ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

feature idea: re-sign a CSR #236

Open amlynnworth opened 2 weeks ago

amlynnworth commented 2 weeks ago

Hi, this is just a suggestion for something I am trying to do without Python, and that is to replace the signature and public key values within a Certificate Signing Request ("CSR").

This is the python-based solution: https://github.com/g-a-d/aws-kms-sign-csr

I think that, combined with AWS KMS (not AWS CloudHSM), there could be a relatively cost-effective solution for independent software developers who need to code-sign in a continuous integration situation, i.e. from the command line on a remote "build" computer. Step 1 of that is to securely sign a CSR to give to a third-party certificate supplier, so that the resulting EXE signature shows up as valid.

Meanwhile thank you for everything jsign already does.

ebourg commented 2 weeks ago

Interesting idea, thank you. Signing a CSR is fairly easy in Java with Bouncy Castle (https://stackoverflow.com/questions/7230330/sign-csr-using-bouncy-castle); however, Jsign handles PKCS#7 signatures instead of the raw signed hashes found in CSR files. It might be possible to wrap the raw hash into a fake PKCS#7 structure to work around this mismatch, though; I'll think about it.
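To make the "re-sign a CSR" step concrete, here is an added Java/Bouncy Castle example (not Jsign code, and not from this thread) of what the Python tool linked above does: it takes an existing PKCS#10 request, keeps its subject and attributes, swaps in the public key of a non-exportable key, and replaces the signature with one produced by a remote signer. The `RemoteKeyContentSigner` class and its `Function<byte[], byte[]>` callback are assumptions of this example: in a real setup the callback would call a service such as KMS Sign; here a second local RSA key stands in for the remote key so the example runs offline with only `bcprov` and `bcpkix` on the classpath.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.function.Function;

import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.pkcs.CertificationRequest;
import org.bouncycastle.asn1.pkcs.CertificationRequestInfo;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class ResignCsrExample {

    /** Hypothetical ContentSigner that hands the to-be-signed bytes to a remote signing callback. */
    static class RemoteKeyContentSigner implements ContentSigner {
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        private final Function<byte[], byte[]> remoteSign;   // e.g. a KMS Sign call (assumed)
        private final AlgorithmIdentifier algorithm =
                new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");

        RemoteKeyContentSigner(Function<byte[], byte[]> remoteSign) { this.remoteSign = remoteSign; }
        public AlgorithmIdentifier getAlgorithmIdentifier() { return algorithm; }
        public OutputStream getOutputStream() { return buffer; }
        // The private key never leaves the remote service; only the message and the signature travel.
        public byte[] getSignature() { return remoteSign.apply(buffer.toByteArray()); }
    }

    /** Re-sign an existing CSR: same subject and attributes, new public key, new signature. */
    public static PKCS10CertificationRequest resign(PKCS10CertificationRequest original,
                                                    SubjectPublicKeyInfo newPublicKey,
                                                    ContentSigner signer) throws Exception {
        CertificationRequestInfo oldInfo = original.toASN1Structure().getCertificationRequestInfo();
        CertificationRequestInfo newInfo = new CertificationRequestInfo(
                oldInfo.getSubject(), newPublicKey, oldInfo.getAttributes());
        // The signature in PKCS#10 covers the DER encoding of CertificationRequestInfo.
        OutputStream out = signer.getOutputStream();
        out.write(newInfo.getEncoded(ASN1Encoding.DER));
        out.close();
        CertificationRequest req = new CertificationRequest(
                newInfo, signer.getAlgorithmIdentifier(), new DERBitString(signer.getSignature()));
        return new PKCS10CertificationRequest(req);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair throwaway = gen.generateKeyPair();   // key used only to produce the initial CSR
        KeyPair remote = gen.generateKeyPair();      // stand-in for the non-exportable KMS key

        // Original CSR, as a CA's web form or `openssl req` would produce it (constructed here).
        X500Name subject = new X500Name("CN=Example Publisher, O=Example Ltd, C=US");
        PKCS10CertificationRequest original = new JcaPKCS10CertificationRequestBuilder(
                subject, throwaway.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(throwaway.getPrivate()));

        // Constructed stand-in for the remote service: signs the raw message with SHA256withRSA.
        PrivateKey remotePriv = remote.getPrivate();
        Function<byte[], byte[]> kmsSignStandIn = msg -> {
            try {
                Signature s = Signature.getInstance("SHA256withRSA");
                s.initSign(remotePriv);
                s.update(msg);
                return s.sign();
            } catch (Exception e) { throw new IllegalStateException(e); }
        };

        PKCS10CertificationRequest resigned = resign(original,
                SubjectPublicKeyInfo.getInstance(remote.getPublic().getEncoded()),
                new RemoteKeyContentSigner(kmsSignStandIn));

        // What the CA will check: the signature must verify under the key embedded in the CSR.
        boolean valid = resigned.isSignatureValid(
                new JcaContentVerifierProviderBuilder().build(remote.getPublic()));
        boolean keySwapped = resigned.getSubjectPublicKeyInfo().equals(
                SubjectPublicKeyInfo.getInstance(remote.getPublic().getEncoded()));
        System.out.println("subject kept : " + resigned.getSubject().equals(subject));
        System.out.println("key swapped  : " + keySwapped);
        System.out.println("sig valid    : " + valid);
    }
}
```

The point of the `ContentSigner` indirection is that Bouncy Castle never needs the private key object at all: only the DER-encoded `CertificationRequestInfo` goes out and a signature comes back, which is exactly the shape of a KMS- or HSM-backed workflow. Before submitting to a CA, verify the re-signed request against the new public key as the last lines do; a mismatch there means the certificate issued would not correspond to the key that later signs the executable.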

amlynnworth commented 2 weeks ago

Thanks! I found a very useful ASN.1 visualizer today: https://lapo.it/asn1js/ -- useful at least for those of us who do not already see the structure and sequences clearly.

And, to help the search engines, ASN.1 for Dummies