ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Sign arbitrary data file and produce detached PKCS#7 signature file? #146

Closed wilx closed 1 year ago

wilx commented 1 year ago

Is it possible to use this utility to sign an arbitrary data file and produce a PKCS#7 detached signature which would be verifiable via, e.g., the signver utility?

ebourg commented 1 year ago

Jsign can generate a detached PKCS#7 signature, but I don't think signver will be able to verify it. As I understand it, signver hashes the whole file, but an Authenticode signature hash may skip some parts of the file (such as the checksum field in a PE file, or the header in an MSI file).

wilx commented 1 year ago

Signing an entire file is what I want.

ebourg commented 1 year ago

Another point worth noting: the object signed by Authenticode is a SpcIndirectDataContent structure containing the hash of the file. Unless signver knows how to build this structure, it won't be able to verify the signature.
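Added example (not part of the thread and not Jsign's code): a simplified Python sketch of the PE case discussed above, showing that an Authenticode-style digest skips the checksum field, the certificate table directory entry and the certificate table itself, so it differs from the whole-file hash a generic PKCS#7 verifier would compute. The sample images and the names `skipped_ranges`, `authenticode_digest` and `build_sample` are constructed for illustration; wrapping the digest in SpcIndirectDataContent is not shown.

```python
import hashlib
import struct

def skipped_ranges(pe: bytes):
    """Byte ranges a PE Authenticode digest leaves out, as sorted (start, end) pairs."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                                     # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is the certificate table.
    cert_entry = opt + (96 if magic == 0x10B else 112) + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    ranges = [(opt + 64, opt + 68), (cert_entry, cert_entry + 8)]  # CheckSum, directory entry
    if cert_size:
        ranges.append((cert_off, cert_off + cert_size))   # the embedded signature itself
    return sorted(ranges)

def authenticode_digest(pe: bytes, algo: str = "sha256") -> bytes:
    """Hash the image while leaving out the ranges above (simplified, PE only)."""
    h, pos = hashlib.new(algo), 0
    for start, end in skipped_ranges(pe):
        h.update(pe[pos:start])
        pos = end
    h.update(pe[pos:])
    return h.digest()

def whole_file_digest(data: bytes, algo: str = "sha256") -> bytes:
    """What a generic detached-signature verifier hashes: every byte."""
    return hashlib.new(algo, data).digest()

def build_sample(checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32-shaped buffer (headers only, not a loadable image)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 64, checksum)
    if cert:
        struct.pack_into("<II", img, opt + 128, len(img), len(cert))
    return bytes(img) + cert

UNSIGNED = build_sample()
SIGNED = build_sample(checksum=0x1234, cert=b"constructed signature blob")

if __name__ == "__main__":
    print("authenticode equal:", authenticode_digest(UNSIGNED) == authenticode_digest(SIGNED))
    print("whole-file equal:  ", whole_file_digest(UNSIGNED) == whole_file_digest(SIGNED))
```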