
mtrojnar / osslsigncode


OpenSSL based Authenticode signing for PE/MSI/Java CAB files

License: Other

Makefile 0.02% Shell 3.58% Python 2.58% C 86.84% CMake 6.55% Dockerfile 0.13% Mathematica 0.30% PowerShell 0.01%

osslsigncode's Introduction

osslsigncode

WHAT IS IT?

osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist.

WHY?

Why not use signtool.exe? Because I don't want to go to a Windows machine every time I need to sign a binary - I can compile and build the binaries using Wine on my Linux machine, but I can't sign them since the signtool.exe makes good use of the CryptoAPI in Windows, and these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe tool would fail. And, so, osslsigncode was born.

WHAT CAN IT DO?

It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT and MSI files. It supports the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a valid signature for a CAB file containing Java files. It supports getting the timestamp through a proxy as well. It also supports signature verification, removal and extraction.

BUILDING

This section covers building osslsigncode for Unix-like operating systems. See INSTALL.W32.md for Windows notes. We highly recommend downloading a release tarball instead of cloning from a git repository.

Configure, build, make tests and install osslsigncode

  • Install prerequisites on Debian-based distributions, such as Ubuntu:
  sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev zlib1g-dev python3
  • Install prerequisites on macOS with Homebrew:
  brew install cmake pkg-config openssl@1.1
  export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"

NOTE: osslsigncode requires CMake 3.17 or newer.

You may need to use cmake3 instead of cmake to complete the following steps on your system.

  • Navigate to the build directory and run CMake to configure the osslsigncode project and generate a native build system:
  mkdir build && cd build && cmake -S ..

optional CMake parameters:

  -DCMAKE_BUILD_TYPE=Debug
  -DCMAKE_C_COMPILER=clang
  -DCMAKE_PREFIX_PATH=[openssl directory];[curl directory]
  -DCMAKE_INSTALL_PREFIX=[installation directory]
  -DBASH_COMPLETION_USER_DIR=[bash completion installation directory]

  • Then call that build system to actually compile/link the osslsigncode project (alias make):
  cmake --build .
  • Make test:
  ctest -C Release
  • Make install:
  sudo cmake --install .
  • Make tarball (simulate autotools' make dist):
  cmake --build . --target package_source

USAGE

Before you can sign a file you need a Software Publishing Certificate (spc) and a corresponding private key.

This article provides a good starting point as to how to do the signing with the Microsoft signtool.exe:

http://www.matthew-jones.com/articles/codesigning.html

To sign with osslsigncode you need the certificate file mentioned in the article above, in SPC or PEM format, and you will also need the private key which must be a key file in DER or PEM format, or if osslsigncode was compiled against OpenSSL 1.0.0 or later, in PVK format.

To sign a PE or MSI file you can now do:

  osslsigncode sign -certs <cert-file> -key <der-key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

or if you are using a PEM or PVK key file with a password together with a PEM certificate:

  osslsigncode sign -certs <cert-file> \
    -key <key-file> -pass <key-password> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

or if you want to add a timestamp as well:

  osslsigncode sign -certs <cert-file> -key <key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -t http://timestamp.digicert.com \
    -in yourapp.exe -out yourapp-signed.exe

You can use a certificate and key stored in a PKCS#12 container:

  osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -in yourapp.exe -out yourapp-signed.exe

To sign a CAB file containing java class files:

  osslsigncode sign -certs <cert-file> -key <key-file> \
    -n "Your Application" -i http://www.yourwebsite.com/ \
    -jp low \
    -in yourapp.cab -out yourapp-signed.cab

Only the 'low' parameter is currently supported.

If you want to use a PKCS#11 token, you need to specify the PKCS#11 engine and module. An example of using osslsigncode with SoftHSM:

  osslsigncode sign \
    -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so \
    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \
    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \
    -key 'pkcs11:token=softhsm-token;object=key' \
    -in yourapp.exe -out yourapp-signed.exe

You can check that the signed file is correct by right-clicking on it in Windows and choosing Properties --> Digital Signatures, then selecting the signature from the list and clicking Details. You should then be presented with a dialog that says, amongst other things, "This digital signature is OK".
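The digest that osslsigncode verify reports as "Calculated message digest" is not a hash of the whole file. The Python below is an added example (not osslsigncode's own code) that walks a PE image in the linear form of the Authenticode PE specification: it hashes everything except the CheckSum field, the Security data-directory entry and the certificate table itself. That is why signing, re-timestamping or changing bytes inside the certificate table (including an unauthenticated blob) leaves the digest unchanged, while touching a single section byte does not. The sample PE32+ image is constructed inline and its PKCS#7 payload is a placeholder, not a real signature.

```python
"""Authenticode digest walk for a PE file (added example, not osslsigncode code).

Linear form of the Microsoft Authenticode PE spec: hash the whole file except
(1) the 4-byte CheckSum field, (2) the 8-byte Certificate Table entry among the
optional header's data directories, and (3) the certificate table itself.
"""
import hashlib
import struct

_CHECKSUM_OFF = 64                                     # CheckSum offset inside the optional header
_SECDIR_OFF = {0x10B: 96 + 4 * 8, 0x20B: 112 + 4 * 8}  # PE32 / PE32+: data directory #4 (Security)


def pe_layout(data: bytes) -> dict:
    """Locate the fields the digest skips and the certificate table (file offset, length)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20                          # skip PE signature and COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in _SECDIR_OFF:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    secdir_off = opt_off + _SECDIR_OFF[magic]
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)
    if cert_len and cert_off + cert_len != len(data):
        # Signers append the table at the end of the file; anything else is treated as corrupt here.
        raise ValueError("certificate table does not end at end of file")
    return {"checksum": opt_off + _CHECKSUM_OFF, "secdir": secdir_off,
            "cert_off": cert_off, "cert_len": cert_len}


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Return the Authenticode digest of a PE image as hex (algo as for -h sha1 / -h sha256)."""
    lay = pe_layout(data)
    end = lay["cert_off"] if lay["cert_len"] else len(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])                   # headers up to CheckSum
    h.update(data[lay["checksum"] + 4:lay["secdir"]])  # ... up to the Security directory entry
    h.update(data[lay["secdir"] + 8:end])              # rest of headers, sections, trailing data
    return h.hexdigest()


# Layout constants for the constructed sample image (not a runnable program).
_DOS_LEN, _COFF_LEN, _OPT_LEN = 64, 24, 240
_SIZE_OF_HEADERS, _SECTION_LEN = 512, 512


def build_sample_pe(section_fill: int = 0x41, checksum: int = 0, cert_payload: bytes = b"") -> bytes:
    """Construct a minimal PE32+ image with one section. If cert_payload is given, append a
    WIN_CERTIFICATE (revision 2.0, type 2 = PKCS#7) like a signer would and point the
    Security data directory at it. The payload is a placeholder, not a real signature."""
    dos = bytearray(_DOS_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, _DOS_LEN)        # e_lfanew: PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, _OPT_LEN, 0x22)
    opt = bytearray(_OPT_LEN)
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 60, _SIZE_OF_HEADERS)  # SizeOfHeaders
    struct.pack_into("<I", opt, _CHECKSUM_OFF, checksum)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", _SECTION_LEN, 0x1000, _SECTION_LEN,
                       _SIZE_OF_HEADERS, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(_SIZE_OF_HEADERS, b"\0")
    image = bytearray(headers + bytes([section_fill]) * _SECTION_LEN)
    if cert_payload:
        total = (8 + len(cert_payload) + 7) // 8 * 8    # WIN_CERTIFICATE entries are 8-byte aligned
        wincert = struct.pack("<IHH", total, 0x0200, 0x0002) + cert_payload.ljust(total - 8, b"\0")
        secdir = _DOS_LEN + _COFF_LEN + _SECDIR_OFF[0x20B]
        struct.pack_into("<II", image, secdir, len(image), total)
        image += wincert
    return bytes(image)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(checksum=0x1234, cert_payload=b"constructed PKCS#7 placeholder")
    print("unsigned:", authenticode_digest(unsigned))
    print("signed:  ", authenticode_digest(signed))    # identical: checksum and certificate table excluded
    print("tampered:", authenticode_digest(build_sample_pe(section_fill=0x42)))
```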

UNAUTHENTICATED BLOBS

The "-addUnauthenticatedBlob" parameter adds a 1024-byte unauthenticated blob of data to the signature in the same area as the timestamp. This can be used while signing, while timestamping, after a file has been code signed, or by itself. This technique (but not this project) is used by Dropbox, GoToMeeting, and Summit Route.

Example 1. Sign and add blob to unsigned file

osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi

Example 2. Timestamp and add blob to signed file

osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe

Example 3. Add blob to signed and time-stamped file

osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe

WARNING

This feature allows for doing dumb things. Be very careful with what you put in the unauthenticated blob, as an attacker could modify it without invalidating the signature. Do NOT, under any circumstances, put a URL here that you will use to download an additional file. If you do that, you would need to check that the newly downloaded file is code signed AND that it has been signed with your certificate AND that it is the version you expect.

BUGS, QUESTIONS etc.

Check whether your question or suspected bug was already discussed on https://github.com/mtrojnar/osslsigncode/issues. Otherwise, open a new issue.

BUT, if you have questions related to generating spc files, converting between different formats and so on, please spend a few minutes searching on Google for your particular problem, since many people have probably already had your problem and solved it as well.

osslsigncode's Issues

osslsigncode fails to verify RFC 3161 counter signatures by signtool

Repro:

signtool -verify C:\Windows\explorer.exe
RFC3161 Timestamp
Policy OID: 1.3.6.1.4.1.311.3.3.1
Error: RFC3161 Timestamp could not be decoded correctly
139990680864576:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
139990680864576:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
139990680864576:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:596:Field=cert, Type=PKCS7_SIGNED
139990680864576:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:627:
139990680864576:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:477:Field=d.sign, Type=PKCS7

Fix: RFC3161 countersignatures are not always PKCS7 (or at least what OpenSSL defines PKCS7 to be). Instead these are OpenSSL CMS objects. There are similar-style functions to replace all the related PKCS7 calls with. For example, PKCS7_d2i would become CMS_d2i.

Timestamp without signing

What if you want to timestamp a file using RFC-3161 without signing it, let alone pay for an overpriced certificate? Just hash it and
The code is there to do the work but the command structure apparently doesn't let you use it.

Verification failing on msi

I'm wondering what the limits of the osslsigncode verify capabilities are?

Trying to verify the latest LibreOffice stable MSI (LibreOffice_6.4.7_Win_x64.msi, sha1: b6f6e81ae081bd23f1cfcc597d66cf85af6cd09c, conforming to https://download.documentfoundation.org/libreoffice/stable/6.4.7/win/x86_64/LibreOffice_6.4.7_Win_x64.msi.mirrorlist) fails with:

$ osslsigncode verify -in LibreOffice_6.4.7_Win_x64.msi
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA1
Calculated DigitalSignature : 1C42938B51E59F2CA12C7EC2418257C4387FC246 MISMATCH!!!
FILE HAS : F9F0BC99A946729F418F5BB6A090C6FD7ED9E97B

Signature verification: failed

Number of verified signatures: 1
Failed

Is this expected? Am I doing something wrong? A known bug? A limitation? Can it be fixed? Can I fix it?

EDIT/UPDATE: Yes, it passes signtool.exe.

Distribute official binaries for osslsigncode

It would be easier to use osslsigncode if official binaries were available on the Releases tab. These could be built and uploaded automatically on each release using Travis CI or similar.

While distributing portable Windows and macOS binaries should be relatively easy, it may be more challenging to provide portable Linux binaries. Maybe this could be achieved using Holy Build Box (I haven't tested it yet).

This would make it easier to integrate osslsigncode in CI workflows (see godotengine/godot#32556).

Getting segmentation fault using 2.1

I have tried signing a Windows executable using osslsigncode 2.0, 2.1, and the latest commit in the repo (1c175c4). I'm using an Ubuntu 18.04 AMD64 PC. The private key is stored on a SafeNet eToken.

The command I'm running is:

osslsigncode sign -readpass <password_file> \
-pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib/libeToken.so \
-h sha256 -n test -t http://timestamp.digicert.com \
-certs <path_to_certs> \
-key "pkcs11:model=eToken;manufacturer=SafeNet%2c%20Inc.;<more>;type=cert" \
-verbose -in <unsigned_exe> -out <signed_exe>

When I run this using 2.1 or the latest commit then I receive the following output:

Engine "pkcs11" set.
Segmentation fault (core dumped)

When I run this command using 2.0 it succeeds.

Succeeded

PKCS11 Clarification on Parameters

I am currently trying to sign an executable with an HSM. I am unsure how the -key parameter works or how to define the user to use for connecting to the HSM. I am using a SafeNet Luna network HSM and got it running with pyhsm. But I now need executable support.

I am currently using the following command:

osslsigncode sign -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so -pkcs11module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -certs ./Certificate.cer -key 0:100 -pass [Password] -verbose -in ./in.exe -out ./out.exe

And I am getting:

Login failed
Login to token failed, returning NULL...
PKCS11_get_private_key returned NULL
Failed to load private key 0:77
140226514693248:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1130:
140226514693248:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=PKCS7
140226514693248:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:
Failed

extract multiple signatures

Hello all,

I have a file (a Windows driver) that holds two signatures, one from Microsoft, one from Symantec. When I use extract-signature I get a pkcs7 file that contains only one of the signatures (the one from Microsoft). Is it possible to extract both signatures to a pkcs7 file?

Thanks and best regards,
Christian

libgsf is not available, msi support is disabled: test.msi, while signing msi

Trying to sign an MSI on CentOS 7, I get the error in the subject:

[root@localhost 64]# osslsigncode sign -certs ossl.pem -key privkey.pem -in test.msi -out sign.msi
Enter PEM pass phrase:
libgsf is not available, msi support is disabled: test.msi
140163159205808:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1220:
140163159205808:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:649:
140163159205808:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1220:
140163159205808:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=RSA
140163159205808:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:121:
140163159205808:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1220:
140163159205808:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:386:Type=PKCS8_PRIV_KEY_INFO
140163159205808:error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read:pem_pkey.c:117:

osslsigncode -v
osslsigncode 1.7.1, using:
OpenSSL 1.0.2k-fips 26 Jan 2017
libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
no libgsf available

yum install libgsf
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile

  • base: mirrors.piconets.webwerks.in
  • extras: mirrors.piconets.webwerks.in
  • updates: mirrors.piconets.webwerks.in
    Package libgsf-1.14.26-7.el7.x86_64 already installed and latest version
    Nothing to do

Let me know if I am missing something?

Thanks for the help...

Sign a driver.

I'm curious about signing windows drivers.

On windows I'm using signtool.exe /a /ac [CA-file] /f [pfx-file] [driver-path]

I played around a bit with osslsigncode, but it seems that it just does not sign a *.sys file in the way the Windows driver loader expects it to be signed.
Does anyone have similar troubles?

Signature verification with RFC 3161 timestamp

I signed a PE file with a RFC 3161 timestamp:

$ ./osslsigncode sign -pkcs12 cert.p12 -pass passme -ts http://time.certum.pl/ -in test.exe -out test1.exe
Succeeded

I tried to verify the signature, but there is no information about the timestamp verification:

$ ./osslsigncode verify test1.exe 
Current PE checksum   : 000202C0
Calculated PE checksum: 000202C0

Message digest algorithm  : SHA1
Current message digest    : 15B382D03C419530326CCBA906DB0FEE7FD102F6
Calculated message digest : 15B382D03C419530326CCBA906DB0FEE7FD102F6

Signature verification: ok

Number of signers: 1
	Signer #0:
		Subject: /C=PL/O=osslsigncode/OU=CA/CN=localhost/[email protected]
		Issuer : /C=PL/O=osslsigncode/OU=Root CA/CN=CA/[email protected]
		Serial : 1000

Number of certificates: 1
	Cert #0:
		Subject: /C=PL/O=osslsigncode/OU=CA/CN=localhost/[email protected]
		Issuer : /C=PL/O=osslsigncode/OU=Root CA/CN=CA/[email protected]
		Serial : 1000

Succeeded

When I try to verify the signature in the same file using Microsoft SignTool I see that the signature is timestamped

>signtool verify /pa /v test1.exe

Verifying: test1.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 15B382D03C419530326CCBA906DB0FEE7FD102F6

Signing Certificate Chain:
    Issued to: CA
    Issued by: CA
    Expires:   Mon Jul 24 12:29:24 2023
    SHA1 hash: 1161A4818600A0FB6963B478DA6CF4A974840EC6

        Issued to: localhost
        Issued by: CA
        Expires:   Mon Jul 24 12:29:24 2023
        SHA1 hash: F6B6B6DCB45D4CDA29815D9C19B23D61F27E1094

The signature is timestamped: Wed Jul 24 15:24:14 2019
Timestamp Verified by:
    Issued to: Certum Trusted Network CA
    Issued by: Certum Trusted Network CA
    Expires:   Mon Dec 31 14:07:37 2029
    SHA1 hash: 07E032E020B72C3F192F0628A2593A19A70F069E

        Issued to: Certum EV TSA SHA2
        Issued by: Certum Trusted Network CA
        Expires:   Sun May 30 15:10:43 2027
        SHA1 hash: 4F8D4C480649426AEF8B86D4D5FC7932E7142D85


Successfully verified: test1.exe

Difference between -t and -ts in "sign" command not clear

The help text for the sign command shows:

-t                      = specifies that the digital signature will be timestamped
                          by the Time-Stamp Authority (TSA) indicated by the URL
                          this option cannot be used with the -ts option
-ts                     = specifies the URL of the RFC 3161 Time-Stamp Authority server
                          this option cannot be used with the -t option

From these explanations, I don't understand what the difference is. What's the difference between a TSA and an RFC 3161 TSA server?

Build technique for both Linux and macOS?

I note that there's no documented way to build for macOS (and the homebrew version 1.7.1 doesn't seem to work any more).

I also note that this doesn't build as suggested in the readme on Linux (./configure)

Building hints appreciated.

configure error: syntax error near unexpected token `newline'

I have followed the building manual
./autogen.sh
./configure

I got error when running "./configure"
./configure: line 4907: syntax error near unexpected token `newline'
./configure: line 4907: `PKG_CHECK_MODULES('

Any help is much appreciated.

An input file can’t be an output file

Steps to reproduce the bug

I tried to sign a PE file to add a signature to the input file:

osslsigncode sign -certs cert.pem -key key.pem -in myapp.exe -out myapp.exe
Bus error (core dumped)

The file is damaged after this operation:

$ du  myapp.exe
0    myapp.exe

The other osslsigncode options (extract-signature, remove-signature, attach-signature) work similarly.

My initial analysis

The stack backtrace from the gdb tool:

#0  0x0000000000403fc2 in main (argc=<optimized out>, argv=<optimized out>)
    at osslsigncode.c:2964

Code signing suddenly stopped working

I've been happily signing exe's with a Digicert certificate and osslsigncode for several years, with an invocation of

osslsigncode sign -certs certificate.cer -key private.rsa.pem ...

But today it stopped working, with the errors shown below. libssl and libcrypto have been updated fairly recently on my Arch system, but signing has worked OK since then so I don't think that can be the issue. The cert files I'm using are unchanged. Any ideas what could be happening here? (I've googled those errors and the standard analysis seems to be that the cert file(s) are malformed, with unwanted whitespace, but these files of mine have been working for years.)

error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:572:
error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1tasn_dec.c:309:Type=RSAPrivateKey
error:04093004:rsa routines:old_rsa_priv_decode:RSA lib:crypto/rsa/rsa_ameth.c:142:
error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=PKCS8_PRIV_KEY_INFO
error:02001011:system library:fopen:File exists:crypto/bio/bss_file.c:69:fopen('Output/gretl_install-64.exe','w+bx')
error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:

curl version trouble

debian-gnu-linux-vm:~/osslsigncode$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
...
checking for curl_easy_strerror in -lcurl... no
configure: error: Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/

debian-gnu-linux-vm:~/osslsigncode$ curl --version
curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2u zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

7.52.1 >= 7.12.0

osslsigncode -ph option not specified for PE file injects an "<<<Obsolete>>>" link

We're using osslsigncode 2.1, but this occurs with 2.0 too.
We call osslsigncode to sign Windows EXEs (PE files) without specifying the "-ph" option (page hash).
Doing so adds a Unicode string "<<<Obsolete>>>" in the signed output. This seems to correspond to a string value of the output of get_obsolete_link(), and that "link" gets added to data that would be output, for the PE file type, if the "page hash" option is not specified. That "link" is injected by get_indirect_data_blob() (circa line 1604 in osslsigncode.c).

Windows SignTool doesn't do any of that; there's no tell-tale "<<<Obsolete>>>" in the output (although this might be something different with SignTool that I haven't spotted).

Would that be a bug, albeit minor ("Obsolete" can be an ominous word), or some correct (and harmless) behaviour?

untrusted option is confusing

Thanks so much for picking up the mostly abandoned osslsigncode. I noticed a new option -- untrusted. It sounds like it's about something that's untrusted, but the underlying source code looks like it's a CA path for timestamp servers? I'm confused about what it's supposed to be.

Signing APPX/MSIX Packages

osslsigncode does not recognize the .appx/.msix file types and is unable to sign them. I'm building them using the makemsix tool from the MSIX SDK, but it does not (yet) provide a way to sign them, and it's not as trivial to install an unsigned MSIX package on Windows as it is for .exe and .msi, so there's almost no point bothering with them without that capability. The SDK does have code relating to verifying the signatures in their unpacking code and there is WIP signing code in another branch, but it's not really in a usable state yet. Their code is MIT, so I'd imagine there shouldn't be any trouble cribbing from it to implement this sort of thing in osslsigncode, but I do not know how much effort would be involved or whether you're even interested.

Homebrew macOS osslsigncode fails with "dyld: Library not loaded"

First, congratulations on getting this project (instead of the abandoned one) into Homebrew.

But...

osslsigncode with latest homebrew fails every way I've tried on mojave or catalina with this message. (It seems to work on Catalina).

dyld: Library not loaded: /usr/local/opt/libgsf/lib/libgsf-1.114.dylib
  Referenced from: /usr/local/bin/osslsigncode
  Reason: image not found

homebrew info:

Distillers-Mac-4:ddev distiller$ brew info libgsf
libgsf: stable 1.14.46 (bottled), HEAD
I/O abstraction library for dealing with structured file formats
https://developer.gnome.org/gsf/
/usr/local/Cellar/libgsf/1.14.46_1 (153 files, 2.3MB) *
  Poured from bottle on 2020-01-02 at 09:10:09
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/libgsf.rb
==> Dependencies
Build: intltool ✘, pkg-config ✘
Required: gettext ✔, glib ✔
==> Options
--HEAD
	Install HEAD version
==> Analytics
install: 1,313 (30 days), 4,030 (90 days), 20,620 (365 days)
install-on-request: 47 (30 days), 210 (90 days), 1,133 (365 days)
build-error: 0 (30 days)
Distillers-Mac-4:ddev distiller$ brew info osslsigncode
osslsigncode: stable 2.0 (bottled)
OpenSSL based Authenticode signing for PE/MSI/Java CAB files
https://github.com/mtrojnar/osslsigncode
/usr/local/Cellar/osslsigncode/2.0_1 (8 files, 125.6KB) *
  Poured from bottle on 2020-01-02 at 09:10:11
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/osslsigncode.rb
==> Dependencies
Build: autoconf ✔, automake ✔, libtool ✘, pkg-config ✘
Required: libgsf ✔, openssl@1.1 ✔
==> Analytics
install: 91 (30 days), 314 (90 days), 728 (365 days)
install-on-request: 86 (30 days), 304 (90 days), 707 (365 days)
build-error: 0 (30 days)

osslsigncode is osslsigncode-2.0_1.mojave.bottle.tar.gz here

Note that the suggestions in https://stackoverflow.com/questions/44125147/dyld-library-not-loaded-usr-local-opt-openssl-lib-libcrypto-1-0-0-dylib and https://blog.junjizhi.com/all/2019/12/17/git-fetch-libssl-error.html didn't get me working.

configure: error: OpenSSL 1.1.0 or later is required. https://www.openssl.org/

configure: error: OpenSSL 1.1.0 or later is required. https://www.openssl.org/
root@ilya18:/osslsigncode# make^C
root@ilya18:/osslsigncode# apt install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version (1.1.1-1ubuntu2.1~18.04.4).
The following packages were automatically installed and are no longer required:
cups-bsd cups-client debugedit libcupsfilters1 libcupsimage2 liblua5.2-0 librpm8 librpmbuild8 librpmio8 librpmsign8 lsb-security pax rpm-common rpm2cpio
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 109 not upgraded.

Signature verification of CAB files

I have got a simple CAB file

$ xxd  logs/test.ex_ | grep MSCF
00000000: 4d53 4346 0000 0000 1a5f 0100 0000 0000  MSCF....._......

I sign this CAB file

$ ./osslsigncode sign -h sha256 -certs cert.pem -key key.pem -ts http://time.certum.pl/ -in test.ex_ -out test1.ex_
Succeeded

and I try to verify the signature, but it does not work

$ ./osslsigncode verify test1.ex_ 
Command is not supported for non-PE/non-MSI files: test1.ex_

Failed

but I can successfully verify the signature in the same file using Microsoft SignTool.

>signtool verify /pa /v test1.ex_

Verifying: test1.ex_
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 8434161C1A393BD2877C3BE9E0B42EB917B96AE0850455486BA51FC5D5DA4EF8

Signing Certificate Chain:
    Issued to: CA
    Issued by: CA
    Expires:   Mon Jul 24 12:29:24 2023
    SHA1 hash: 1161A4818600A0FB6963B478DA6CF4A974840EC6

        Issued to: localhost
        Issued by: CA
        Expires:   Mon Jul 24 12:29:24 2023
        SHA1 hash: F6B6B6DCB45D4CDA29815D9C19B23D61F27E1094

The signature is timestamped: Fri Jul 26 11:15:24 2019
Timestamp Verified by:
    Issued to: Certum Trusted Network CA
    Issued by: Certum Trusted Network CA
    Expires:   Mon Dec 31 14:07:37 2029
    SHA1 hash: 07E032E020B72C3F192F0628A2593A19A70F069E

        Issued to: Certum EV TSA SHA2
        Issued by: Certum Trusted Network CA
        Expires:   Sun May 30 15:10:43 2027
        SHA1 hash: 4F8D4C480649426AEF8B86D4D5FC7932E7142D85


Successfully verified: test1.ex_

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Osslsigncode to use keys/Cert from HSM

Hello Experts,

I am new to the community. I was looking for a way to integrate osslsigncode so it picks keys from an HSM based on the PKCS#11 standard.
I have a working installation of OpenSSL which can successfully generate/use keys from the HSM using the -engine switch; any help would be really appreciated.

Thanks,
Aamir

Signing with more than 2 signatures

Hi,

I have a slightly weird use-case: dual sign a PE with multiple certificates in both sha1 and sha256. This works "fine" with signtool.exe, and I'm wondering how to best approach this with osslsigncode.

I'd want to be able to continue appending nested signatures using -nest, although I don't mind if I need to change the arguments to get this working. However, in practice it looks like osslsigncode just overwrites the signature that was nested, so I only ever end up with the first (non nested signature) and the last nested signature.

Example:

osslsigncode sign -h sha1 \
  -certs cert.pem -key key.pem -pass pass \
  -in foo.exe -out foo.1.exe

osslsigncode sign -h sha256 \
  -nest \
  -certs cert.pem -key key.pem -pass pass \
  -in foo.1.exe -out foo.2.exe

osslsigncode sign -h sha256 \
  -nest \
  -certs othercert.pem -key otherkey.pem -pass otherpass \
  -in foo.2.exe -out foo.3.exe

Then on verify:

osslsigncode verify -in foo.3.exe

expected: <3 signatures>
actual: <2 signatures, missing the sha256 signature from cert.pem>

It looks like the tests currently use just two, https://github.com/mtrojnar/osslsigncode/blob/master/tests/recipes/11_sign_nest, and I can correctly get dual signing to work with just two, but no more. Am I missing options for signing with multiple certificates?

Issue with rfc3161

Hi,

I have an issue signing with rfc3161 timestamps when signing files. Timestamping with the older Authenticode standard works fine. I don't know if it is my environment or if I'm doing something stupid. I've tried on several different machines with CentOS 7 with osslsigncode v1.7.1 and CentOS 8 with version 2.1.

We have successfully used osslsigncode 1.7.1 on CentOS 7 for a couple of years. Thanks a lot to the authors, btw. We sign using a private Authenticode certificate and we have used the older Authenticode timestamp method (with the -t option). This has worked fine.

Now many TSAs are changing to rfc3161 (without offering the older standard), so it would be good to begin using the newer standard, but I cannot get this to work. Here is the error output when I use the -ts option:

$ osslsigncode sign -verbose -certs demo.authenticode.spc -key demo.authenticode.key -n Mysoftware -h sha256 -ts http://timestamp.sectigo.com -verbose -in test.cab -out test.signed.cab
Failed to convert timestamp reply from http://timestamp.sectigo.com; HTTP status 404
139906608410688:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
139906608410688:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=TimeStampResp
RFC 3161 timestamping failed
Failed

The above command works as soon as I change to -t parameter. Do you have any idea from the error message where I could start looking?

unable to compile with openssl-1.0.2

I'm not sure if it's really the openssl issue, here is the log:

Preparing the osslsigncode build system...please wait

Found GNU Autoconf version 2.69
Found GNU Automake version 1.15.1
Found GNU Libtool version 2.4.6

Automatically preparing build ... done

The osslsigncode build system is now prepared.  To build here, run:
  ./configure
  make
/var/tmp/portage/app-crypt/osslsigncode-2.0/temp/environment: line 499: eautoreconf: command not found
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/app-crypt/osslsigncode-2.0/work/osslsigncode-2.0 ...
./configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --disable-dependency-tracking --disable-silent-rules --docdir=/usr/share/doc/osslsigncode-2.0 --htmldir=/usr/share/doc/osslsigncode-2.0/html --libdir=/usr/lib64 --without-curl
configure: loading site script /usr/share/config.site
checking for a BSD-compatible install... /usr/lib/portage/python3.6/ebuild-helpers/xattr/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for x86_64-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
checking whether x86_64-pc-linux-gnu-gcc understands -c and -o together... yes
checking for style of include used by make... GNU
checking dependency style of x86_64-pc-linux-gnu-gcc... none
checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for x86_64-pc-linux-gnu-pkg-config... /usr/bin/x86_64-pc-linux-gnu-pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking for an ANSI C-conforming const... yes
checking for ANSI C header files... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking for mmap... yes
checking windows.h usability... no
checking windows.h presence... no
checking for windows.h... no
checking for dlopen in -ldl... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for getpass... yes
checking for libgsf-1... no
checking for libcrypto >= 1.1.0... no
checking for openssl >= 1.1.0... no
checking for RSA_verify in -lcrypto... yes
checking for libcurl >= 7.12.0... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: executing depfiles commands
>>> Source configured.
>>> Compiling source in /var/tmp/portage/app-crypt/osslsigncode-2.0/work/osslsigncode-2.0 ...
make -j4 
make  all-am
make[1]: Entering directory '/var/tmp/portage/app-crypt/osslsigncode-2.0/work/osslsigncode-2.0'
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I.       -march=native -O2 -pipe -frecord-gcc-switches -c -o osslsigncode.o osslsigncode.c
osslsigncode.c:923:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
 DEFINE_STACK_OF(ASN1_OCTET_STRING)
 ^~~~~~~~~~~~~~~
osslsigncode.c: In function ‘DEFINE_STACK_OF’:
osslsigncode.c:925:1: error: expected declaration specifiers before ‘DEFINE_STACK_OF’
 DEFINE_STACK_OF(SpcAttributeTypeAndOptionalValue)
 ^~~~~~~~~~~~~~~
osslsigncode.c:980:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:1060:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:1092:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:1102:47: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 static unsigned char nib2val(unsigned char c) {
                                               ^
osslsigncode.c:1115:63: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 static int verify_leaf_hash(X509 *leaf, const char *leafhash) {
                                                               ^
osslsigncode.c:1207:67: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 static PKCS7 *pkcs7_get_nested_signature(PKCS7 *p7, int *has_sig) {
                                                                   ^
osslsigncode.c:1223:65: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 static int pkcs7_set_nested_signature(PKCS7 *p7, PKCS7 *p7nest) {
                                                                 ^
osslsigncode.c:1902:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:1938:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:1992:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2046:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2192:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2239:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2260:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2274:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2283:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2306:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2330:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:2368:1: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘{’ token
 {
 ^
osslsigncode.c:923:1: error: parameter name omitted
 DEFINE_STACK_OF(ASN1_OCTET_STRING)
 ^~~~~~~~~~~~~~~
osslsigncode.c:3423:1: error: expected ‘{’ at end of input
 }
 ^

Feature request: signtool /dg and /di

from: https://docs.microsoft.com/en-us/windows/win32/seccrypto/signtool

Sign command option | Description
/dg Path | Generates the digest to be signed and the unsigned PKCS7 files. The output digest and PKCS7 files will be: Path\FileName.dig and Path\FileName.p7u. To output an additional XML file, see /dxml.
/di Path | Creates the signature by ingesting the signed digest to the unsigned PKCS7 file. The input signed digest and unsigned PKCS7 files should be: Path\FileName.dig.signed and Path\FileName.p7u.

This function is mostly used for remote signing.

❯ ./osslsigncode [1] 23416 killed ./osslsigncode

❯ ./autogen.sh
Preparing the osslsigncode build system...please wait

Found GNU Autoconf version 2.69
Found GNU Automake version 1.16.3
Found GNU Libtool version 2.4.6

Automatically preparing build ... done

The osslsigncode build system is now prepared.  To build here, run:
  ./configure
  make
❯ ./configure
checking for a BSD-compatible install... /opt/homebrew/bin/ginstall -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /opt/homebrew/bin/gmkdir -p
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for pkg-config... /opt/homebrew/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking for an ANSI C-conforming const... yes
checking for ANSI C header files... (cached) yes
checking whether time.h and sys/time.h may both be included... yes
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking for mmap... yes
checking windows.h usability... no
checking windows.h presence... no
checking for windows.h... no
checking for dlopen in -ldl... yes
checking termios.h usability... yes
checking termios.h presence... yes
checking for termios.h... yes
checking for getpass... yes
checking for libgsf-1... yes
checking for libcrypto >= 1.1.1... yes
checking for libcurl >= 7.12.0... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
❯ make
/Library/Developer/CommandLineTools/usr/bin/make  all-am
gcc -DHAVE_CONFIG_H -I.   -I/opt/homebrew/opt/[email protected]/include -I/opt/homebrew/Cellar/libffi/3.3_3/include -I/opt/homebrew/Cellar/libgsf/1.14.47/include/libgsf-1 -I/opt/homebrew/Cellar/glib/2.68.0/include -I/opt/homebrew/Cellar/glib/2.68.0/include/glib-2.0 -I/opt/homebrew/Cellar/glib/2.68.0/lib/glib-2.0/include -I/opt/homebrew/opt/gettext/include -I/opt/homebrew/Cellar/pcre/8.44/include -I/opt/homebrew/Cellar/[email protected]/1.1.1j/include  -g -O2 -MT osslsigncode.o -MD -MP -MF .deps/osslsigncode.Tpo -c -o osslsigncode.o osslsigncode.c
mv -f .deps/osslsigncode.Tpo .deps/osslsigncode.Po
gcc -I/opt/homebrew/Cellar/libffi/3.3_3/include -I/opt/homebrew/Cellar/libgsf/1.14.47/include/libgsf-1 -I/opt/homebrew/Cellar/glib/2.68.0/include -I/opt/homebrew/Cellar/glib/2.68.0/include/glib-2.0 -I/opt/homebrew/Cellar/glib/2.68.0/lib/glib-2.0/include -I/opt/homebrew/opt/gettext/include -I/opt/homebrew/Cellar/pcre/8.44/include -I/opt/homebrew/Cellar/[email protected]/1.1.1j/include  -g -O2  -L/opt/homebrew/opt/[email protected]/lib -o osslsigncode osslsigncode.o -L/opt/homebrew/Cellar/libgsf/1.14.47/lib -L/opt/homebrew/Cellar/glib/2.68.0/lib -L/opt/homebrew/opt/gettext/lib -lgsf-1 -lgobject-2.0 -lglib-2.0 -lintl -lxml2 -L/opt/homebrew/Cellar/[email protected]/1.1.1j/lib -lcrypto -lcurl
❯ ./osslsigncode
[1]    23416 killed     ./osslsigncode
Darwin xxxx.local 20.3.0 Darwin Kernel Version 20.3.0: Thu Jan 21 00:06:51 PST 2021; root:xnu-7195.81.3~1/RELEASE_ARM64_T8101 arm64

Windows cannot verify the digital signature for this file

In my CI/CD I need to sign my new driver.
My CI/CD system is on an Ubuntu machine.
The command line I use for signing is
./osslsigncode sign -pkcs12 MY_PFX.pfx -pass MY_PASSWORD -ac MY_CER.cer -in input_file.sys -out output_file.sys
The output of the command is "Success".
But when I try to deploy my driver as a service it writes:
Windows cannot verify the digital signature for this file ...
Both the certificate and pfx files are valid, and I know that because if I do the same with Microsoft's signtool.exe it works.

I would appreciate if you could help 😄

Sign catalog files

It would be great if osslsigncode could sign catalog files. We are able to generate a valid catalog file but won't have a windows machine available to sign it. I haven't yet found a Linux alternative to signtool for signing catalogs.

osslsigncode with AWS CloudHSM?

Hi,

Has anyone managed to successfully utilise osslsigncode and AWS CloudHSM together? Amazon have instructions for signtool, which is simple enough to follow and I'm able to sign properly.

I feel as if I'm close on Linux but am not quite there.

On Ubuntu 16 LTS, I have:

  • Built and installed OpenSSL 1.1.1c:
openssl version -a
OpenSSL 1.1.1c  28 May 2019
built on: Thu Feb 25 06:49:47 2021 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific
  • Built and installed libp11-0.4.11 which output the libs we want in /usr/local/ssl/lib/engines-1.1.

The results of pkcs11-tool give:

pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --list-slots
Available slots:
Slot 0 (0x1): Cavium Slot
  token label        : cavium
  token manufacturer : Cavium Networks
  token model        : NITROX-III CNN35
  token flags        : login required, token initialized, PIN initialized
  hardware version   : 5.3
  firmware version   : 2.4
  serial num         : {SERIAL}
  pin min/max        : {MIN/MAX}

The latest necessary CLI tools are installed:
cloudhsm-client-pkcs11 (3.3.1-1)
cloudhsm-client (3.3.1-1)
The necessary service is live:

sudo service cloudhsm-client status
● cloudhsm-client.service - AWS CloudHsm Client daemon
   Loaded: loaded (/lib/systemd/system/cloudhsm-client.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2021-06-15 14:40:31 UTC; 1h 31min ago
     Docs: https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html
 Main PID: 25603 (cloudhsm_client)
    Tasks: 4
   Memory: 3.5M
      CPU: 4min 27.017s
   CGroup: /system.slice/cloudhsm-client.service
           └─25603 /opt/cloudhsm/bin/cloudhsm_client /opt/cloudhsm/etc/cloudhsm_client.cfg

The cluster certificate lives at:
/opt/cloudhsm/etc/customerCA.crt

When I try to sign though:

 osslsigncode sign \
>     -pkcs11engine /usr/local/ssl/lib/engines-1.1/pkcs11.so \
>     -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
>     -pkcs11cert 'pkcs11:token=cavium;object=cert' \
>     -key 'pkcs11:token=cavuium;object=key' \
>     -in input.exe -out output.exe
Engine "pkcs11" set.
Enter PKCS#11 token PIN for cavium:
Certificate not found.
Failed to load certificate pkcs11:token=cavium;object=cert
139688091965248:error:80066065:pkcs11 engine:ctx_ctrl_load_cert:object not found:eng_back.c:652:
Failed

As the error outputs - it's clear there isn't a cert/private key living in the HSM.

I thought I had some, as per following the AWS guide - but clearly not.

On Windows, these steps create the certificate and key to sign with.

I feel like this may not be exactly related to osslsigncode - and may just be an issue to fix on my end.

I'm assuming I need to purchase an EV codesign certificate for HSM and somehow put the cert on the HSM (I haven't found any instructions on how that works).

Has anyone gotten osslsigncode to work in this way?

Feel free to close if it's not the right place for this :-)

How to run this project in visual studio

I want to debug this project in Visual Studio. I created a C++ project and have the OpenSSL lib set up, but when I copy the osslsigncode.c contents to a main.c file there are many errors. Has anyone succeeded in debugging this project in Visual Studio?

C99 %zu

I tried compiling 2.1.0 manually with MSVC (VS 2019) and /W3 and these are the printf warnings:

20>osslsigncode.c(3679): warning C4477: 'printf' : format string '%08lX' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3679): note: consider using '%zX' in the format string
20>osslsigncode.c(3687): warning C4477: 'printf' : format string '%04lX' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3687): note: consider using '%zX' in the format string
20>osslsigncode.c(3698): warning C4477: 'printf' : format string '%08lX' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3698): note: consider using '%zX' in the format string
20>osslsigncode.c(3703): warning C4477: 'printf' : format string '%08lX' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3703): note: consider using '%zX' in the format string
20>osslsigncode.c(3718): warning C4477: 'printf' : format string '%lu' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3718): note: consider using '%zu' in the format string
20>osslsigncode.c(3718): warning C4477: 'printf' : format string '%lu' requires an argument of type 'unsigned long', but variadic argument 2 has type 'size_t'
20>osslsigncode.c(3718): note: consider using '%zu' in the format string
20>osslsigncode.c(3720): warning C4477: 'printf' : format string '%lu' requires an argument of type 'unsigned long', but variadic argument 1 has type 'size_t'
20>osslsigncode.c(3720): note: consider using '%zu' in the format string

If you don't mind, I can send the PR fixing this using "%z". There are also a lot of other size_t and int conversion warnings, but printf seems to be "the lowest hanging fruit". int and long are both 32 bit on 64-bit MSVC.

Support for XKU_CODE_SIGN purpose or note why it's not supported

I'm checking Debian secure boot shim signatures.
Shim itself is signed by Microsoft and trusts a Debian Secure Boot CA cert.
Certificate: https://dsa.debian.org/secure-boot-ca
Shim: https://salsa.debian.org/pmhahn/shim-signed/-/blob/master/shimx64.efi.signed

The shim can be checked against the Microsoft key with sbverify.

However, when I try checking the signature of mmx64.efi and fbx64.efi from shim-helpers-amd64-signed, sbverify fails, as they are signed with another certificate which is issued by this CA.

osslsigncode verify -CAfile debian-secure-boot-ca.pem usr/lib/shim/fbx64.efi.signed should work, but the signer has purpose XKU_CODE_SIGN, which is not supported. I'm not sure why that's not allowed and cannot find any information on what that extension is used for. I think a comment should be added into the code explaining why it's not allowed, and the error print made a bit clearer.

Unrecognized file type for .cat files >= 65KB

When signing a ".cat" file >= 65KB in size, osslsigncode shows an "Unrecognized file type" error.

Steps to reproduce the issue:

Create ".cat" file via PowerShell (5.1) with size >=65KB

New-FileCatalog -CatalogVersion 2 -CatalogFilePath C:\Temp -Path C:\Temp\test

Try to sign the file

osslsigncode -sign -pkcs12 /home/test/test.crt -pass "testsign" -n "Test app" -in /tmp/catalog.cat -out /tmp/catalog_sign.cat

Error:
Unrecognized file type: /tmp/catalog.cat

Debugging:

I changed the condition in function get_file_type() at line

} else if (!memcmp(indata+4, pkcs7_signed_data, sizeof(pkcs7_signed_data))) {

to check whether signing the file fails too, but after modifying the condition (removing the "!") signing the file actually works.
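The report does not say why the size matters. Reading it as an editor: the quoted comparison at indata+4 assumes the outer SEQUENCE length field occupies exactly two bytes (0x30 0x82 LL LL), which DER uses only for content lengths 128 to 65535; a larger .cat file needs a three-byte length (0x30 0x83 LL LL LL), so the signedData OID moves to offset 5 and a fixed-offset memcmp misses it, matching the 65KB threshold above. The following is an added example (editor's code, not osslsigncode's) of a DER-aware check that tolerates any length-of-length; the OID constant is the standard DER encoding of 1.2.840.113549.1.7.2, and the sample builder, the g_sample buffer and all function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), tag and length included. */
static const unsigned char PKCS7_SIGNED_DATA_OID[] = {
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
};

/* Parse a DER tag/length header at buf[0..len). Returns the offset of the first content
 * byte and stores the content length in *content_len, or returns 0 for a wrong tag or a
 * malformed/truncated header. Only the definite-length forms DER permits are accepted. */
static size_t der_header(const unsigned char *buf, size_t len,
                         unsigned char expected_tag, size_t *content_len)
{
    if (len < 2 || buf[0] != expected_tag) return 0;
    unsigned char first = buf[1];
    if (first < 0x80) {                 /* short form: one length byte */
        *content_len = first;
        return 2;
    }
    size_t nbytes = first & 0x7F;       /* long form: 0x8N followed by N length bytes */
    if (nbytes == 0 || nbytes > sizeof(size_t) || len < 2 + nbytes) return 0;
    size_t value = 0;
    for (size_t i = 0; i < nbytes; i++)
        value = (value << 8) | buf[2 + i];
    if (value < 0x80) return 0;         /* DER requires the minimal length encoding */
    *content_len = value;
    return 2 + nbytes;
}

/* Returns 1 if buf looks like a PKCS#7 signedData ContentInfo (the shape of a .cat file),
 * whatever the size of the outer SEQUENCE length field. */
int is_pkcs7_signed_data(const unsigned char *buf, size_t len)
{
    size_t content_len;
    size_t off = der_header(buf, len, 0x30, &content_len);   /* outer SEQUENCE */
    if (off == 0) return 0;
    if (content_len > len - off) return 0;                   /* truncated input */
    if (len - off < sizeof(PKCS7_SIGNED_DATA_OID)) return 0;
    return memcmp(buf + off, PKCS7_SIGNED_DATA_OID, sizeof(PKCS7_SIGNED_DATA_OID)) == 0;
}

/* The fixed-offset test the report quotes, for comparison: it only works while the
 * outer length field is exactly two bytes long. */
int is_pkcs7_signed_data_fixed_offset(const unsigned char *buf, size_t len)
{
    if (len < 4 + sizeof(PKCS7_SIGNED_DATA_OID)) return 0;
    return memcmp(buf + 4, PKCS7_SIGNED_DATA_OID, sizeof(PKCS7_SIGNED_DATA_OID)) == 0;
}

/* Build a constructed ContentInfo (header + OID + body_len zero bytes) into out; the body
 * is dummy filler, enough to exercise the different length forms. Returns total size, 0 if
 * it does not fit. */
size_t make_sample(unsigned char *out, size_t cap, size_t body_len)
{
    size_t content_len = sizeof(PKCS7_SIGNED_DATA_OID) + body_len;
    size_t pos = 0;
    if (cap < 2 + sizeof(size_t)) return 0;
    out[pos++] = 0x30;
    if (content_len < 0x80) {
        out[pos++] = (unsigned char)content_len;
    } else {
        unsigned char tmp[sizeof(size_t)];
        size_t n = 0, v = content_len;
        while (v) { tmp[n++] = (unsigned char)(v & 0xFF); v >>= 8; }
        out[pos++] = (unsigned char)(0x80 | n);
        while (n) out[pos++] = tmp[--n];
    }
    if (pos + content_len > cap) return 0;
    memcpy(out + pos, PKCS7_SIGNED_DATA_OID, sizeof(PKCS7_SIGNED_DATA_OID));
    memset(out + pos + sizeof(PKCS7_SIGNED_DATA_OID), 0, body_len);
    return pos + content_len;
}

static unsigned char g_sample[70000];   /* scratch buffer for constructed samples */

/* Build a sample with the given body size and run one of the two detectors on it.
 * Returns 1 if detected, 0 if not, -1 if the sample could not be built. */
int detect_sample(size_t body_len, int use_fixed_offset)
{
    size_t n = make_sample(g_sample, sizeof g_sample, body_len);
    if (n == 0) return -1;
    return use_fixed_offset ? is_pkcs7_signed_data_fixed_offset(g_sample, n)
                            : is_pkcs7_signed_data(g_sample, n);
}

int main(void)
{
    printf("1-byte length : der-aware=%d fixed-offset=%d\n", detect_sample(40, 0), detect_sample(40, 1));
    printf("2-byte length : der-aware=%d fixed-offset=%d\n", detect_sample(1000, 0), detect_sample(1000, 1));
    printf("3-byte length : der-aware=%d fixed-offset=%d\n", detect_sample(66000, 0), detect_sample(66000, 1));
    return 0;
}
```

The fixed-offset check only recognises the 2-byte-length sample; the DER-aware check recognises all three and rejects a truncated buffer, which is the property a file-type sniffer in a signing tool should have, since a misclassified input is signed as the wrong format.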

[2.1] build fails using static openssl

When using a static version of OpenSSL, it looks like the configure script doesn't detect the needed linker options correctly, so it fails with:

gcc -I/usr/include/libgsf-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libxml2 -I/builddir/build/BUILD/my_openssl/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wl,-z,relro -o osslsigncode osslsigncode.o -lgsf-1 -lgobject-2.0 -lxml2 -lglib-2.0 -L/builddir/build/BUILD/my_openssl/lib -lcrypto -lcurl
/usr/bin/ld: /usr/lib/gcc/x86_64-redhat-linux/4.8.5/../../../../lib64/libgsf-1.so: undefined reference to symbol 'deflate'
//usr/lib64/libz.so.1: error adding symbols: DSO missing from command line
make[1]: Leaving directory `/builddir/build/BUILD/osslsigncode-2.1'
collect2: error: ld returned 1 exit status
make[1]: *** [osslsigncode] Error 1
make: *** [all] Error 2

Workaround:

LDFLAGS="$RPM_LD_FLAGS -lz -ldl -pthread" ./configure ....

PE PageHash isn't functioning properly

I think the -ph option in osslsigncode isn't functioning properly.
I've tried to sign a PE file using both signtool and osslsigncode with the -ph option. The signature from osslsigncode seems to contain an invalid SpcSerializedObject. The classId is correct, but the serializedData is invalid.
You can view the pkcs7 signed data in the attachment. serializedData is very, very long in the signature from signtool, but short in that from osslsigncode.
What's more, by viewing the octets in it, I think the serializedData produced by osslsigncode doesn't even contain either the SPC_PE_IMAGE_PAGE_HASHES_V1 (1.3.6.1.4.1.311.2.3.1) or the SPC_PE_IMAGE_PAGE_HASHES_V2 (1.3.6.1.4.1.311.2.3.2) DER object identifier. I don't know what these octets really are....

The code in

static SpcLink *get_page_hash_link(int phtype, char *indata, size_t peheader, int pe32plus, size_t sigpos)

may not be correct. I've tried to locate the bug but failed. I don't understand why you need SpcAttributeTypeAndOptionalValue to produce SpcLink?

Some ASN.1 structures for your reference

SpcIndirectDataContent ::= SEQUENCE {
    data                    SpcAttributeTypeAndOptionalValue,
    messageDigest           DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
    type                    ObjectID,
    value                   [0] EXPLICIT ANY OPTIONAL
}
// type should be SPC_PE_IMAGE_DATAOBJ OID (1.3.6.1.4.1.311.2.1.15)
// value should be an SpcPeImageData structure

SpcPeImageData ::= SEQUENCE {
   flags                   SpcPeImageFlags DEFAULT { includeResources },
   file                    SpcLink
}

SpcLink ::= CHOICE {
    url                     [0] IMPLICIT IA5STRING,
    moniker                 [1] IMPLICIT SpcSerializedObject,
    file                    [2] EXPLICIT SpcString
}

SpcSerializedObject ::= SEQUENCE {
    classId             SpcUuid,
    serializedData      OCTETSTRING
}

I can guess what the structure of serializedData is

SpcSerializedObject ::= SEQUENCE {
    classId             SpcUuid,
    serializedData      OCTETSTRING
}

OCTETSTRING ::= SET OF PageHashObject

PageHashObject ::= SEQUENCE {
    type                ObjectID,
    pageHashes          OCTETSTRING
}

The pageHashes are addresses in uint32 followed by the hash in its length.
But I have no idea how the hash is calculated. I didn't get it from your code or the Python script either.
attachment.zip

Can't use process substitution with `-certs`

I store my cert & key in a cloud service - at signing time I pull them down and attempt to use with process substitution like this:

osslsigncode sign -certs <( get-the-cert ) -key <( get-the-key ) ...

osslsigncode complains:

Failed to read certificate file: /dev/fd/$N

I believe this is because read_certs_with_pass seeks to the beginning of the file [1] [2]. But this seems silly, why do we need to seek(0) immediately after we read the file? Am I missing something?

[1] osslsigncode/osslsigncode.c, lines 2252 to 2264 in 2ffa5a9:

static STACK_OF(X509) *PEM_read_certs_with_pass(BIO *bin, char *certpass)
{
    STACK_OF(X509) *certs = sk_X509_new_null();
    X509 *x509;
    (void)BIO_seek(bin, 0);
    while((x509 = PEM_read_bio_X509(bin, NULL, NULL, certpass)))
        sk_X509_push(certs, x509);
    if (!sk_X509_num(certs)) {
        sk_X509_free(certs);
        return NULL;
    }
    return certs;
}

[2] https://en.wikipedia.org/wiki/Process_substitution#Limitations
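What process substitution actually hands the program is a pipe, and a pipe cannot be repositioned: lseek() on it fails with ESPIPE, which is the limitation [2] points at. The following is an added example (editor's code, not from osslsigncode; the SAMPLE_PEM text is a constructed placeholder, not a real certificate, and the function names are this example's own) that shows the seek failing on a pipe and the seek-free alternative of reading the whole stream into memory once and parsing from the buffer. OpenSSL can parse such a buffer through a memory BIO (BIO_new_mem_buf), so no seek on the original descriptor is ever needed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if fd supports lseek(), 0 for a pipe, FIFO or socket (lseek fails with ESPIPE). */
int fd_is_seekable(int fd)
{
    return lseek(fd, 0, SEEK_CUR) != (off_t)-1;
}

/* Read everything from fd until EOF into a freshly malloc'd, NUL-terminated buffer.
 * Returns the number of bytes read, or (size_t)-1 on error; the caller frees *out.
 * No seek is performed, so this works on pipes as well as regular files. */
size_t slurp_fd(int fd, unsigned char **out)
{
    size_t cap = 4096, len = 0;
    unsigned char *buf = malloc(cap + 1);
    if (!buf) return (size_t)-1;
    for (;;) {
        if (len == cap) {                      /* grow geometrically */
            cap *= 2;
            unsigned char *nb = realloc(buf, cap + 1);
            if (!nb) { free(buf); return (size_t)-1; }
            buf = nb;
        }
        ssize_t r = read(fd, buf + len, cap - len);
        if (r < 0) {
            if (errno == EINTR) continue;      /* interrupted by a signal: retry */
            free(buf);
            return (size_t)-1;
        }
        if (r == 0) break;                     /* EOF */
        len += (size_t)r;
    }
    buf[len] = 0;
    *out = buf;
    return len;
}

/* Constructed stand-in for the output of `get-the-cert`; the body is not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQ0pqQ0NBWStn-constructed-placeholder-body\n"
    "-----END CERTIFICATE-----\n";

/* Feed SAMPLE_PEM through a pipe, which is what <( ... ) gives the program, show that the
 * read end is not seekable, then read it completely without seeking. Returns 1 on success. */
int demo_pipe_roundtrip(void)
{
    int fds[2];
    if (pipe(fds) != 0) return 0;
    size_t n = strlen(SAMPLE_PEM);
    if (write(fds[1], SAMPLE_PEM, n) != (ssize_t)n) { close(fds[0]); close(fds[1]); return 0; }
    close(fds[1]);                             /* writer done: reader will see EOF */

    int seekable = fd_is_seekable(fds[0]);     /* 0 on a pipe */
    unsigned char *data = NULL;
    size_t got = slurp_fd(fds[0], &data);
    close(fds[0]);
    if (got == (size_t)-1) return 0;
    int ok = !seekable && got == n && memcmp(data, SAMPLE_PEM, n) == 0;
    free(data);
    return ok;
}

/* For contrast: a regular (temporary) file is seekable. Returns 1 if it is. */
int demo_regular_file_seekable(void)
{
    FILE *f = tmpfile();
    if (!f) return 0;
    int seekable = fd_is_seekable(fileno(f));
    fclose(f);
    return seekable;
}

int main(void)
{
    printf("pipe round trip without seeking: %s\n", demo_pipe_roundtrip() ? "ok" : "failed");
    printf("regular file seekable: %d\n", demo_regular_file_seekable());
    return 0;
}
```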

Detached signature output?

OpenType fonts can be digitally signed. They may contain a DSIG table in the SFNT structure for this purpose. To apply a signature, I would need a separate PKCS#7 blob containing the signature. Adding it to the font can be done with existing tools, e.g. the Python FontTools as a lot of fonts are built using Python today.

Any chance that osslsigncode could support output of detached signatures?

MS's signtool.exe can be used to sign fonts when you have mssipotf.dll which is hard to get hold of. It would be great to have an alternative.

--version and --help exit with error code 255

I built osslsigncode from source on Debian; when executing osslsigncode --help or osslsigncode --version, after the help message / version number is displayed the process exits with error code 255 instead of 0.

root@f9c6e8bc785d:/$ osslsigncode --version; echo "ERROR CODE: $?"
osslsigncode 2.1.0, using:
        OpenSSL 1.1.1d  10 Sep 2019 (Library: OpenSSL 1.1.1d  10 Sep 2019)
        libcurl/7.64.0 GnuTLS/3.6.7 zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3

Please send bug-reports to [email protected]

ERROR CODE: 255

Sign powershell scripts (ps1)

I need to sign ps1 files, but I don't want to have to go to a Windows machine just to sign a script. Is it possible to modify this program to also sign ps1 files?

A signed ps1 file would just have the signature appended to the end of the script:

# SIG # Begin signature block
# thesignaturewouldgohere
# ...
# SIG # End signature block

Signing catalog ".cat" files

This is a feature request to support signing cabs, much like signtool does. The osslsigncode "verify" command works well already on cabs.

-readpass <file> should strip trailing linefeeds

Most editors will save a text file with complete lines, thus adding an LF to the end:

hexdump -C pw 
00000000  6d 79 70 61 73 73 77 6f  72 64 0a                 |mypassword.|

This will cause osslsigncode to read an invalid password.

(Untested) suggestion:

passbuf[passlen] = 0x00;
// NEW: strip trailing LF
if (passlen > 0 && passbuf[passlen - 1] == '\n')
    passbuf[--passlen] = 0x00;
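The suggestion above handles a bare LF only. The following is an added example (editor's code, not osslsigncode's; the function names are this example's own) that also handles the CRLF a Windows editor writes, strips exactly one terminator so that nothing else of the secret is touched, and treats a file that is empty after stripping as an error rather than silently using an empty password.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Remove one trailing line terminator ("\n" or "\r\n") from buf[0..len) in place and
 * NUL-terminate the result; returns the new length. Exactly one terminator is removed,
 * so only the newline an editor appends is dropped, never further characters. */
size_t strip_line_terminator(char *buf, size_t len)
{
    if (len > 0 && buf[len - 1] == '\n') {
        len--;
        if (len > 0 && buf[len - 1] == '\r')   /* CRLF written by a Windows editor */
            len--;
    }
    buf[len] = '\0';
    return len;
}

/* Read a password from an already-open stream the way a -readpass file would be read:
 * at most max-1 bytes, then strip the terminator. Returns the password length, or
 * (size_t)-1 when the stream is unreadable or the password is empty after stripping
 * (a file holding only a newline is almost certainly a mistake, not an empty secret). */
size_t read_password_from_stream(FILE *f, char *out, size_t max)
{
    if (!f || max == 0) return (size_t)-1;
    size_t n = fread(out, 1, max - 1, f);
    if (n == 0 && ferror(f)) return (size_t)-1;
    size_t len = strip_line_terminator(out, n);
    return len == 0 ? (size_t)-1 : len;
}

/* Convenience for experiments: copy s into a scratch buffer and report the stripped length. */
size_t stripped_len_of(const char *s)
{
    char scratch[256];
    size_t n = strlen(s);
    if (n >= sizeof scratch) return (size_t)-1;
    memcpy(scratch, s, n);
    return strip_line_terminator(scratch, n);
}

/* Constructed sample mirroring the hexdump in the report ("mypassword" followed by 0a),
 * written to a temporary file and read back. Returns the password length, 10 on success. */
size_t demo_readpass_roundtrip(void)
{
    FILE *f = tmpfile();
    if (!f) return (size_t)-1;
    fputs("mypassword\n", f);
    rewind(f);
    char pass[128];
    size_t len = read_password_from_stream(f, pass, sizeof pass);
    fclose(f);
    if (len != (size_t)-1 && strcmp(pass, "mypassword") != 0) return (size_t)-1;
    return len;
}

int main(void)
{
    printf("password length after stripping: %zu\n", demo_readpass_roundtrip());  /* prints 10 */
    return 0;
}
```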

Failed to extract current message digest

Hello

I'm trying to use your software to verify an exe signature, in this way:

$ osslsigncode verify "soft.exe"

The software returns me this message:

Current PE checksum   : 00000000
Calculated PE checksum: 0C423E31

Failed to extract current message digest

Failed

Sadly I didn't find a way to give you more information (-verbose is not available for verify) and I can't give you the exe file.

I'm trying to patch a bit the files, I'll keep you informed.
Thanks
