Can you help me figure out how to sign my software with a certificate? You know that signtool works only on Windows machines, but I need to sign files on a Linux server. Now the system works like this: the file builds on the Linux server, then it moves to the Windows server for signing, and then back to Linux again.
I tried Google and found a new way of signing with the osslsigncode program.
My problem now is how to convert the certificate from the MS format to the osslsigncode format. So now I do these steps. I permanently have two files: cert.crt and key.blob. First I need to convert them to .pfx format; I do:
openssl rsa -inform MS/PRIVATEKEYBLOB -in key.blob -outform PEM -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk
pvk2pfx -pvk key.pvk -pi 1234 -spc cert.crt -pfx cert.pfx
then I can sign my software with the command
signtool.exe sign /v /f cert.pfx /p 1234 soft.exe
Can you tell me what converting steps I need to do to use the osslsigncode program?
There are a few ways to sign an executable. The first is to sign the executable using a .pfx
file directly, without extracting it, as follows:
osslsigncode sign \
-pkcs12 code-sign-certificate.pfx \
-askpass \
-n "Program Name" \
-i https://www.program-website.com \
-in program.exe \
-out program-signed.exe
(It is more secure to prompt for the password using -askpass
than to create a script on the hard drive that contains the password. Memory is more ephemeral than data written to disk.)
Another way is to export the key from the keystore as a PKCS12 file and convert it using openssl:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl rsa -in key.pem -outform DER -out authenticode.key
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Then:
osslsigncode \
-spc authenticode.spc \
-key authenticode.key \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-in install.exe \
-out install-signed.exe
Newer versions of osslsigncode may require different arguments:
osslsigncode sign \
-certs authenticode.spc \
-key authenticode.key \
-t http://timestamp.digicert.com \
-in program.exe \
-out program-signed.exe
Alternative timestamp server URLs are:
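As an added example (not code from the answer above), a small Python helper for the Linux build host: it drives `osslsigncode sign` with the newer syntax and then parses the PE optional header to confirm the output actually carries an Authenticode certificate table, so an unsigned build cannot slip back into the pipeline unnoticed. It assumes osslsigncode 2.x (`sign`, `-pkcs12`, `-readpass`, `-h sha256`) and a mode-0600 password file for `-readpass`; the stub PE builder is a constructed fixture for exercising the check, not a real executable.

```python
import struct
import subprocess
from pathlib import Path

# PE/COFF layout facts used below: e_lfanew lives at 0x3C, the COFF header is 20 bytes,
# and the Authenticode table is data-directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIR_INDEX = 4


def authenticode_entry(pe_bytes: bytes):
    """Return (file_offset, size) of the WIN_CERTIFICATE table, or None if the PE is unsigned."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    # PE32 (0x10B) data directories start at optional-header offset 96, PE32+ (0x20B) at 112
    dir_base = opt + (96 if magic == 0x10B else 112)
    num_dirs = struct.unpack_from("<I", pe_bytes, dir_base - 4)[0]
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe_bytes, dir_base + 8 * SECURITY_DIR_INDEX)
    return (off, size) if size else None


def build_stub_pe(cert_offset=0, cert_size=0, pe32plus=True):
    """Constructed header-only PE fixture (not a runnable executable) for exercising the check."""
    opt_len = 112 if pe32plus else 96
    opt = bytearray(opt_len + 16 * 8)                      # optional header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, opt_len - 4, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, opt_len + 8 * SECURITY_DIR_INDEX, cert_offset, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> PE header right after stub
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def sign_with_osslsigncode(pfx: Path, pass_file: Path, unsigned: Path, signed: Path,
                           timestamp_url="http://timestamp.digicert.com"):
    """Sign on the Linux build host, then refuse to continue unless the output is actually signed."""
    argv = ["osslsigncode", "sign", "-pkcs12", str(pfx), "-readpass", str(pass_file),
            "-h", "sha256", "-t", timestamp_url, "-in", str(unsigned), "-out", str(signed)]
    subprocess.run(argv, check=True)   # argv list, no shell: the password never appears on the command line
    entry = authenticode_entry(signed.read_bytes())
    if entry is None:
        raise RuntimeError(f"{signed} carries no Authenticode certificate table after signing")
    return entry
```

`authenticode_entry` only tells you a certificate table is present; `osslsigncode verify` is still the tool to check that the signature itself is valid.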