4
votes

Can you help me figure out how to sign my software with a certificate? You know that signtool works only on Windows machines, but I need to sign files on a Linux server. Right now the system works like this: the file is built on a Linux server, then it is moved to a Windows server for signing, and then back to Linux again.

I searched Google and found a new way of signing, with the osslsigncode program.

My problem now is how to convert the certificate from the MS format to the osslsigncode format. These are the steps I do now. I permanently have two files: cert.crt and key.blob. First I need to convert them to .pfx format, which I do with:

openssl rsa -inform MS/PRIVATEKEYBLOB -in key.blob -outform PEM -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out key.pvk
pvk2pfx -pvk key.pvk -pi 1234 -spc cert.crt -pfx cert.pfx

Then I can sign my software with the command

signtool.exe sign /v /f cert.pfx /p 1234 soft.exe

Can you tell me what conversion steps I need to do to use the osslsigncode program?


1 Answer

8
votes

http://development.adaptris.net/users/lchan/blog/2013/06/07/signing-windows-installers-on-linux/ worked for me... kudos to the original author.

In case that's ever lost, the pertinent steps are:

To do the signing, you basically have to export your key from your keystore [...] as a PKCS12/PFX file so that you can convert it using openssl[...].

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl rsa -in key.pem -outform DER -out authenticode.key
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
osslsigncode -spc authenticode.spc -key authenticode.key -t http://timestamp.verisign.com/scripts/timstamp.dll -in install.exe -out install-signed.exe
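
The conversion steps from the answer above as one script, added here as an example and not part of the original answer or the linked blog post: it keeps the unencrypted key files owner-only, reads the PFX password from an environment variable, and checks that the extracted key matches the signing certificate before anything is signed. The helper names, the `PFX_PASS` variable and the throwaway self-signed PFX are assumptions made for the example.

```shell
#!/bin/sh
# Added example; helper names and PFX_PASS are hypothetical, not from the answer.
# The PFX password is read from $PFX_PASS so it never shows up in the process list.

# Succeeds only if the DER private key and the PEM certificate share a public key.
key_matches_cert() {  # $1 = DER key, $2 = PEM certificate
    kmc_key=$(openssl rsa -inform DER -in "$1" -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kmc_key" = "$kmc_crt" ]
}

# Converts PFX $1 into $2/authenticode.key and $2/authenticode.spc.
pfx_to_osslsigncode() (
    set -e
    umask 077              # -nodes writes the key unencrypted: owner-only files
    mkdir -p "$2"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes -out "$2/key.pem"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -out "$2/cert.pem"
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts -out "$2/leaf.pem"
    openssl rsa -in "$2/key.pem" -outform DER -out "$2/authenticode.key"
    openssl crl2pkcs7 -nocrl -certfile "$2/cert.pem" -outform DER -out "$2/authenticode.spc"
    rm -f "$2/key.pem"     # drop the intermediate PEM copy of the private key
    key_matches_cert "$2/authenticode.key" "$2/leaf.pem"
)

# Builds a throwaway self-signed PFX (constructed test data, not a real signing cert).
make_test_pfx() (  # $1 = working directory; writes $1/test.pfx
    set -e
    umask 077
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Signer" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" -passout env:PFX_PASS -out "$1/test.pfx"
)

# Demo on constructed data; with a real PFX, sign afterwards as in the answer above.
export PFX_PASS="constructed-demo-pass"
demo=$(mktemp -d)
make_test_pfx "$demo" && pfx_to_osslsigncode "$demo/test.pfx" "$demo/out" \
    && echo "key and certificate match"
rm -rf "$demo"
```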