
I need to digitally sign and timestamp a PE file (EFI, actually) on Linux. I found 3 tools for signing PE files: pesign, osslsigncode and signcode (mono), but it seems none quite fits my needs. The problem is, the key is on a hardware token and cannot be exported. Therefore I have to create a certificate database, add a token driver entry there and work via this DB. Only pesign allows this, but it does not support timestamping. osslsigncode and signcode support timestamping, but they cannot use the database.

The Windows signtool.exe can perform signing and timestamping as separate steps. So I thought I might use pesign to sign the file and then only timestamp it with another tool. But as I discovered, osslsigncode and signcode do not support separate timestamping (in the osslsigncode project it's listed in the TODO file, but there is no sign of it in the repository yet).

Are there some tools I missed? Are there not-too-low-level libraries which would allow me to write such a program myself? (Preferably C/C++/Perl/Python.) I tried to get the timestamping code from osslsigncode, but failed to detach it easily from the prior steps (removing the existing signature and adding a new one).

P.S. I also tried to run signtool.exe under Wine, but 1) I failed to get it working, and 2) I'm not sure it's legally permitted (I'm not good at analyzing EULAs).

3 Answers


Since March 2015, there is a patch in osslsigncode which allows you to sign the code via a key on a PKCS#11 token. It is not part of an official release yet, so you have to build it yourself, but it works like a charm for me.

An example invocation looks like this:

osslsigncode sign -pkcs11engine /usr/lib/engines/engine_pkcs11.so -pkcs11module /usr/lib/libeTPkcs11.so -certs ~/mysigningcert.pem -key 0:42ff -in ~/filetosign.exe -out ~/signedfile.exe

The -pkcs11module switch takes the PKCS#11 library as its parameter; the parameter for -key is in the format slotID:keyID.

mat
  • Could you please elaborate how this patch helps? I managed to compile osslsigncode, but I don't understand what "pkcs11engine" and "pkcs11module" are. I tried to use SafeNet's libeToken.so as the module, and engine_pkcs11 as the engine (I had to compile it with libp11 as well), but when I try to sign a file, it fails: "Failed to read certificate file: (null)". From the source code I can see that the -certs argument is still required for the engine+module scheme. Where do I get it? I only have a token. – Konstantin Vlasov Jul 12 '15 at 15:05
  • I've extended my answer – mat Jul 13 '15 at 09:10
  • I didn't understand what certificate I'm supposed to supply and how do I get slotID and keyID, but when I simply exported the certificate from the token, `osslsigncode` agreed to sign my test file, even without the `-key` parameter. It's just a bit confusing why I should have exported the certificate explicitly if the program could have taken it directly from the token… But OK. I didn't perform extensive tests yet, but at first glance it looks it worked fine. Thanks for the tips! – Konstantin Vlasov Jul 15 '15 at 22:13
  • Hmm... in my case the signing process finished successfully... but verification fails – Monah Tuk Oct 03 '18 at 06:12

SignServer Enterprise Edition supports signing and time-stamping of PE files using Authenticode.

Hardware tokens are also supported through the PKCS#11 interface.

SignServer is typically set up on a separate server or VM and preferably runs on Linux (but Windows is also supported).

The files you want to sign can simply be sent to the server with an HTTP POST, and the response is the signed file.

https://www.signserver.org/

Markus
  • Funny, I have already implemented exactly the same approach myself, in simplified form, of course. :-) Thanks, I'll keep SignServer in mind in case we need something bigger. – Konstantin Vlasov Jun 20 '16 at 14:38

Current osslsigncode has a timestamp option, -t:

osslsigncode sign \
  -pkcs12 cert.pfx -pass "**********" \
  -t http://timestamp.digicert.com \
  -in app.exe  -out app-sign-with-timestamp.exe

See https://github.com/mtrojnar/osslsigncode

radistao
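Whichever tool does the signing, the question's real worry is whether the output ended up both signed and timestamped. The following Python script is an added example, not code from the thread or from the osslsigncode project: it walks the PE headers to the security data directory (entry 4), reads the WIN_CERTIFICATE wrapper, and scans the embedded PKCS#7 blob for the OIDs that mark an Authenticode signature and a timestamp countersignature (the legacy countersignature attribute 1.2.840.113549.1.9.6 or the RFC 3161 attribute 1.3.6.1.4.1.311.3.3.1). The OID scan is a byte-level heuristic rather than a full ASN.1 parse, so it only answers "is a timestamp present"; the sample image and certificate payloads are constructed stand-ins, and the file name on the command line is whatever you pass in.

```python
"""Report whether a PE/EFI image carries an Authenticode signature and a timestamp.
Added example (not from the thread). PE layout per the PE/COFF spec; OIDs per
PKCS#7 / Authenticode. Presence check only, not a cryptographic verification."""
import struct
import sys

# DER encodings of the OIDs we look for inside the WIN_CERTIFICATE payload.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")    # 1.2.840.113549.1.7.2
OID_SPC_INDIRECT_DATA = bytes.fromhex("060a2b060104018237020104")  # 1.3.6.1.4.1.311.2.1.4
OID_COUNTERSIGNATURE = bytes.fromhex("06092a864886f70d010906")     # 1.2.840.113549.1.9.6
OID_RFC3161_TIMESTAMP = bytes.fromhex("060a2b060104018237030301")  # 1.3.6.1.4.1.311.3.3.1

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for Authenticode

def security_directory(data):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if absent.
    For this entry the 'VirtualAddress' field is a raw file offset, not an RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        ndirs_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+ (x64 EFI binaries)
        ndirs_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] < 5:
        return None
    off, size = struct.unpack_from("<II", data, dirs + 4 * 8)   # entry 4 = security
    return (off, size) if off and size else None

def inspect_pe(data):
    """Summarise signature / timestamp presence for one PE image as a dict."""
    result = {"signed": False, "authenticode": False, "timestamped": False, "timestamp_kind": None}
    entry = security_directory(data)
    if entry is None:
        return result
    off, size = entry
    blob = data[off:off + size]
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate (DER PKCS#7)
    length, _revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > len(blob):
        return result
    pkcs7 = blob[8:length]
    result["signed"] = OID_PKCS7_SIGNED_DATA in pkcs7
    result["authenticode"] = OID_SPC_INDIRECT_DATA in pkcs7
    if OID_RFC3161_TIMESTAMP in pkcs7:
        result["timestamped"], result["timestamp_kind"] = True, "rfc3161"
    elif OID_COUNTERSIGNATURE in pkcs7:
        result["timestamped"], result["timestamp_kind"] = True, "authenticode"
    return result

def build_sample_pe(cert_payload=None):
    """Construct a minimal PE32+ image (headers only, no sections) whose security
    directory points at cert_payload. Constructed test input, not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte opt header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    wincert = b""
    if cert_payload is not None:
        wincert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200,
                              WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_payload
        struct.pack_into("<II", opt, 112 + 4 * 8, headers_len, len(wincert))
    return dos + b"PE\0\0" + coff + bytes(opt) + wincert

# Constructed stand-ins for a DER PKCS#7 blob: just the OIDs with filler around them.
SAMPLE_SIGNED_ONLY = b"\x30\x82" + OID_PKCS7_SIGNED_DATA + OID_SPC_INDIRECT_DATA + b"\x00" * 16
SAMPLE_SIGNED_TIMESTAMPED = SAMPLE_SIGNED_ONLY + OID_RFC3161_TIMESTAMP + b"\x00" * 16

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print(inspect_pe(f.read()))
    else:
        print("unsigned   :", inspect_pe(build_sample_pe(None)))
        print("signed only:", inspect_pe(build_sample_pe(SAMPLE_SIGNED_ONLY)))
        print("signed + ts:", inspect_pe(build_sample_pe(SAMPLE_SIGNED_TIMESTAMPED)))
```

Run it with a path to a signed EFI binary to see which of the two timestamp forms the signer produced; without arguments it exercises the three constructed images. When the result says "signed" but not "timestamped", the signature will stop validating once the signing certificate expires, which is exactly the gap the question's two-step workflow is trying to close; `osslsigncode verify` remains the tool for checking the signature itself.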