mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Verification success on v1.7.1 but failed on 2.2 #174

Closed vm6ej04 closed 2 years ago

vm6ej04 commented 2 years ago

Hi there, I have an older Ubuntu 18 server and a newer Ubuntu 22 server. On Ubuntu 18 we have osslsigncode 1.7.1 installed; I believe it's deprecated, and I couldn't find it anymore when installing on Ubuntu 22, so the version on 22 is 2.2.0.

I call the command osslsigncode verify sample.exe => it succeeds on 1.7.1 but gives an error saying "please use -CAfile option to add one or more trusted CA certificates to verify....." with 2.2.0.

I have a few questions.

  1. Where is 1.7.1 looking for its CA files? How come 2.2 doesn't behave the same?
  2. When I try to call it with the command syntax osslsigncode verify sample.exe -CAfile /etc/ssl/certs/ca-certificate.crt (I saw this path somewhere in the issues; I assume this is what I should include) it returns "Unknown option: sample.exe".
  3. Is it possible to give osslsigncode a default CAfile path? Or what's the proper way to use the -CAfile option?
mtrojnar commented 2 years ago

Great question. @olszomal has introduced a major improvement in the way verification works. Older versions of osslsigncode only verify whether the signature is correct (ignoring the signing certificate chain). New versions of osslsigncode also verify whether the signature is trusted (signed with a trusted certificate chain).

As for the command, did you mean osslsigncode verify -CAfile /etc/ssl/certs/ca-certificate.crt sample.exe?

vm6ej04 commented 2 years ago

Thanks for the reply. I eventually figured out I have to call it like this: osslsigncode verify -in file-to-be-verified.exe -CAfile /etc/ssl/certs/ca-certificates.crt. Though it seemed to succeed, I still got an error saying TSA file's certificate not found.... Where can I find it on an Ubuntu machine to pass to the -TSfile option?

mtrojnar commented 2 years ago

@olszomal: Do I correctly remember that you investigated usefulness of system certificates for authenticode verification? Can you help?

olszomal commented 2 years ago

On my Ubuntu 21:

$ curl-config --ca 
/etc/ssl/certs/ca-certificates.crt

osslsigncode searches -CAfile and -TSA-CAfile files in the following locations by default:

You can provide other files containing trusted CA certificates or Time-Stamp Authority certificates if you need to.

vm6ej04 commented 2 years ago

If osslsigncode searches those files by default, how come I still have to pass the -CAfile option with /etc/ssl/certs/ca-certificates.crt? I don't get it.

curl-config --ca returns an empty line... meaning my Ubuntu doesn't know where to find the CA certs? Where can I set it?

Also... I'm trying to find the so-called Time-Stamp Authority certificates; where can I get them? Do I just randomly find them online? Sorry, I'm a total noob with code signing. Just helping out a colleague.

vm6ej04 commented 2 years ago

osslsigncode -in sample.exe -CAfile /etc/ssl/certs/ca-certificates.crt -TSA-CAfile /etc/ssl/certs/ca-certificates.crt this SEEMS to work; one thing that's weird is an error message https://imgur.com/dvu3isd
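
The working invocation above, wrapped in a small POSIX shell helper that also covers the empty curl-config --ca case raised earlier in this thread. This is an added example written for this page, not a script from the osslsigncode project. It assumes the usual distribution locations for the system CA bundle (Debian/Ubuntu, RHEL/Fedora, Alpine) and uses a hypothetical OSSLSIGNCODE_CAFILE environment variable as an override; the osslsigncode 2.x options used (verify -in FILE -CAfile BUNDLE -TSA-CAfile BUNDLE) are the ones that work in the thread.

```shell
#!/bin/sh
# Added example for this issue thread, not code from osslsigncode itself.
# Finds a CA bundle and runs the osslsigncode 2.x verify syntax that
# vm6ej04 ended up with: options first, the input file via -in.

# Print the first readable file among the arguments. Empty arguments are
# skipped, which covers the blank line curl-config --ca prints on some
# systems (as reported in this thread). Returns 1 if nothing is usable.
find_ca_bundle() {
    for candidate in "$@"; do
        if [ -n "$candidate" ] && [ -r "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Candidate order: explicit override (OSSLSIGNCODE_CAFILE is an assumed
# name for this example), whatever libcurl was built against, then the
# common distribution bundle paths (assumed defaults, adjust as needed).
default_ca_bundle() {
    find_ca_bundle \
        "${OSSLSIGNCODE_CAFILE:-}" \
        "$(curl-config --ca 2>/dev/null || true)" \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/cert.pem
}

# Verify a PE/MSI/CAB file. Exit status 0 means the signature is valid AND
# chains to a certificate in the bundle, which is the extra check 2.x added
# over 1.7.1. The same bundle is reused for the timestamp (-TSA-CAfile)
# chain; point it elsewhere if you keep TSA roots separately.
# DRY_RUN=1 prints the command instead of running it.
verify_pe() {
    file=$1
    ca=$(default_ca_bundle) || {
        echo "no CA bundle found; set OSSLSIGNCODE_CAFILE or pass -CAfile by hand" >&2
        return 2
    }
    set -- osslsigncode verify -in "$file" -CAfile "$ca" -TSA-CAfile "$ca"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@"
}

# Usage: sh verify-pe.sh sample.exe   (or DRY_RUN=1 sh verify-pe.sh sample.exe)
if [ $# -gt 0 ]; then
    verify_pe "$1"
fi
```

Because 2.x treats an untrusted chain as a failure, a non-zero exit from verify_pe is the signal to act on in a pipeline; the older 1.7.1 behaviour (signature mathematically correct, chain ignored) is not something to reproduce by simply dropping -CAfile.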

olszomal commented 2 years ago

Version 2.2 is not the latest version of osslsigncode. Could you reproduce this issue against the latest release: https://github.com/mtrojnar/osslsigncode/releases/tag/2.5

vm6ej04 commented 2 years ago

I used apt to install; apparently the latest in the registry is 2.2. I'll try installing 2.5 using the tar.gz and see if it makes any difference. (update) I downloaded the .gz and did the tar xvzf thing, and now I can't find the ./configure file my Google results show. Does the gz file in the release come with an installation script? Do I need to build first? How do I install it manually? ^^"

mtrojnar commented 2 years ago

Have you tried reading README.md?

vm6ej04 commented 2 years ago

Thanks, I went back and had a read. It may be crystal clear for people who have experience building executables on Linux using cmake, but not for me.

For people who have no idea what to do with the tar.gz, like I did... I'll leave my steps here for people to reference.

  1. Unzip the tar.gz from the release.
  2. Run sudo apt update && sudo apt install cmake libssl-dev libcurl4-openssl-dev to install the tools for building.
  3. cd to the uncompressed folder (in this case osslsigncode-2.5).
  4. mkdir build && cd build && cmake -S ..
  5. You'll find yourself in the osslsigncode-2.5/build folder.
  6. Run cmake --build . (not sure if this step is necessary).
  7. Run sudo cmake --install .
  8. You'll find an extra file named osslsigncode in the same folder.
  9. Delete the old version of osslsigncode if you have any by running sudo apt remove osslsigncode.
  10. Move that osslsigncode file from step 8 into /usr/bin; now you can run osslsigncode anywhere on the computer.
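
The same from-source procedure as one script, added here as an example and not shipped by osslsigncode. It pulls GitHub's auto-generated source archive for a release tag (which extracts to osslsigncode-<version>), configures an out-of-tree build with CMake as README.md describes, and installs under CMake's default prefix. The apt package names in the error message are the ones from the step list above; the build directory name and the use of sudo for the install step are assumptions.

```shell
#!/bin/sh
# Added example for this issue thread, not a script from the osslsigncode
# project. Builds a tagged release with CMake and installs it.
set -e

# GitHub's source archive for a tag (assumed URL form for the tag archive,
# not the hand-uploaded release asset); the extracted directory is
# osslsigncode-<version>, matching the folder named in the steps above.
source_url() { echo "https://github.com/mtrojnar/osslsigncode/archive/refs/tags/$1.tar.gz"; }
source_dir() { echo "osslsigncode-$1"; }

# Fail before downloading anything if a build tool is missing. Header
# packages (libssl-dev, libcurl4-openssl-dev) are only detected later by
# cmake, so the hint lists them too.
require_tools() {
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool (try: sudo apt install cmake libssl-dev libcurl4-openssl-dev)" >&2
            return 1
        fi
    done
}

build_and_install() {
    version=$1
    workdir=$(mktemp -d)
    require_tools curl tar cmake cc
    curl -fsSL "$(source_url "$version")" | tar -xz -C "$workdir"
    cd "$workdir/$(source_dir "$version")"
    cmake -S . -B build          # configure; same as mkdir build && cd build && cmake -S ..
    cmake --build build          # compile; this step is required, it produces the binary
    sudo cmake --install build   # installs into the prefix, /usr/local/bin by default
    osslsigncode --version       # confirm the binary now on PATH is the new one
}

# Usage: sh build-osslsigncode.sh 2.5
if [ $# -gt 0 ]; then
    build_and_install "$1"
fi
```

Two points the step list leaves open: cmake --build is the compile step and cannot be skipped, and cmake --install already places the binary under the install prefix (/usr/local by default), so copying it into /usr/bin by hand is normally unnecessary; run hash -r or open a new shell if the old apt-installed path is still cached.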