Closed AlexanderVerner closed 1 year ago
We were just testing with Venafi/Safenet Luna HSM and it worked without specifying the engine. We'd get the same errors if trying to add that parameter.
But then I have: Failed to find and load 'pkcs11' engine
What about:
osslsigncode sign -verbose -pkcs11module /usr/local/lib/libeToken.dylib -h sha256 -n NAME -certs ~/cert.pem -key 111111 -pass 111111 -in ~/dist/electron/App.exe -out ~/dist/electron/App.signed.exe
, i.e., without the -pkcs11engine parameter? You appear to have installed the default pkcs11 engine in your OpenSSL's default location. There is no need to override the path. This may break things instead of helping.
There is a chance that you have more than one OpenSSL installed, and your osslsigncode is compiled and linked against a version of OpenSSL other than the one configured to look for its engines in /usr/local/mac-dev/lib/engines-1.1/.
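One way to test for the situation described in the comment above (an added example, not part of the thread or of osslsigncode): compare the OpenSSL ABI in an engine directory name (`engines-1.1`, `engines-3`) with the libcrypto a binary is dynamically linked against, as listed by `ldd` or `otool -L`. The function names are hypothetical, and the script assumes the stock OpenSSL naming for engine directories and libcrypto files.

```shell
#!/bin/sh
# Added example (not from the thread): does an engine path belong to the same
# OpenSSL ABI as the libcrypto a binary is dynamically linked against?

# ".../engines-1.1/pkcs11.dylib" -> "1.1"; ".../engines-3/pkcs11.so" -> "3"
engine_abi_from_path() {
    printf '%s\n' "$1" | sed -n 's|.*/engines-\([0-9][0-9.]*\)/.*|\1|p'
}

# Reads `ldd` or `otool -L` output on stdin, prints the libcrypto ABI version
# (libcrypto.so.3 / libcrypto.1.1.dylib -> "3" / "1.1").
libcrypto_abi_from_listing() {
    sed -n -e 's|.*libcrypto\.so\.\([0-9][0-9.]*\).*|\1|p' \
           -e 's|.*libcrypto\.\([0-9][0-9.]*\)\.dylib.*|\1|p' | head -n 1
}

# $1 = engine path, $2 = linker listing text.
# Exit status: 0 match, 1 mismatch, 2 could not determine (e.g. static link).
check_engine_matches_binary() {
    eng=$(engine_abi_from_path "$1")
    lib=$(printf '%s\n' "$2" | libcrypto_abi_from_listing)
    if [ -z "$eng" ] || [ -z "$lib" ]; then
        echo "UNKNOWN engine=${eng:-?} libcrypto=${lib:-?}"
        return 2
    fi
    if [ "$eng" = "$lib" ]; then
        echo "OK engine=$eng libcrypto=$lib"
        return 0
    fi
    echo "MISMATCH engine=$eng libcrypto=$lib"
    return 1
}

# Dynamic library listing for a binary on macOS (otool) or Linux (ldd).
linked_libs() {
    case "$(uname -s)" in
        Darwin) otool -L "$1" ;;
        *)      ldd "$1" ;;
    esac
}

# Live use: sh check.sh <engine-path> <binary>, e.g. the osslsigncode binary.
if [ "$#" -eq 2 ]; then
    check_engine_matches_binary "$1" "$(linked_libs "$2")"
fi
```

`openssl version -e` prints the ENGINESDIR of whichever `openssl` is first on the PATH, which may not be the library osslsigncode is linked against.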
@AlexanderVerner, speaking to how I've gotten this to work myself, it required:
For managing custom/patched versions of software you don't want installed systemwide or used except in the context of a specific process, I strongly recommend the package manager Nix. (I use it in favor of MacPorts/Homebrew anyhow regardless, but the above scenario is something that plays very much to its strengths).
Mixing OpenSSL versions breaks things indeed. I'm glad you got it fixed.
I only had OpenSSL 3. But removing the engine fixed it for me too. Even setting it to 'pkcs11' didn't work. So... this does very much feel like a bug, it took me ages to figure that out. (Especially since the DigiCert docs are actively writing lots of wrong things)
Building a consistent osslsigncode environment from scratch tends to be quite complex. For example, for a 64-bit osslsigncode built with OpenSSL 3.x you need a 64-bit pkcs11 engine built with OpenSSL 3.x, a 64-bit pkcs11 module compatible with your hardware and operating system, and 64-bit libcurl built either with OpenSSL 3.x or with another TLS library. On macOS, the problem usually boils down to libraries being built with different versions of OpenSSL.
I intend to remove the need for libcurl with OpenSSL 3.0 and higher to remove at least one dependency.
The solution I use is deploying an Ubuntu VM on a VirtualBox guest instead of trying to get all of the software installed on a platform with inconsistent OpenSSL versions.
I might have been unclear, this is indeed on Ubuntu, not Mac like OP. Where it is usually very strict with dynamic libraries, so you only need to update one package to fix all of them.
Maybe osslsigncode could additionally give a hint about trying without -pkcs11engine if it gets a crash like this? :shrug: It just feels very weird and unexpected to me.
I initially tried with the one in the Ubuntu repos, maybe that'd have worked without the engine too, I didn't yet know about this trick then, but I eventually got it working with a manually compiled osslsigncode. :)
I have a similar error message on Ubuntu 22.04 LTS.
The pkcs11 engine is apparently a package libengine-pkcs11-openssl that I had to install manually. Then the engine could be loaded.
Hello!
I am following this guide, and for the last several days I have been trying to sign a binary file with a GlobalSign token on Mac for the Windows platform, and I get a strange error:
Failed to set 'dynamic' engine
0086741501000000:error:1280006C:DSO support routines:DSO_load:functionality not supported:crypto/dso/dso_lib.c:148:
0086741501000000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:442:
Failed
Command
osslsigncode sign -verbose -pkcs11engine /usr/local/mac-dev/lib/engines-1.1/pkcs11.dylib -pkcs11module /usr/local/lib/libeToken.dylib -h sha256 -n NAME -certs ~/cert.pem -key 111111 -pass 111111 -in ~/dist/electron/App.exe -out ~/dist/electron/App.signed.exe
Content in /usr/local/mac-dev/lib/engines-1.1/:
-rwxr-xr-x 1 runner wheel 16536 29 dec 18:50 capi.dylib
lrwxr-xr-x 1 runner wheel 12 29 dec 19:01 libpkcs11.dylib -> pkcs11.dylib
-rwxr-xr-x 1 runner wheel 53888 29 dec 18:50 padlock.dylib
-rwxr-xr-x 1 runner wheel 137224 29 dec 19:01 pkcs11.dylib
-rwxr-xr-x 1 runner wheel 981 29 dec 19:01 pkcs11.la
Content in /usr/local/lib/:
lrwxr-xr-x 1 root admin 69 27 dec 18:17 libeTPkcs11.dylib -> /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
lrwxr-xr-x 1 root admin 69 27 dec 18:17 libeToken.dylib -> /Library/Frameworks/eToken.framework/Versions/Current/libeToken.dylib
I saw a neighboring issue where a similar question was raised, but I already have openssl installed. Am I forgetting something? I don't know where to look next.