I encountered somewhat peculiar behavior when trying to automate compilation and signing of a particular NSIS-based binary. Namely, makensis is run under wine to compile the executable, and afterwards osslsigncode is used to sign the binary.
The executable seems to be built fine, as it works on Windows systems; however, there's an issue (for lack of a better word) with the signing. As the code signing certificate is in PKCS#12 format, the command used is as suggested here:
osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
I get a "Succeeded" message from osslsigncode, as if the signing went OK; however, when the binary is run on Windows (Win 7 in this case), UAC says:
Publisher: Unknown
The strange thing is that when I opened the cert extracted from the original .p12 file to view its info, Windows was afterwards able to recognize the publisher and the digital signature, as if it somehow became aware of the certification path...?
Any advice would be appreciated.
EDIT 1
osslsigncode versions used: 1.5.2 and 1.7.1
EDIT 2
For the sake of comparison, I tried signing with SignTool, and apparently it works without any problem. So this looks like a cert + osslsigncode issue, but I can't tell what it is exactly.
I also tried osslsigncode on the exact same EXE with another cert, and to make matters more interesting, it worked... (I noticed the certification paths differ for the 2 certs).
Some cert details:
1) non-working cert
version: V3
public key: RSA 2048 bits
signature hash algorithm: sha1
signature algorithm: sha1RSA
certification path: USERTrust -> Comodo Code Signing CA 2 -> NonWorkingCert
2) working cert
version: V3
public key: RSA 2048 bits
signature hash algorithm: sha1
signature algorithm: sha1RSA
certification path: USERTrust -> UTN-UserFirst-Object -> Comodo Code Signing CA 2 -> WorkingCert
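A check a reader could run when comparing the two certificates, added here as an example and not part of the original post: it parses the text printed by `openssl pkcs12 -in <pkcs12-file> -nokeys` and reports how far the certification path can be followed using only the certificates inside the bundle. The function names and both sample inputs are constructed (the CNs are borrowed from the paths listed above; what the asker's .p12 files actually contain is not known), and the walk assumes the signing certificate is printed first.

```python
import re

# Constructed samples shaped like `openssl pkcs12 -in <pkcs12-file> -nokeys` output
# (PEM bodies omitted). CNs are taken from the post; bundle contents are assumed.
LEAF_ONLY = """\
Bag Attributes
subject=/C=XX/CN=NonWorkingCert
issuer=/C=XX/CN=Comodo Code Signing CA 2
"""
FULL_CHAIN = """\
subject=C = XX, CN = WorkingCert
issuer=C = XX, CN = Comodo Code Signing CA 2
subject=C = XX, CN = Comodo Code Signing CA 2
issuer=C = XX, CN = UTN-UserFirst-Object
subject=C = XX, CN = UTN-UserFirst-Object
issuer=C = XX, CN = USERTrust
subject=C = XX, CN = USERTrust
issuer=C = XX, CN = USERTrust
"""

def _norm(dn):  # OpenSSL prints "CN=x" (1.0.x) or "CN = x" (1.1+); use one spelling
    return re.sub(r"\s*=\s*", "=", dn.strip())

def _cn(dn):
    m = re.search(r"(?:^|[/,\s])CN=([^/,]+)", dn)
    return m.group(1).strip() if m else dn

def parse_bundle(text):
    """Return [(subject, issuer), ...] in the order the certificates appear."""
    certs, subject = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("subject="):
            subject = _norm(line[len("subject="):])
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, _norm(line[len("issuer="):])))
    return certs

def chain_report(text):
    """Walk up from the first certificate; return (path of CNs, missing issuer CN or None)."""
    certs = parse_bundle(text)
    if not certs: raise ValueError("no subject=/issuer= lines found")
    by_subject, path, current = dict(certs), [], certs[0][0]
    while current in by_subject and _cn(current) not in path:  # second test stops loops
        path.append(_cn(current))
        if by_subject[current] == current:   # self-signed root: path is complete
            return path, None
        current = by_subject[current]
    return path, _cn(current)                # issuer not present in the bundle

print(chain_report(LEAF_ONLY), chain_report(FULL_CHAIN))
```

A non-None second value names the first issuer that a verifier would have to obtain from somewhere other than the bundle.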