Comments (7)
Yes, the files are signed at a different time, so the resulting signature is different even though the signature algorithm used by Authenticode is deterministic.
Removing the signing time attribute would help here, it isn't required and harms the reproducibility. The issue remains for the counter signature though.
> Removing the signing time attribute would help here, it isn't required and harms the reproducibility.

Reproducibility is not an expected feature of digital signatures.

> The issue remains for the counter signature though.

Can you clarify, please?
> Reproducibility is not an expected feature of digital signatures.

Reproducible builds are important, even when digital signatures are involved. The solution is to store the signature in a file which is shipped along with the source release (either a tarball or in a tagged git repository). When rebuilding the project the signing process imports the detached signature from the file instead of generating a new signature.
Reproducible builds are only useful for third parties (not for yourself), thus they require a production signature that does not expire. For the signature to remain valid beyond the expiration of its signing certificate, it needs to include a timestamp. By definition, this timestamp is not reproducible by third parties at a different point in time.
The idea is to export the signature with the counter signature, the full PKCS#7 structure basically. That way the signed+timestamped binary is reproducible.
If you copy the entire signature from a previous executable then you don't need signing with osslsigncode.
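The approach discussed above (keep the full PKCS#7, countersignature included, from the release and put it back on a rebuilt binary instead of signing again) at the PE level, as an added example that is not osslsigncode's own code. The PE image and the signature bytes are constructed stand-ins, the certificate table is assumed to sit at the end of the file as signing tools normally place it, and the PE checksum field is left untouched.

```python
"""Detach / re-attach the Authenticode certificate table of a PE file so a
stored PKCS#7 (with its timestamp countersignature) can be put back on a
byte-identical rebuild.  Added illustration; toy_pe32() is a constructed input."""
import struct

def _security_dir_offset(pe: bytes) -> int:
    """File offset of data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                                        # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    return opt + (128 if magic == 0x10B else 144)            # PE32 / PE32+

def detach_signature(pe: bytes) -> tuple[bytes, bytes]:
    """Return (image without the trailing certificate table, PKCS#7 DER)."""
    d = _security_dir_offset(pe)
    off, size = struct.unpack_from("<II", pe, d)             # file offset, not RVA
    if size == 0:
        return pe, b""
    if off + size != len(pe):
        raise ValueError("certificate table is not at end of file")
    length, rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE
    if rev != 0x0200 or ctype != 0x0002:                     # rev 2.0, PKCS_SIGNED_DATA
        raise ValueError("unsupported WIN_CERTIFICATE entry")
    stripped = bytearray(pe[:off])
    struct.pack_into("<II", stripped, d, 0, 0)               # clear the directory entry
    return bytes(stripped), pe[off + 8:off + length]

def attach_signature(pe: bytes, pkcs7: bytes) -> bytes:
    """Append a WIN_CERTIFICATE wrapping pkcs7 and point the directory at it."""
    body, _ = detach_signature(pe)                           # idempotent on signed input
    body = bytearray(body + bytes(-len(body) % 8))           # table must be 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    entry += bytes(-len(entry) % 8)                          # pad entry to 8 bytes
    struct.pack_into("<II", body, _security_dir_offset(pe), len(body), len(entry))
    return bytes(body + entry)

def toy_pe32() -> bytes:
    """Constructed 512-byte PE32 header: parsable by the code above, not loadable."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 0, 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)               # NumberOfRvaAndSizes
    return bytes(img)
```

Attaching the same stored blob to two byte-identical builds yields identical signed files, which is the reproducibility property the thread is after; osslsigncode itself exposes this workflow as its extract-signature and attach-signature commands.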