How to add timestamp certificate to a signed PE file on Linux?

Question

I need to digitally sign&timestamp a PE file (EFI, actually) on Linux. I found 3 tools for signing PE files: pesign, osslsigncode and signcode (mono), but it seems none quite fits my needs. The problem is, the key is on a hardware token and cannot be exported. Therefore I have to create a certificate database, add token driver entry there and work via this DB. Only pesign allows this, but it does not support timestamping. osslsigncode and signcode support timestamping, but they cannot use the database.

The Windows signttool.exe can perform signing and timestamping as separate steps. So I thought, I might use pesign to sign the file and then only timestamp it with another tool. But as I discovered, osslsigncode and signcode do not support separate timestamping (in osslsigncode project it's listed in the TODO file, but no signs of it in repository yet).

Are there some tools I missed? Are there not-too-lowlevel libraries which would allow me to write such program myself? (Preferrably, C/C++/Perl/Python.) I tried to get the timestamping code from osslsigncode, but failed to detach it easily from the prior steps (removing existing signature and adding a new one).

P.S. I also tried to run signtool.exe under wine, but 1) failed to get it working, and 2) I'm not sure it's legally permitted (I'm not good at analyzing EULAs).

Answer 1

Since march 2015, there is a patch in osslsigncode which allows you sign the code via a key on a PKCS#11 token. It is not part of an official release yet. So you have to build it yourself, but it works like charm for me.

An example invocation looks like this:

osslsigncode sign -pkcs11engine /usr/lib/engines/engine_pkcs11.so -pkcs11module /usr/lib/libeTPkcs11.so  -certs ~/mysigningcert.pem  -key 0:42ff -in ~/filetosign.exe -out ~/signedfile.exe

The -pkcs11module switch takes the PKCS#11 library as a parameter, the parameter for -key is in the format slotID:keyID.

Answer 2

SignServer Enterprise Edition supports signing and time-stamping of PE files using Authenticode.

Also hardware tokens are supported through the PKCS#11 interface.

SignServer is typically setup on separate server or VM and preferably runs on Linux (but Windows is also supported).

The files you want to sign can simply be sent to the server with an HTTP POST and then the response is the signed file.

https://www.signserver.org/