >> "makecerts.log"
+  "$OPENSSL" x509 -in tmp/cert.pem -outform DER -out tmp/cert.der \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to code signing certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/cert.pem 2>> "makecerts.log"
+  test_result $?
+
+  printf "\nConvert the certificate to SPC format\n" >> "makecerts.log"
+  "$OPENSSL" crl2pkcs7 -nocrl -certfile tmp/cert.pem -outform DER -out tmp/cert.spc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nConvert the certificate and the key into a PKCS#12 container\n" >> "makecerts.log"
+  "$OPENSSL" pkcs12 -export -in tmp/cert.pem -inkey tmp/key.pem -out tmp/cert.p12 -passout pass:"$password" \
+      -keypbe aes-256-cbc -certpbe aes-256-cbc \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nGenerate expired certificate\n" >> "makecerts.log"
+  "$OPENSSL" req -config "$CONF" -new -key demoCA/private.key -passin pass:"$password" -out demoCA/expired.csr \
+      -subj "/C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Expired/emailAddress=osslsigncode@example.com" \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" ca -config "$CONF" -enddate "190101000000Z" -batch -in demoCA/expired.csr -out demoCA/expired.cer \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+  "$OPENSSL" x509 -in demoCA/expired.cer -out tmp/expired.pem \
+      2>> "makecerts.log" 1>&2
+  test_result $?
+
+  printf "\nAttach intermediate certificate to expired certificate\n" >> "makecerts.log"
+  cat tmp/intermediate.pem >> tmp/expired.pem 2>> "makecerts.log"
+  test_result $?
+
+# copy new files
+  if test -s tmp/intermediate.pem -a -s tmp/CACert.pem -a -s tmp/CACertCRL.pem \
+      -a -s tmp/key.pem -a -s tmp/keyp.pem -a -s tmp/key.der -a -s tmp/key.pvk \
+      -a -s tmp/cert.pem -a -s tmp/cert.p12 -a -s tmp/cert.der -a -s tmp/cert.spc \
+      -a -s tmp/crosscert.pem -a -s tmp/expired.pem -a -s tmp/revoked.pem -a -s tmp/revoked.spc
+  then
+    cp tmp/* ./
+    printf "%s\n" "keys & certificates successfully generated"
+    printf "%s\n" "makecerts.sh finished"
+  else
+    printf "%s\n" "makecerts.sh failed"
+    printf "%s\n" "error logs ${result_path}/makecerts.log"
+    result=1
+  fi
+
+# remove the working directory
+  rm -rf "demoCA/"
+  rm -rf "tmp/"
+
+  exit "$result"
+}
+
+# Tests requirement
+if test -n "$(command -v faketime)"
+  then
+    make_certs "$1"
+    result=$?
+  else
+    printf "%s\n" "faketime not found in \$PATH"
+    printf "%s\n" "tests skipped, please install faketime package"
+    result=1
+  fi
+
+exit "$result"

tests/certs/openssl_intermediate.cnf

@@ -0,0 +1,71 @@
+# OpenSSL intermediate CA configuration file
+
+[ ca ]
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations
+dir                             = .
+certs                           = $dir/demoCA
+crl_dir                         = $dir/demoCA
+new_certs_dir                   = $dir/demoCA
+database                        = $dir/demoCA/index.txt
+serial                          = $dir/demoCA/serial
+rand_serial                     = yes
+private_key                     = $dir/demoCA/intermediate.key
+certificate                     = $dir/tmp/intermediate.pem
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_loose
+default_startdate               = 180101000000Z
+default_enddate                 = 241231000000Z
+x509_extensions                 = v3_req
+email_in_dn                     = yes
+default_days                    = 2200
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+distinguished_name              = req_distinguished_name
+x509_extensions                 = usr_extensions
+
+[ crl_ext ]
+# Extension for CRLs
+authorityKeyIdentifier          = keyid:always
+
+[ usr_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ v3_req ]
+basicConstraints                = CA:FALSE
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid, issuer
+extendedKeyUsage                = codeSigning
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName                     = optional
+stateOrProvinceName             = optional
+localityName                    = optional
+organizationName                = optional
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address

tests/certs/openssl_root.cnf

@@ -0,0 +1,65 @@
+# OpenSSL root CA configuration file
+
+[ ca ]
+default_ca                      = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir                             = .
+certs                           = $dir/demoCA
+crl_dir                         = $dir/demoCA
+new_certs_dir                   = $dir/demoCA
+database                        = $dir/demoCA/index.txt
+serial                          = $dir/demoCA/serial
+rand_serial                     = yes
+private_key                     = $dir/demoCA/CA.key
+certificate                     = $dir/tmp/CACert.pem
+crl_extensions                  = crl_ext
+default_md                      = sha256
+preserve                        = no
+policy                          = policy_match
+default_startdate               = 180101000000Z
+default_enddate                 = 260101000000Z
+x509_extensions                 = v3_intermediate_ca
+email_in_dn                     = yes
+default_days                    = 3000
+unique_subject                  = no
+
+[ req ]
+# Options for the `req` tool
+encrypt_key                     = no
+default_bits                    = 2048
+default_md                      = sha256
+string_mask                     = utf8only
+x509_extensions                 = ca_extensions
+distinguished_name              = req_distinguished_name
+
+[ ca_extensions ]
+# Extension to add when the -x509 option is used
+basicConstraints                = critical, CA:true
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`)
+basicConstraints                = critical, CA:true, pathlen:0
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+keyUsage                        = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_match ]
+countryName                     = match
+organizationName                = match
+organizationalUnitName          = optional
+commonName                      = supplied
+emailAddress                    = optional
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address

tests/recipes/01_sign_pem

@@ -0,0 +1,53 @@
+#!/bin/sh
+# Sign a file with a certificate and a private key in the PEM format.
+# -st 1556668800 is the Unix time of May 1 00:00:00 2019 GMT
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=1
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a certificate and a private key in the PEM format"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/02_sign_pass

@@ -0,0 +1,53 @@
+#!/bin/sh
+# Sign a file with an encrypted private key in the PEM format.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=2
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with an encrypted private key in the PEM format"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+      -pass passme \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/03_sign_der

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Sign a file with an encrypted private key in the DER format.
+# Requires OpenSSL 1.0.0 or later
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=3
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with an encrypted private key in the DER format"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+      -pass passme \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/04_sign_spc_pvk

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Sign a file with a certificate in the SPC format
+# and a private key in the Microsoft Private Key (PVK) format.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=4
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a SPC certificate and a PVK private key"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -spc "${script_path}/../certs/cert.spc" -key "${script_path}/../certs/key.pvk" \
+      -pass passme \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/05_sign_pkcs12

@@ -0,0 +1,53 @@
+#!/bin/sh
+# Sign a file with a certificate and a key stored in a PKCS#12 container.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=5
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a certificate and a key stored in a PKCS#12 container"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -pkcs12 "${script_path}/../certs/cert.p12" \
+      -pass passme \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/06_test_sha256sum

@@ -0,0 +1,34 @@
+#!/bin/sh
+# Checking SHA256 message digests for 01x-05x tests
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+result=0
+test_nr=6
+
+for file in ${script_path}/../logs/sha256sum/*.*
+  do
+    name="${file##*/}"
+    case $name in
+      "cat.log") filetype=CAT; format_nr=1 ;;
+      "msi.log") filetype=MSI; format_nr=2 ;;
+      "ex_.log") filetype=CAB; format_nr=3 ;;
+      "exe.log") filetype=PE; format_nr=4 ;;
+      "ps1.log") filetype=TXT; format_nr=5 ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Checking SHA256 message digests for a $filetype file test"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
+      then
+        result=1
+        cat "sha256sum/$name" >> "results.log"
+        printf "Non-unique SHA256 message digests found\n" >> "results.log"
+      fi
+    rm -f "sha256sum/$name"
+    test_result "$result" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/07_sign_timestamp

@@ -0,0 +1,61 @@
+#!/bin/sh
+# Sign a file with Authenticode timestamping
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=7
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+        else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Sign a $filetype$desc file with Authenticode timestamping"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -t http://time.certum.pl/ \
+        -t http://timestamp.digicert.com/ \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+          "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Sign a file with Authenticode timestamping"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/08_sign_rfc3161

@@ -0,0 +1,65 @@
+#!/bin/sh
+# Sign a file with RFC 3161 timestamping
+# An RFC3161 timestamp server provides an essential function in protecting
+# data records for the long-term. It provides proof that the data existed
+# at a particular moment in time and that it has not changed, even by
+# a single binary bit, since it was notarized and time-stamped.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=8
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+        else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Sign a $filetype$desc file with RFC 3161 timestamping"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+          "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Sign a file with RFC 3161 timestamping"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/09_sign_page_hashes

@@ -0,0 +1,33 @@
+#!/bin/sh
+# Generate page hashes for a file
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=9
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "exe") filetype=PE; format_nr=4 ;;
+      *) continue ;; # Warning: -ph option is only valid for PE files
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Generate page hashes for a $filetype file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 -ph \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/10_sign_blob

@@ -0,0 +1,53 @@
+#!/bin/sh
+# Sign a file with addUnauthenticatedBlob.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=10
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with addUnauthenticatedBlob"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -addUnauthenticatedBlob \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/11_sign_nest

@@ -0,0 +1,42 @@
+#!/bin/sh
+# Sign a file twice with the "nest" flag in the second time
+# in order to add the new signature instead of replacing the first one.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=11
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Warning: CAT files do not support nesting
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1") continue;; # Warning: TXT files do not support nesting
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with the nest flag"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "signed_$number.$ext"
+    ../../osslsigncode sign -h sha512 \
+      -nest \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "signed_$number.$ext" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/12_sign_readpass_pem

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Sign a file with a PEM key and a password read from password.txt file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=12
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a PEM key and a password read from password.txt file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -addUnauthenticatedBlob \
+      -readpass "${script_path}/../certs/password.txt" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/keyp.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/13_sign_readpass_pkcs12

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Sign a file with the certificate and key stored in a PKCS#12 container
+# and a password read from password.txt file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=13
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a PKCS#12 container and the file with a password"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -readpass "${script_path}/../certs/password.txt" \
+      -pkcs12 "${script_path}/../certs/cert.p12" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "osslsigncode" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/14_sign_descryption

@@ -0,0 +1,53 @@
+#!/bin/sh
+# Sign a file with a descryption.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=14
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with a descryption"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -n "DESCRYPTION_TEXT" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "DESCRYPTION_TEXT" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/15_sign_url

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Sign a file with specified URL for expanded description of the signed content
+# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=15
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with specified URL"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -i "https://www.osslsigncode.com/" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "https://www.osslsigncode.com/" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/16_sign_comm

@@ -0,0 +1,58 @@
+#!/bin/sh
+# Sign a file with Microsoft Commercial Code Signing purpose set for SPC_STATEMENT_TYPE_OBJID
+# object ID numbers (OIDs) "1.3.6.1.4.1.311.2.1.11"
+# changes default Microsoft Individual Code Signing:
+# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15"
+# sets Microsoft Commercial Code Signing:
+# "0x30, 0x0c, x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x16"
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=16
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with the common purpose set"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -comm \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "Microsoft Commercial Code Signing" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/17_sign_crosscertfile

@@ -0,0 +1,55 @@
+#!/bin/sh
+# Add an additional certificate to the signature block of the file.
+# https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode-signing-of-csps
+# https://docs.microsoft.com/en-us/windows/win32/seccertenroll/about-cross-certification
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=17
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Add an additional certificate to the signature block of a $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -ac "${script_path}/../certs/crosscert.pem" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "crosscert" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/21_sign_hash_md5

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Sign a file with MD5 set of cryptographic hash functions.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=21
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with MD5 set of cryptographic hash functions"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h md5 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "MD5" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/22_sign_hash_sha1

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Sign a file with SHA1 set of cryptographic hash functions.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=22
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with SHA1 set of cryptographic hash functions"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha1 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "SHA1" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/23_sign_hash_sha2

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Signing a file with SHA2 set of cryptographic hash functions.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=23
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with SHA2 set of cryptographic hash functions"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha2 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "SHA2" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/24_sign_hash_sha384

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Sign a file with SHA384 set of cryptographic hash functions.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=24
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with SHA384 set of cryptographic hash functions"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha384 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/25_sign_hash_sha512

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Sign a file with SHA512 set of cryptographic hash functions.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=25
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with SHA512 set of cryptographic hash functions"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha512 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/26_extract_signature_pem

@@ -0,0 +1,55 @@
+#!/bin/sh
+# Extract the signature in the PEM format.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=26
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Extract the PEM signature from the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha512 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    ../../osslsigncode extract-signature \
+      -pem \
+      -in "test_$number.$ext" -out "sign_$format_nr.pem"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/27_extract_signature_der

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Extract the signature in the DER format.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=27
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Extract the DER signature from the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha512 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    ../../osslsigncode extract-signature\
+      -in "test_$number.$ext" -out "sign_$format_nr.der"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/31_attach_signature_der

@@ -0,0 +1,58 @@
+#!/bin/sh
+# Attach the DER signature to the file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=31
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Attach the DER signature to the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode attach-signature \
+      -sigin "sign_$format_nr.der" \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+      -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$result" -ne 0; then
+      cp "sign_$format_nr.der" "sign_$number.der"
+    fi
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/32_attach_signature_pem

@@ -0,0 +1,58 @@
+#!/bin/sh
+# Attach the PEM signature to the file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=32
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Attach the PEM signature to the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode attach-signature \
+      -sigin "sign_$format_nr.pem" \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+      -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$result" -ne 0; then
+      cp "sign_$format_nr.der" "sign_$number.der"
+    fi
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/33_attach_signed

@@ -0,0 +1,58 @@
+#!/bin/sh
+# Attach the signature to the signed file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=33
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Attach the PEM signature to the signed $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "signed_$number.$ext"
+    ../../osslsigncode attach-signature \
+      -sigin "sign_$format_nr.pem" \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+      -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+      -in "signed_$number.$ext" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "sha256sum" "SHA512" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/34_attach_nest

@@ -0,0 +1,44 @@
+#!/bin/sh
+# Attach the signature to the signed file with the "nest" flag in order to
+# attach the new signature instead of replacing the first one.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=34
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Warning: CAT files do not support nesting
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1") continue;; # Warning: TXT files do not support nesting
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Attach the PEM signature to the signed $filetype$desc file with the nest flag"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "signed_$number.$ext"
+    ../../osslsigncode attach-signature \
+      -sigin "sign_$format_nr.pem" \
+      -nest \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+      -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+      -in "signed_$number.$ext" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "SHA512" "UNUSED_PATTERN"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/35_remove_signature

@@ -0,0 +1,54 @@
+#!/bin/sh
+# Remove the signature from the file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=35
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Unsupported command
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Remove the signature from the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "signed_$number.$ext"
+    ../../osslsigncode remove-signature \
+      -in "signed_$number.$ext" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/36_varia_sha256sum

@@ -0,0 +1,34 @@
+#!/bin/sh
+# Checking SHA256 message digests for "extract" and "attach" tests.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+result=0
+test_nr=36
+
+for file in ${script_path}/../logs/sha256sum/*.*
+  do
+    name="${file##*/}"
+    case $name in
+      "cat.log") filetype=CAT; format_nr=1 ;;
+      "msi.log") filetype=MSI; format_nr=2 ;;
+      "ex_.log") filetype=CAB; format_nr=3 ;;
+      "exe.log") filetype=PE; format_nr=4 ;;
+      "ps1.log") filetype=TXT; format_nr=5 ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Checking SHA256 message digests for a $filetype file test"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    if test $(cat "sha256sum/$name" | cut -d' ' -f1 | uniq | wc -l) -ne 1
+      then
+        result=1
+        cat "sha256sum/$name" >> "results.log"
+        printf "Non-unique SHA256 message digests found\n" >> "results.log"
+      fi
+    rm -f "sha256sum/$name"
+    test_result "$result" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/37_add_signature_timestamp

@@ -0,0 +1,64 @@
+#!/bin/sh
+# Add an authenticode timestamp to the signed file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=37
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+        else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Add an authenticode timestamp to the $filetype$desc signed file"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -in "notsigned/$name" -out "signed_$number.$ext"
+      ../../osslsigncode add \
+        -t http://time.certum.pl/ \
+        -t http://timestamp.digicert.com/ \
+        -verbose \
+        -in "signed_$number.$ext" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+          "UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Add an authenticode timestamp to the signed file"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/38_add_signature_rfc3161

@@ -0,0 +1,64 @@
+#!/bin/sh
+# Add a RFC 3161 timestamp to the signed file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=38
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+          else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Add a RFC 3161 timestamp to the $filetype$desc signed file"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -in "notsigned/$name" -out "signed_$number.$ext"
+      ../../osslsigncode add \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "signed_$number.$ext" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+          "UNUSED_PATTERN" "Timestamp Server Signature" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Add a RFC 3161 timestamp to the signed file"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/39_add_signature_blob

@@ -0,0 +1,55 @@
+#!/bin/sh
+# Add an unauthenticated blob to the signed file.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=39
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Add an unauthenticated blob to the $filetype$desc signed file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "signed_$number.$ext"
+    ../../osslsigncode add \
+      -addUnauthenticatedBlob \
+      -in "signed_$number.$ext" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "Unauthenticated Data Blob" "MODIFY"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/40_verify_leaf_hash

@@ -0,0 +1,51 @@
+#!/bin/sh
+# Compare the leaf certificate hash against specified SHA256 message digest for the file
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=40
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Compare the leaf hash against SHA256 message digest for the $filetype$desc file"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.der" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_leaf_hash "$result" "$number" "$ext" "@2019-05-01 00:00:00"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/41_sign_add_msi_dse

@@ -0,0 +1,41 @@
+#!/bin/sh
+# Sign a MSI file with the add-msi-dse option.
+# MsiDigitalSignatureEx (msi-dse) is an enhanced signature type that can be used
+# when signing MSI files. In addition to file content, it also hashes some file metadata,
+# specifically file names, file sizes, creation times and modification times.
+# https://www.unboundtech.com/docs/UKC/UKC_Code_Signing_IG/HTML/Content/Products/UKC-EKM/UKC_Code_Signing_IG/Sign_Windows_PE_and_msi_Files.htm
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=41
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Warning: -add-msi-dse option is only valid for MSI files
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") continue;; # Warning: -add-msi-dse option is only valid for MSI files
+      "exe") continue;; # Warning: -add-msi-dse option is only valid for MSI files
+      "ps1") continue;; # Warning: -add-msi-dse option is only valid for MSI files
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with the add-msi-dse option"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -add-msi-dse \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "MsiDigitalSignatureEx" "UNUSED_PATTERN"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/42_sign_jp_low

@@ -0,0 +1,38 @@
+#!/bin/sh
+# Sign a CAB file with "low" level of permissions in Microsoft Internet Explorer 4.x for CAB files
+# https://support.microsoft.com/en-us/help/193877
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=42
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Warning: -jp option is only valid for CAB files
+      "msi") continue;; # Warning: -jp option is only valid for CAB files
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") continue;; # Warning: -jp option is only valid for CAB files
+      "ps1") continue;; # Warning: -jp option is only valid for CAB files
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Sign a $filetype$desc file with the jp low option"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -jp low \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "Low level of permissions" "UNUSED_PATTERN"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/45_verify_fake_pe

@@ -0,0 +1,36 @@
+#!/bin/sh
+# Verify changed file after signing.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=45
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") continue;; # Test is not supported for non-PE files
+      "msi") continue;; # Test is not supported for non-PE files
+      "ex_") continue;; # Test is not supported for non-PE files
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1") continue;; # Test is not supported for non-PE files
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Verify changed $filetype$desc file after signing"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
+      "UNUSED_PATTERN" "Hello world!" "MODIFY"
+    test_result "$?" "$number" "$test_name"
+  done
+
+exit 0

tests/recipes/46_verify_timestamp

@@ -0,0 +1,46 @@
+#!/bin/sh
+# Verify changed file after signing with Authenticode timestamping.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=46
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") continue;; # Test is not supported for non-PE files
+        "msi") continue;; # Test is not supported for non-PE files
+        "ex_") continue;; # Test is not supported for non-PE files
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1") continue;; # Test is not supported for non-PE files
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify changed $filetype$desc file after signing with Authenticode timestamping"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+       -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -t http://time.certum.pl/ \
+        -t http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "Hello world!" "MODIFY"
+     test_result "$?" "$number" "$test_name"
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify changed file after signing with Authenticode timestamping"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/47_verify_rfc3161

@@ -0,0 +1,46 @@
+#!/bin/sh
+# Verify changed file after signing with RFC 3161 timestamping.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=47
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") continue;; # Test is not supported for non-PE files
+        "msi") continue;; # Test is not supported for non-PE files
+        "ex_") continue;; # Test is not supported for non-PE files
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1") continue;; # Test is not supported for non-PE files
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify changed $filetype$desc file after signing with RFC 3161 timestamping"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "Hello world!" "MODIFY"
+      test_result "$?" "$number" "$test_name"
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify changed file after signing with RFC 3161 timestamping"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/51_verify_time

@@ -0,0 +1,52 @@
+#!/bin/sh
+# Verify a file signed after the cert has been expired.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=51
+
+for file in ${script_path}/../logs/notsigned/*.*
+  do
+    name="${file##*/}"
+    ext="${file##*.}"
+    desc=""
+    case $ext in
+      "cat") filetype=CAT; format_nr=1 ;;
+      "msi") filetype=MSI; format_nr=2 ;;
+      "ex_") filetype=CAB; format_nr=3 ;;
+      "exe") filetype=PE; format_nr=4 ;;
+      "ps1")
+        filetype=TXT
+        if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+          format_nr=5
+          desc=" UTF-16LE(BOM)"
+        elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+          format_nr=6
+          desc=" UTF-8(BOM)"
+        else
+          format_nr=7
+          desc=" UTF-8"
+        fi ;;
+    esac
+
+    number="$test_nr$format_nr"
+    test_name="Verify $filetype$desc file signed after the cert has been expired"
+    printf "\n%03d. %s\n" "$number" "$test_name"
+
+    ../../osslsigncode sign -h sha256 \
+      -st "1556668800" \
+      -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+      -in "notsigned/$name" -out "test_$number.$ext"
+    result=$?
+
+    if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+      printf "%s\n" "Compare file prefix failed"
+      test_result "1" "$number" "$test_name"
+    else
+      verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
+        "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    fi
+  done
+
+exit 0

tests/recipes/52_verify_timestamp

@@ -0,0 +1,62 @@
+#!/bin/sh
+# Verify a file signed with Authenticode timestamping after the cert has been expired.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=52
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+          else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+        esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify a $filetype$desc file signed with Authenticode after the cert has been expired"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -t http://time.certum.pl/ \
+        -t http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
+          "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify a file signed with Authenticode after the cert has been expired"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/53_verify_rfc3161

@@ -0,0 +1,62 @@
+#!/bin/sh
+# Verify a file signed with RFC3161 timestamping after the cert has been expired.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=53
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+          else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify a $filetype$desc file signed with RFC3161 after the cert has been expired"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "success" "@2025-01-01 12:00:00" \
+          "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify a file signed with RFC3161 after the cert has been expired"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/54_verify_expired

@@ -0,0 +1,62 @@
+#!/bin/sh
+# Verify a file signed with the expired cert.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=54
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+          else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify a $filetype$desc file signed with the expired cert"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "fail" "@2025-01-01 12:00:00" \
+          "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify a file signed with the expired cert"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/55_verify_revoked

@@ -0,0 +1,62 @@
+#!/bin/sh
+# Verify a file signed with the revoked cert.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=55
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") filetype=CAT; format_nr=1 ;;
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1")
+          filetype=TXT
+          if xxd -p -l 2 "notsigned/$name" | grep -q "fffe"; then
+            format_nr=5
+            desc=" UTF-16LE(BOM)"
+          elif xxd -p -l 3 "notsigned/$name" | grep -q "efbbbf"; then
+            format_nr=6
+            desc=" UTF-8(BOM)"
+          else
+            format_nr=7
+            desc=" UTF-8"
+          fi ;;
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify a $filetype$desc file signed with the revoked cert"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "notsigned/$name" -out "test_$number.$ext"
+      result=$?
+
+      if test "$filetype" = "TXT" && ! cmp -l -n 3 "notsigned/$name" "test_$number.$ext"; then
+        printf "%s\n" "Compare file prefix failed"
+        test_result "1" "$number" "$test_name"
+      else
+        verify_signature "$result" "$number" "$ext" "fail" "@2019-09-01 12:00:00" \
+          "UNUSED_PATTERN" "UNUSED_PATTERN" "UNUSED_PATTERN"
+        test_result "$?" "$number" "$test_name"
+      fi
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify a file signed with the revoked cert"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/recipes/56_verify_multiple

@@ -0,0 +1,60 @@
+#!/bin/sh
+# Verify a file signed with the multiple signature.
+
+. $(dirname $0)/../test_library
+script_path=$(pwd)
+test_nr=56
+
+if ! grep -q "no libcurl available" "results.log"; then
+  for file in ${script_path}/../logs/notsigned/*.*
+    do
+      name="${file##*/}"
+      ext="${file##*.}"
+      desc=""
+      case $ext in
+        "cat") continue;; # Warning: CAT files do not support nesting
+        "msi") filetype=MSI; format_nr=2 ;;
+        "ex_") filetype=CAB; format_nr=3 ;;
+        "exe") filetype=PE; format_nr=4 ;;
+        "ps1") continue;; # Warning: TXT files do not support nesting
+      esac
+
+      number="$test_nr$format_nr"
+      test_name="Verify a $filetype$desc file signed with the multiple signature"
+      printf "\n%03d. %s\n" "$number" "$test_name"
+
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -certs "${script_path}/../certs/expired.pem" -key "${script_path}/../certs/key.pem" \
+        -verbose \
+        -in "notsigned/$name" -out "signed1_$number.$ext"
+      ../../osslsigncode sign -h sha384 \
+        -st "1556668800" \
+        -nest \
+        -certs "${script_path}/../certs/revoked.pem" -key "${script_path}/../certs/key.pem" \
+        -t http://time.certum.pl/ \
+        -t http://timestamp.digicert.com/ \
+        -verbose \
+        -in "signed1_$number.$ext" -out "signed2_$number.$ext"
+      ../../osslsigncode sign -h sha256 \
+        -st "1556668800" \
+        -nest \
+        -certs "${script_path}/../certs/cert.pem" -key "${script_path}/../certs/key.pem" \
+        -ts http://time.certum.pl/ \
+        -ts http://timestamp.digicert.com/ \
+        -verbose \
+        -in "signed2_$number.$ext" -out "test_$number.$ext"
+      result=$?
+
+      verify_signature "$result" "$number" "$ext" "success" "@2019-09-01 12:00:00" \
+        "UNUSED_PATTERN" "SHA384" "UNUSED_PATTERN"
+      test_result "$?" "$number" "$test_name"
+    done
+  else
+    format_nr=0
+    number="$test_nr$format_nr"
+    test_name="Verify a file signed with the multiple signature"
+    printf "\n%03d. %s\nTest skipped\n" "$number" "$test_name"
+  fi
+
+exit 0

tests/sources/a

@@ -0,0 +1 @@
+aaa

tests/sources/b

@@ -0,0 +1 @@
+bbb

tests/sources/c

@@ -0,0 +1 @@
+ccc

tests/sources/myapp.c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+void main(void)
+{
+    printf("Hello world!");
+}

tests/sources/sample.wxs

@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<!--https://wiki.gnome.org/msitools/HowTo/CreateMSI-->
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='ABCDDCBA-86C7-4D14-AEC0-86416A69ABDE' UpgradeCode='ABCDDCBA-7349-453F-94F6-BCB5110BA4FD'
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+    <Package Id='*' Keywords='Installer' Description="Acme's Foobar 1.0 Installer"
+      Comments='Foobar is a registered trademark of Acme Ltd.' Manufacturer='Acme Ltd.'
+      InstallerVersion='100' Languages='1033' Compressed='yes' SummaryCodepage='1252' />
+
+    <Media Id='1' Cabinet='Sample.cab' EmbedCab='yes' DiskPrompt="CD-ROM #1" />
+    <Property Id='DiskPrompt' Value="Acme's Foobar 1.0 Installation [1]" />
+
+    <Directory Id='TARGETDIR' Name='SourceDir'>
+      <Directory Id='ProgramFilesFolder' Name='PFiles'>
+        <Directory Id='Acme' Name='Acme'>
+          <Directory Id='INSTALLDIR' Name='Foobar 1.0'>
+
+            <Component Id='MainExecutable' Guid='ABCDDCBA-83F1-4F22-985B-FDB3C8ABD471'>
+              <File Id='FoobarEXE' Name='FoobarAppl10.exe' DiskId='1' Source='FoobarAppl10.exe' KeyPath='yes'/>
+            </Component>
+
+          </Directory>
+        </Directory>
+      </Directory>
+    </Directory>
+
+    <Feature Id='Complete' Level='1'>
+      <ComponentRef Id='MainExecutable' />
+    </Feature>
+
+  </Product>
+</Wix>

tests/test_library

@@ -0,0 +1,174 @@
+# this file is a library sourced from recipes/*
+
+result_path=$(pwd)
+cd $(dirname "$0")/../
+script_path=$(pwd)
+cd "${result_path}"
+
+test_result() {
+#1 last exit status
+#2 test number
+#3 test name
+
+  local result=0
+
+  if test "$1" -eq 0
+    then
+      printf "%s\n" "Test succeeded"
+    else
+      printf "%s\n" "Test failed"
+      printf "%03d. %-90s\t%s\n" "$2" "$3" "failed" 1>&3
+      result=1
+    fi
+  return "$result"
+}
+
+modify_blob() {
+# $1 test number
+# $2 filename extension
+# $3 text searched in a binary file
+
+  local result=0
+
+  initial_blob=$(echo -n "$3" | xxd -p)
+  modified_blob=$(echo -n "FAKE" | xxd -p)
+  zero_blob="00000000"
+
+  xxd -p -c 1000 "test_$1.$2" | \
+      sed "s/$initial_blob$zero_blob/$initial_blob$modified_blob/" | \
+      xxd -p -r > "changed_$1.$2"
+
+  ../../osslsigncode verify -verbose \
+      -CAfile "${script_path}/../certs/CACert.pem" \
+      -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+      -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+      -in "changed_$1.$2" 2>> "verify.log" 1>&2
+  result=$?
+
+  if test "$result" -ne 0 \
+      -o $(grep -e "Calculated DigitalSignature" -e "Calculated message digest" "verify.log" | uniq | wc -l) -gt 1
+    then
+      printf "Failed: verify error or non-unique message digests found\n" 2>> "verify.log" 1>&2
+      result=1
+    else
+      rm -f "changed_$1.$2"
+    fi
+
+  return "$result"
+}
+
+search_pattern() {
+# $1 test number
+# $2 filename extension
+# $3 pattern searched in a binary file or verify.log
+
+  local result=0
+
+  if ! grep -q "$3" "verify.log"
+    then
+      hex_pattern=$(echo -n "$3" | xxd -p)
+      if ! xxd -p -c 1000 "test_$1.$2" | grep "$hex_pattern" 2>> /dev/null 1>&2
+        then
+          result=1
+          printf "Failed: $3 not found\n"
+        fi
+    fi
+  return "$result"
+}
+
+verify_signature() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 expected result
+# $5 fake time
+# $6 sha256sum requirement
+# $7 pattern searched in the verify.log file
+# $8 modify requirement
+
+  local result=0
+
+  printf "" > "verify.log"
+  if test "$1" -eq 0
+    then
+      cp "test_$2.$3" "test_tmp.tmp"
+      TZ=GMT faketime -f "$5" /bin/bash -c '
+          printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
+          script_path=$(pwd)
+          ../../osslsigncode verify -verbose \
+              -CAfile "${script_path}/../certs/CACert.pem" \
+              -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+              -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+              -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
+      result=$?
+      rm -f "test_tmp.tmp"
+
+      if test "$result" -eq 0 -a "$7" != "UNUSED_PATTERN"
+        then
+          search_pattern "$2" "$3" "$7"
+          result=$?
+        fi
+
+      if test "$result" -eq 0 -a "$8" = "MODIFY"
+        then
+          modify_blob "$2" "$3" "$7"
+          result=$?
+       fi
+
+      if test "$6" = "sha256sum"
+        then
+          sha256sum "test_$2.$3" 2>> "sha256sum/$3.log" 1>&2
+        fi
+
+      if test "$4" = "success" -a "$result" -eq 0
+        then
+          rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
+        elif test "$4" = "fail" -a "$result" -eq 1
+          then
+            rm -f "test_$2.$3" "signed_$2.$3" "signed1_$2.$3" "signed2_$2.$3"
+            rm -f "changed_$2.$3"
+            cat "verify.log" >> "results.log"
+            result=0
+        else
+          cat "verify.log" >> "results.log"
+          result=1
+        fi
+    else
+      result=1
+    fi
+  return "$result"
+}
+
+verify_leaf_hash() {
+# $1 sign exit code
+# $2 test number
+# $3 filename extension
+# $4 fake time
+
+  local result=0
+  printf "" > "verify.log"
+  if test "$1" -eq 0
+    then
+      cp "test_$2.$3" "test_tmp.tmp"
+      TZ=GMT faketime -f "$4" /bin/bash -c '
+          printf "Verify time: " >> "verify.log" && date >> "verify.log" && printf "\n" >> "verify.log"
+          script_path=$(pwd)
+          ../../osslsigncode verify -verbose \
+              -CAfile "${script_path}/../certs/CACert.pem" \
+              -CRLfile "${script_path}/../certs/CACertCRL.pem" \
+              -TSA-CAfile "${script_path}/../certs/ca-bundle.crt" \
+              -require-leaf-hash SHA256:$(sha256sum "${script_path}/../certs/cert.der" | cut -d" " -f1) \
+              -in "test_tmp.tmp" 2>> "verify.log" 1>&2'
+      result=$?
+      rm -f "test_tmp.tmp"
+      if test "$result" -eq 0
+        then
+          rm -f "test_$2.$3"
+        else
+          cat "verify.log" >> "results.log"
+        fi
+    else
+      result=1
+    fi
+  return "$result"
+}

tests/testall.sh

@@ -0,0 +1,135 @@
+#!/bin/sh
+# mingw64-gcc, gcab, msitools, libgsf, libgsf-devel
+# vim-common, libfaketime packages are required
+
+result=0
+count=0
+skip=0
+fail=0
+
+result_path=$(pwd)
+cd $(dirname "$0")
+script_path=$(pwd)
+result_path="${result_path}/logs"
+certs_path="${script_path}/certs"
+
+make_tests() {
+  for plik in ${script_path}/recipes/*
+    do
+      /bin/sh $plik 3>&1 2>> "results.log" 1>&2
+    done
+    count=$(grep -c "Test succeeded" "results.log")
+    skip=$(grep -c "Test skipped" "results.log")
+    fail=$(grep -c "Test failed" "results.log")
+    printf "%s\n" "testall.sh finished"
+    printf "%s\n" "summary: success $count, skip $skip, fail $fail"
+    return $fail
+}
+
+rm -rf "${result_path}"
+mkdir "${result_path}"
+cd "${result_path}"
+mkdir "notsigned" "sha256sum"
+
+date > "results.log"
+../../osslsigncode -v >> "results.log" 2>/dev/null
+
+cd ${certs_path}
+if test -s CACert.pem -a -s crosscert.pem -a -s expired.pem -a -s cert.pem \
+    -a -s CACertCRL.pem -a -s revoked.pem -a -s key.pem -a -s keyp.pem \
+    -a -s key.der -a -s cert.der -a -s cert.spc -a -s cert.p12
+  then
+    printf "%s\n" "keys & certificates path: ${certs_path}"
+  else
+    ./makecerts.sh $1
+    result=$?
+  fi
+cd "${result_path}"
+
+if test "$result" -ne 0
+  then
+    exit $result
+  fi
+
+# PE files support
+if test -n "$(command -v x86_64-w64-mingw32-gcc)"
+  then
+    x86_64-w64-mingw32-gcc "../sources/myapp.c" -o "notsigned/test.exe" 2>> "results.log" 1>&2
+  else
+    printf "%s\n" "x86_64-w64-mingw32-gcc not found in \$PATH"
+    printf "%s\n" "tests for PE files skipped, please install mingw64-gcc package"
+  fi
+
+# CAB files support
+if test -n "$(command -v gcab)"
+  then
+    gcab -c "notsigned/test.ex_" "../sources/a" "../sources/b" "../sources/c" 2>> "results.log" 1>&2
+  else
+    printf "%s\n" "gcab not found in \$PATH"
+    printf "%s\n" "tests for CAB files skipped, please install gcab package"
+  fi
+
+# MSI files support
+if grep -q "no libgsf available" "results.log"
+  then
+    printf "%s\n" "signing MSI files requires libgsf/libgsf-devel packages and reconfiguration osslsigncode"
+  else
+    if test -n "$(command -v wixl)"
+      then
+        touch FoobarAppl10.exe
+        cp "../sources/sample.wxs" "notsigned/sample.wxs" 2>> "results.log" 1>&2
+        wixl -v "notsigned/sample.wxs" 2>> "results.log" 1>&2
+        rm -f "notsigned/sample.wxs"
+        rm -f "FoobarAppl10.exe"
+      else
+        printf "%s\n" "wixl not found in \$PATH"
+        printf "%s\n" "tests for MSI files skipped, please install wixl or msitools package depending on your OS"
+      fi
+  fi
+
+# CAT files support
+if test -s "../sources/good.cat"
+  then
+    cp "../sources/good.cat" "notsigned/good.cat"
+  fi
+
+# TXT files support
+if test -s "../sources/utf8.ps1"
+  then
+    cp "../sources/utf8.ps1" "notsigned/utf8.ps1"
+  fi
+if test -s "../sources/utf8bom.ps1"
+  then
+    cp "../sources/utf8bom.ps1" "notsigned/utf8bom.ps1"
+  fi
+if test -s "../sources/utf16le.ps1"
+  then
+    cp "../sources/utf16le.ps1" "notsigned/utf16le.ps1"
+  fi
+
+# Timestamping support
+if grep -q "no libcurl available" "results.log"
+  then
+    printf "%s\n" "configure --with-curl is required for timestamping support"
+  fi
+
+# Tests requirements
+if test -n "$(command -v faketime)"
+  then
+    if test -n "$(command -v xxd)"
+      then
+        make_tests
+        result=$?
+        rm -r -f "notsigned/" "sha256sum/"
+        rm -f sign_[1-9].pem sign_[1-9].der
+        rm -f "verify.log"
+      else
+        printf "%s\n" "xxd not found in \$PATH"
+        printf "%s\n" "tests skipped, please install vim-common package"
+      fi
+  else
+    printf "%s\n" "faketime not found in \$PATH"
+    printf "%s\n" "tests skipped, please install faketime package"
+  fi
+
+exit $result

tests/testsign.sh

@@ -1,5 +1,11 @@
 #!/bin/sh
 
+if [ -z "$(command -v keytool)" ]; then
+    printf "%s\n" "keytool was not found in the \$PATH"
+    printf "%s\n" "Please install the default-jre-headless package"
+    exit 1
+fi
+
 rm -f putty*.exe
 
 PUTTY_URL="http://the.earth.li/~sgtatham/putty/0.64/x86/putty.exe"
@@ -14,7 +20,12 @@ fi
 rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
 
 keytool -genkey \
-	-alias selfsigned -keysize 2048 -keyalg RSA -keypass passme -storepass passme -keystore key.ks << EOF
+    -alias selfsigned \
+    -keysize 2048 \
+    -keyalg RSA \
+    -keypass passme \
+    -storepass passme \
+    -keystore key.ks << EOF
 John Doe
 ACME In
 ACME
@@ -24,11 +35,17 @@ SE
 yes
 EOF
 
-
 echo "Converting key/cert to PKCS12 container"
 keytool -importkeystore \
-	-srckeystore key.ks -srcstoretype JKS -srckeypass passme -srcstorepass passme -srcalias selfsigned \
-	-destkeystore key.p12 -deststoretype PKCS12 -destkeypass passme -deststorepass passme
+    -srckeystore key.ks \
+    -srcstoretype JKS \
+    -srckeypass passme \
+    -srcstorepass passme \
+    -srcalias selfsigned \
+    -destkeystore key.p12 \
+    -deststoretype PKCS12 \
+    -destkeypass passme \
+    -deststorepass passme
 
 rm -f key.ks
 
@@ -46,7 +63,7 @@ openssl pkcs12 -in key.p12 -passin pass:passme -nokeys -out cert.pem
 echo "Converting cert to SPC format"
 openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
 
-
+make -C ..
 ../osslsigncode sign -spc cert.spc -key key.pem putty.exe putty1.exe
 ../osslsigncode sign -certs cert.spc -key keyp.pem -pass passme putty.exe putty2.exe
 ../osslsigncode sign -certs cert.pem -key keyp.pem -pass passme putty.exe putty3.exe
@@ -56,19 +73,18 @@ openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc
 
 rm -f cert.pem cert.spc key.der key.p12 key.pem key.pvk keyp.pem
 
-echo ""
-echo ""
+echo
 
 check=`sha1sum putty[1-9]*.exe | cut -d' ' -f1 | uniq | wc -l`
 cmp putty1.exe putty2.exe && \
-	cmp putty2.exe putty3.exe && \
-	cmp putty3.exe putty4.exe && \
-	cmp putty4.exe putty5.exe && \
-	cmp putty5.exe putty6.exe
+    cmp putty2.exe putty3.exe && \
+    cmp putty3.exe putty4.exe && \
+    cmp putty4.exe putty5.exe && \
+    cmp putty5.exe putty6.exe
 if [ $? -ne 0 ]; then
-	echo "Failure is not an option."
+    echo "Failure is not an option."
+    exit 1
 else
-	echo "Yes, it works."
+    echo "Yes, it works."
 fi
 
-