Yubico / yubico-piv-tool

Command line tool for the YubiKey PIV application
https://developers.yubico.com/yubico-piv-tool
BSD 2-Clause "Simplified" License

write documentation for windows codesigning #21

Open klali opened 9 years ago

klali commented 9 years ago

Windows codesigning (both native and with osslsigncode) is possible; this should be documented.

ismail commented 7 years ago

I would appreciate some docs on this :-)

denishonig commented 4 years ago

Any news?

adamretter commented 4 years ago

Any documentation on using osslsigncode please?

denishonig commented 4 years ago

@klali do you know how to sign with osslsigncode if the cert is in a YubiKey? Thanks

klali commented 4 years ago

I know that it used to work with the opensc pkcs11 module and a command line like:

$ osslsigncode sign -pkcs11engine /path/to/engine_pkcs11.so -pkcs11module /path/to/opensc-pkcs11.so -key slot_1-id_2 -certs /path/to/cert.pem -h sha256 -comm -t "http://tsa.starfieldtech.com" in.exe out.exe

This obviously requires a version of osslsigncode with pkcs11 support (and I haven't tried it for several years).

g-bougard commented 2 years ago

Just to put my 2 cents, I managed to use osslsigncode with yubico-piv-tool on Fedora 34 to sign with such a command:

osslsigncode sign -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so -pkcs11module /usr/lib64/libykcs11.so.2 -key "pkcs11:id=%01;type=private?pin-value=XXXXXXXX" -certs ev-code-signing-chain.crt -h sha256 -ts http://ts.ssl.com not-signed.msi signed.msi

XXXXXXXX must be replaced by your YubiKey PIN for the 9a slot. Here I'm using -ts http://ts.ssl.com as I'm using my YubiKey provider's RFC3161 timestamp server, but you can use the -t option in its place if your timestamp server is not RFC3161 compliant. The -certs option points to a file where I concatenated my EV code-signing certificate with all CA and intermediate authority certificates.

I thank @klali for pointing me down the right road ;-)
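A small sh wrapper around the command above, added here as an example (it is not from the issue thread or the yubico-piv-tool project). It builds the PKCS#11 URI from the PIV slot name and reads the PIN from a file via pin-source instead of embedding it with pin-value, so the PIN does not end up in `ps` output or shell history, and it verifies the result afterwards. The Fedora engine/module paths are the ones quoted above; the ids for slots 9c/9d/9e and libp11's support for pin-source are assumptions.

```shell
#!/bin/sh
# Example wrapper, not part of yubico-piv-tool. Paths follow the Fedora 34
# layout from the comment above; adjust for your distribution.
ENGINE=/usr/lib64/engines-1.1/pkcs11.so
MODULE=/usr/lib64/libykcs11.so.2
TSA=http://ts.ssl.com

# ykcs11 object id for a PIV slot. 9a -> 1 is what the thread uses; the
# 9c/9d/9e values are assumed from the ykcs11 slot mapping, so confirm
# them with: pkcs11-tool --module "$MODULE" -O
piv_key_id() {
    case "$1" in
        9a) echo 01 ;; 9c) echo 02 ;; 9d) echo 03 ;; 9e) echo 04 ;;
        *)  return 1 ;;
    esac
}

# RFC 7512 PKCS#11 URI. CKA_ID is binary, hence the %XX byte encoding
# (id=%01 for slot 9a). The PIN comes from a file (pin-source, assumed
# supported by engine_pkcs11/libp11) rather than pin-value on the command
# line. The file should be mode 0600 and live on tmpfs.
pkcs11_uri() {
    id=$(piv_key_id "$1") || return 1
    printf 'pkcs11:id=%%%s;type=private?pin-source=file:%s\n' "$id" "$2"
}

# Chain file for -certs: leaf first, then intermediates, then the root CA.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# sign_and_verify SLOT PINFILE CHAIN IN OUT
sign_and_verify() {
    uri=$(pkcs11_uri "$1" "$2") || return 1
    osslsigncode sign -pkcs11engine "$ENGINE" -pkcs11module "$MODULE" \
        -key "$uri" -certs "$3" -h sha256 -ts "$TSA" "$4" "$5" || return 1
    # Check the signature and timestamp before shipping the binary.
    osslsigncode verify "$5"
}

# Usage (not run here):
#   build_chain chain.crt ev-leaf.crt intermediate.crt root.crt
#   sign_and_verify 9a /run/user/1000/piv.pin chain.crt not-signed.msi signed.msi
```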