 

How to perform code signing using osslsigncode

Can you help me figure out how to sign my software with a certificate? You know that signtool works only on Windows machines, but I need to sign files on a Linux server. Right now the system works like this: the file is built on a Linux server, then it is moved to a Windows server for signing, and then moved back again to Linux.

I tried Google and found a new way of signing with the osslsigncode program.

My problem now is how to convert the certificate from MS format to osslsigncode format. So these are the steps I do now. I always start with two files: cert.crt and key.blob. First I need to convert them to .pfx format, so I do:

# convert the Microsoft PRIVATEKEYBLOB to a PEM RSA key
openssl rsa -inform MS/PRIVATEKEYBLOB -in key.blob -outform PEM -out key.pem
# convert the PEM key to the PVK format that pvk2pfx expects (-pvk-strong = strong RC4 encryption of the PVK)
openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk
# Windows-only: combine PVK key and certificate into a password-protected PFX (password 1234)
pvk2pfx -pvk key.pvk -pi 1234 -spc cert.crt -pfx cert.pfx

Then I can sign my software with the command

signtool.exe sign /v /f cert.pfx /p 1234 soft.exe

Can you tell me what conversion steps I need to do to use the osslsigncode program?

user1991123 asked Feb 14 '23 15:02


1 Answer

There are a few ways to sign an executable. The first is to sign the executable using a .pfx file directly, without extracting it, as follows:

osslsigncode sign \
  -pkcs12 code-sign-certificate.pfx \
  -askpass \
  -n "Program Name" \
  -i https://www.program-website.com \
  -in program.exe \
  -out program-signed.exe

(It is more secure to prompt for the password using -askpass than to create a script on the hard drive that contains the password. Memory is more ephemeral than data written to disk.)

Another way is to export the key from the keystore as a PKCS12 file and convert it using openssl:

# private key only, written unencrypted (-nodes) as PEM
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
# certificate(s) only, as PEM
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
# re-encode the key as DER for osslsigncode's -key option
openssl rsa -in key.pem -outform DER -out authenticode.key
# wrap the certificate(s) in a DER PKCS#7 bundle, the .spc format osslsigncode's -spc/-certs option reads
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Then:

osslsigncode \
  -spc authenticode.spc \
  -key authenticode.key \
  -t http://timestamp.verisign.com/scripts/timstamp.dll \
  -in install.exe \
  -out install-signed.exe

Newer versions of osslsigncode may require different arguments:

# osslsigncode 2.x: the sign subcommand is required, and -certs (alias -spc) takes the certificate file as its argument
osslsigncode sign \
  -certs authenticode.spc \
  -key authenticode.key \
  -t http://timestamp.digicert.com \
  -in program.exe \
  -out program-signed.exe

Alternative timestamp server URLs are:

  • http://timestamp.digicert.com
  • http://time.certum.pl
  • http://timestamp.comodoca.com/authenticode
Dan Gravell answered Feb 17 '23 13:02
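The Linux-side pipeline the question is after (extract, sign, verify in one place), as an added example that is not part of the original question or answer. It assumes osslsigncode 2.x and openssl are installed, that the PFX password sits in a file readable only by the build user, and that the signing host can reach the timestamp server; the file names are the answer's.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: the Linux-side
# pipeline the question describes, done without the Windows hop. Assumes
# osslsigncode 2.x and openssl; the PFX password is read from a file
# (passfile) rather than typed on the command line, where it would land in
# shell history and in the process list.
set -eu

# Pull the certificate (as a DER PKCS#7 .spc) and the private key (DER) out of
# a PFX. The intermediate key.pem is unencrypted (-nodes), so everything is
# created under umask 077 in a caller-supplied private directory and the PEM
# copy is removed as soon as the DER key exists.
extract_pfx() {            # extract_pfx <pfx> <passfile> <outdir>
    (
        umask 077
        mkdir -p "$3"
        openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes -out "$3/key.pem"
        openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -out "$3/cert.pem"
        openssl rsa -in "$3/key.pem" -outform DER -out "$3/authenticode.key"
        openssl crl2pkcs7 -nocrl -certfile "$3/cert.pem" -outform DER -out "$3/authenticode.spc"
        rm -f "$3/key.pem"
    )
}

# Sign with SHA-256 and a timestamp, then verify the result in the same step:
# a signing job that never checks its own output is how a broken chain or an
# unreachable timestamp server goes unnoticed until users see the warning.
sign_exe() {               # sign_exe <keydir> <in.exe> <out.exe> <timestamp-url>
    osslsigncode sign -certs "$1/authenticode.spc" -key "$1/authenticode.key" \
        -h sha256 -t "$4" -n "Program Name" -in "$2" -out "$3"
    osslsigncode verify -in "$3"
}

# Usage: sh sign.sh cert.pfx passfile program.exe program-signed.exe
if [ $# -eq 4 ]; then
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    extract_pfx "$1" "$2" "$workdir"
    sign_exe "$workdir" "$3" "$4" http://timestamp.digicert.com
fi
```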