Konstantin Vlasov - 5 months ago

How to add timestamp certificate to a signed PE file on Linux?

I need to digitally sign&timestamp a PE file (EFI, actually) on Linux. I found 3 tools for signing PE files: `pesign`, `osslsigncode` and `signcode` (mono), but it seems none quite fits my needs. The problem is, the key is on a hardware token and cannot be exported. Therefore I have to create a certificate database, add token driver entry there and work via this DB. Only `pesign` allows this, but it does not support timestamping. `osslsigncode` and `signcode` support timestamping, but they cannot use the database.

The Windows `signtool.exe` can perform signing and timestamping as separate steps. So I thought, I might use `pesign` to sign the file and then only timestamp it with another tool. But as I discovered, `osslsigncode` and `signcode` do not support separate timestamping (in the `osslsigncode` project it's listed in the `TODO` file, but no signs of it in the repository yet).

Are there some tools I missed? Are there not-too-low-level libraries which would allow me to write such a program myself? (Preferably C/C++/Perl/Python.) I tried to get the timestamping code from `osslsigncode`, but failed to detach it easily from the prior steps (removing the existing signature and adding a new one).

P.S. I also tried to run `signtool.exe` under wine, but 1) failed to get it working, and 2) I'm not sure it's legally permitted (I'm not good at analyzing EULAs).

mat
Answer

Since March 2015, there is a patch in osslsigncode which allows you to sign the code via a key on a PKCS#11 token. It is not part of an official release yet, so you have to build it yourself, but it works like a charm for me.

An example invocation looks like this:

osslsigncode sign -pkcs11engine /usr/lib/engines/engine_pkcs11.so -pkcs11module /usr/lib/libeTPkcs11.so  -certs ~/mysigningcert.pem  -key 0:42ff -in ~/filetosign.exe -out ~/signedfile.exe

The `-pkcs11module` switch takes the PKCS#11 library as a parameter; the parameter for `-key` is in the format `slotID:keyID`.