mtrojnar / osslsigncode

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Signing EV with SafeNet eToken 5100/5110 #218

Closed AlexanderVerner closed 1 year ago

AlexanderVerner commented 1 year ago

Hello!

I followed this guide, and for the last several days I have been trying to sign a binary file with a GlobalSign token on a Mac for the Windows platform, and I get a strange error:

Failed to set 'dynamic' engine
0086741501000000:error:1280006C:DSO support routines:DSO_load:functionality not supported:crypto/dso/dso_lib.c:148:
0086741501000000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:442:
Failed

Command:

osslsigncode sign -verbose -pkcs11engine /usr/local/mac-dev/lib/engines-1.1/pkcs11.dylib -pkcs11module /usr/local/lib/libeToken.dylib -h sha256 -n NAME -certs ~/cert.pem -key 111111 -pass 111111 -in ~/dist/electron/App.exe -out ~/dist/electron/App.signed.exe

Content in /usr/local/mac-dev/lib/engines-1.1/:

-rwxr-xr-x 1 runner wheel  16536 29 dec 18:50 capi.dylib
lrwxr-xr-x 1 runner wheel     12 29 dec 19:01 libpkcs11.dylib -> pkcs11.dylib
-rwxr-xr-x 1 runner wheel  53888 29 dec 18:50 padlock.dylib
-rwxr-xr-x 1 runner wheel 137224 29 dec 19:01 pkcs11.dylib
-rwxr-xr-x 1 runner wheel    981 29 dec 19:01 pkcs11.la

Content in /usr/local/lib/:

lrwxr-xr-x 1 root admin 69 27 dec 18:17 libeTPkcs11.dylib -> /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
lrwxr-xr-x 1 root admin 69 27 dec 18:17 libeToken.dylib -> /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib

I saw a neighboring issue where a similar question was raised, but I already have openssl installed. Am I forgetting something? I don't know where to look next.

AlexBB77 commented 1 year ago

We were just testing with Venafi/Safenet Luna HSM and worked without specifying the engine. We'd get the same errors if trying to add that parameter.

AlexanderVerner commented 1 year ago

But then I get: Failed to find and load 'pkcs11' engine

mtrojnar commented 1 year ago

What about:

osslsigncode sign -verbose -pkcs11module /usr/local/lib/libeToken.dylib -h sha256 -n NAME -certs ~/cert.pem -key 111111 -pass 111111 -in ~/dist/electron/App.exe -out ~/dist/electron/App.signed.exe

, i.e., without the -pkcs11engine parameter? You appear to have installed the default pkcs11 engine in your OpenSSL's default location. There is no need to override the path. This may break things instead of helping.

mtrojnar commented 1 year ago

There is a chance that you have more than one OpenSSL installed, and your osslsigncode is compiled and linked against a version of OpenSSL other than the one configured to look for its engines in /usr/local/mac-dev/lib/engines-1.1/.

charles-dyfis-net commented 1 year ago

@AlexanderVerner, speaking to how I've gotten this to work myself, it required:

For managing custom/patched versions of software you don't want installed systemwide or used except in the context of a specific process, I strongly recommend the package manager Nix. (I use it in favor of Macports/Homebrew anyhow regardless, but the above scenario is something that plays very much to its strengths).

mtrojnar commented 1 year ago

Mixing OpenSSL versions breaks things indeed. I'm glad you got it fixed.

odinho commented 11 months ago

I only had OpenSSL 3. But removing the engine fixed it for me too. Even setting it to 'pkcs11' didn't work. So... this does very much feel like a bug; it took me ages to figure that out. (Especially since the DigiCert docs are actively writing lots of wrong things.)

mtrojnar commented 11 months ago

Building a consistent osslsigncode environment from scratch tends to be quite complex. For example, for a 64-bit osslsigncode built with OpenSSL 3.x you need a 64-bit pkcs11 engine built with OpenSSL 3.x, a 64-bit pkcs11 module compatible with your hardware and operating system, and a 64-bit libcurl built either with OpenSSL 3.x or with another TLS library. On macOS, the problem usually boils down to libraries being built with different versions of OpenSSL.

I intend to remove the need for libcurl with OpenSSL 3.0 and higher to remove at least one dependency.

The solution I use is deploying an Ubuntu VM as a VirtualBox guest instead of trying to get all of the software installed on a platform with inconsistent OpenSSL versions.

odinho commented 11 months ago

I might have been unclear: this is indeed on Ubuntu, not a Mac like the OP. It is usually very strict with dynamic libraries, so you only need to update one package to fix all of them.

Maybe osslsigncode could additionally give a hint about trying without -pkcs11engine if it gets a crash like this? :shrug: It just feels very weird and unexpected to me.

I initially tried with the one in the Ubuntu repos; maybe that would have worked without the engine too, but I didn't know about this trick then. I eventually got it working with a manually compiled osslsigncode. :)

jakob-ledermann commented 6 months ago

I have a similar error message on Ubuntu 22.04 LTS. The pkcs11 engine is apparently a package, libengine-pkcs11-openssl, that I had to install manually. Then the engine could be loaded.
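The two failure modes discussed in this thread (mtrojnar's diagnosis that osslsigncode is linked against a different OpenSSL than the one whose engines directory holds pkcs11, and jakob-ledermann's note that the engine package simply was not installed) can be checked before running a signing command. The following POSIX shell script is an added example written for this page; it is not part of osslsigncode or of any comment above. It parses `openssl version -e` for ENGINESDIR, tests whether `openssl engine -t pkcs11` loads from that directory, and compares the OpenSSL generation in the `ldd`/`otool -L` output of the osslsigncode binary against the ENGINESDIR suffix. All sample paths, library names and linkage listings in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic script, not part of osslsigncode. It checks the two things
# this thread turns on: (1) whether the OpenSSL on PATH loads a pkcs11 engine
# from its own ENGINESDIR, so -pkcs11engine can be dropped, and (2) whether the
# osslsigncode binary links against the same OpenSSL generation as that
# ENGINESDIR. All sample paths and library names below are constructed.

# Pull the ENGINESDIR path out of `openssl version -e` output, e.g.
#   ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
engines_dir_from_version_output() {
    printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# Version suffix of an engines directory: .../engines-1.1 -> 1.1, .../engines-3 -> 3
engines_dir_version() {
    printf '%s\n' "$1" | sed -E 's#.*/engines-##'
}

# 0 if the path passed to -pkcs11engine lies inside ENGINESDIR (the override is
# redundant), 1 if it points somewhere else (typically a second OpenSSL's engine).
engine_path_in_dir() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Every libcrypto/libssl token in `ldd` (Linux) or `otool -L` (macOS) output.
crypto_libs_from_linkage() {
    printf '%s\n' "$1" | grep -oE '[^[:space:]]*lib(crypto|ssl)[^[:space:]]*' | sort -u
}

# Map one library filename to its OpenSSL generation:
#   libcrypto.so.1.1 -> 1.1    /usr/lib/libssl.so.3 -> 3    libcrypto.3.dylib -> 3
openssl_version_token() {
    printf '%s\n' "$1" | sed -E -e 's#.*/##' -e 's/^lib(crypto|ssl)//' \
        -e 's/^\.so//' -e 's/\.dylib$//' -e 's/^\.//'
}

# Sorted, de-duplicated OpenSSL generations a binary links against.
distinct_openssl_versions() {
    crypto_libs_from_linkage "$1" | while IFS= read -r lib; do
        openssl_version_token "$lib"
    done | awk 'NF' | sort -u
}

# 0 if every linked OpenSSL generation equals the ENGINESDIR generation
# (a statically linked binary with no libcrypto lines also passes), 1 otherwise.
linkage_matches_engines_dir() {
    want=$(engines_dir_version "$2")
    for v in $(distinct_openssl_versions "$1"); do
        [ "$v" = "$want" ] || return 1
    done
    return 0
}

# Constructed ldd-style output: libssl/libcrypto from 3.x, plus a libcurl that
# drags in a second libcrypto from 1.1 (the mix mtrojnar describes above).
SAMPLE_MIXED_LINKAGE='    libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f0a1c000000)
    libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a1b000000)
    libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0x00007f0a1a000000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f0a19000000)'
# Constructed otool -L output for a binary consistently built against 3.x.
SAMPLE_CLEAN_LINKAGE='    /usr/local/opt/openssl@3/lib/libssl.3.dylib (compatibility version 3.0.0, current version 3.0.0)
    /usr/local/opt/openssl@3/lib/libcrypto.3.dylib (compatibility version 3.0.0, current version 3.0.0)'

# Run against the real toolchain when openssl is on PATH; otherwise a no-op.
live_check() {
    ver_out=$(openssl version -e 2>/dev/null) || return 0
    dir=$(engines_dir_from_version_output "$ver_out")
    echo "ENGINESDIR: ${dir:-(none reported)}"
    if openssl engine -t pkcs11 2>/dev/null | grep -q '\[ available \]'; then
        echo "pkcs11 engine loads from ENGINESDIR: run osslsigncode without -pkcs11engine"
    else
        echo "pkcs11 engine not loadable: install the libp11 engine for THIS OpenSSL (Ubuntu: libengine-pkcs11-openssl)"
    fi
    bin=$(command -v osslsigncode 2>/dev/null) || return 0
    link=""
    if command -v otool >/dev/null 2>&1; then link=$(otool -L "$bin" 2>/dev/null) || link=""
    elif command -v ldd >/dev/null 2>&1; then link=$(ldd "$bin" 2>/dev/null) || link=""
    fi
    [ -n "$link" ] && [ -n "$dir" ] || return 0
    if linkage_matches_engines_dir "$link" "$dir"; then
        echo "osslsigncode links against OpenSSL $(engines_dir_version "$dir"), matching ENGINESDIR"
    else
        echo "MISMATCH: osslsigncode links against OpenSSL $(distinct_openssl_versions "$link" | tr '\n' ' ')but ENGINESDIR is for $(engines_dir_version "$dir")"
    fi
}

if command -v openssl >/dev/null 2>&1; then live_check; fi
```

Run it as `sh check_openssl_consistency.sh` on the signing host (the file name is an assumption). A MISMATCH line means the engine directory belongs to a different OpenSSL than the one osslsigncode was linked against, which is exactly the situation in which pointing -pkcs11engine at another install's pkcs11.dylib produces the DSO_load/dynamic_load errors from the first comment; the fix is a consistent build, not a path override.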