ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Signing batches of files #87

Closed GunArm closed 2 years ago

GunArm commented 3 years ago

This wonderful project has saved me from a jam as a reliable, self-contained, portable way to sign code in Windows. I have a (simply configured) environment where the MS certificate security model is incomprehensibly "tripping over its feet". To spare the details, signing problems were holding up a project for quite some time. Big thanks!

I'm wondering if there's a way to sign multiple files at a time. I am signing with the jar file like java -jar jsign.x.jar ... because it was the easiest way to bootstrap it into my pipeline. I have only found a way to sign one file at a time, so it takes repeated calls to sign the 22 files in my application bundle. It takes about 6 seconds for each of these calls; in total it takes a bit over 2 minutes for my signing stage. I imagine the time is related to phoning out to the timestamp server, although surely starting the JVM each time is a factor as well, maybe a toss-up between the two. I wonder if there was a way to have it sign multiple files in a batch, with the same JVM instance and a single call to the timestamp server, if it could do all files in 7 instead of 132 seconds.

I have tried providing a space delineated list of files after the command options. Is there another way to do it? Or would it be a worthwhile enhancement?

ebourg commented 3 years ago

Thank you for the feedback, I'm glad to hear jsign is useful to you.

Batch signing has already been suggested (#68) but hasn't been implemented yet. The processing time is dominated by the timestamping; I guess that could save about 0.5 second per file. Maybe more globally with some level of parallelism.

GunArm commented 3 years ago

Sorry, missed #68, on second look I might have only looked through the closed issues.

In principle, is it even possible to sign two files with one timestamp request? I'm not very knowledgeable about this but looking superficially at the code it seems like the request to the timestamp server includes a digest specific to a single file in question. Is this an unavoidable aspect of the nature of timestamped signatures?

ebourg commented 3 years ago

In principle, is it even possible to sign two files with one timestamp request?

No, the timestamping protocol is designed for one file per request only.
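As an added illustration of that point (not code from jsign or its author), the following Python builds a minimal RFC 3161 TimeStampReq and reads the digest back out of it: the messageImprint carries the hash of exactly one signature value, so a batch of files still means one request per file. The two signature byte strings are constructed stand-ins; the SHA-256 imprint and certReq=TRUE are assumptions for the example.

```python
# Added example: minimal RFC 3161 TimeStampReq builder (not jsign code).
# The messageImprint holds the digest of ONE signature value, which is why a
# single timestamp request cannot cover several files.
import hashlib

# DER encoding of OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 (sha256)
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and two-byte long-form lengths suffice here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 added when the high bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def timestamp_request(signature: bytes, nonce: int) -> bytes:
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce, certReq TRUE }."""
    digest = hashlib.sha256(signature).digest()
    alg_id = der(0x30, SHA256_OID + b"\x05\x00")         # AlgorithmIdentifier {sha256, NULL}
    imprint = der(0x30, alg_id + der(0x04, digest))      # MessageImprint, tied to one signature
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))

def tlv(buf: bytes, pos: int):
    """Read one short-form TLV; returns (tag, content, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2 : pos + 2 + n], pos + 2 + n

def imprint_digest(request: bytes) -> bytes:
    """Extract hashedMessage from a request built by timestamp_request()."""
    _, body, _ = tlv(request, 0)        # TimeStampReq
    _, _, pos = tlv(body, 0)            # skip version
    _, imprint, _ = tlv(body, pos)      # MessageImprint
    _, _, pos = tlv(imprint, 0)         # skip hashAlgorithm
    return tlv(imprint, pos)[1]         # hashedMessage

def batch_requests(signatures):
    """One request per file; each nonce is distinct so responses can be matched."""
    return [timestamp_request(sig, nonce=i + 1) for i, sig in enumerate(signatures)]

if __name__ == "__main__":
    # constructed stand-ins for the signature values of two files in a bundle
    sigs = [b"signature-bytes-of-app.exe", b"signature-bytes-of-helper.dll"]
    for sig, req in zip(sigs, batch_requests(sigs)):
        print(imprint_digest(req).hex()[:16], "<-", req.hex()[:24], "...")
```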

GunArm commented 3 years ago

I see. Thanks for the clarification. In that case it seems the most which could be done is to process each file provided sequentially, cutting the JVM init overhead from many repeated invocations. There would be no need to modify the jsign core. And implementing the feature for maven and CLI would probably be isolated to their respective "launch plugins".

It looks like the simplest approach for CLI would be a loop (and maybe some error checks) on lines 109-111 of JsignCLI.java

I would be willing to make a PR, but since I'm a decade rusty with Java first I'd need to relearn some of the environment, figure out how to compile it and maybe write a few tests. Maybe when I reach a stopping point on my current project (now unclogged thanks to jsign) I'll revisit it. That is, if you approve of the approach and idea generally.

ebourg commented 2 years ago

Jsign 4.0 is now able to sign multiple files with a single invocation from the command line.