osslsigncode cmd generates different executables each time about osslsigncode HOT 7 CLOSED

Yes, the files are signed at a different time, so the resulting signature is different even though the signature algorithm used by authenticode is deterministic.

from osslsigncode.

Removing the signing time attribute would help here, it isn't required and harms the reproducibilty. The issue remains for the counter signature though.

from osslsigncode.

Removing the signing time attribute would help here, it isn't required and harms the reproducibilty.

Reproducibility is not an expected feature of digital signatures.

The issue remains for the counter signature though.

Can you clarify, please?

from osslsigncode.

Reproducibility is not an expected feature of digital signatures

Reproducible builds are important, even when digital signatures are involved. The solution is to store the signature in a file which is shipped along the source release (either a tarball or in a tagged git repository). When rebuilding the project the signing process imports the detached signature from the file instead of generating a new signature.

from osslsigncode.

Reproducible builds are only useful for third parties (not for yourself), thus they require a production signature that does not expire. For the signature to remain valid beyond the expiration of its signing certificate, it needs to include a timestamp. By definition, this timestamp is not reproducible by third parties at a different point in time.

from osslsigncode.

The idea is to export the signature with the counter signature, the full PKCS#7 structure basically. That way the signed+timestamped binary is reproducible.

from osslsigncode.

If you copy the entire signature from a previous executable then you don't need signing with osslsigncode.

from osslsigncode.