Closed Niaxor closed 7 months ago
It would be convenient if it were possible to specify only -in without -out, so that the result would be in the same file. Or possibility to specify the same file in -in and -out.
@olszomal Can you take a look? While refusing of in-place signing attempts is the intended behavior, removing the content of input file looks like a regression of a bug we fixed a long time ago.
Usage: ./osslsigncode [ sign ] (...)
[ -in ] <infile> [-out ] <outfile>
osslsigncode
opens the input file for reading, and the output file for writing. It would overwrite its own input if the same file is was used for input and output.
The workaround is either to:
Correct me if I'm wrong but won't deleting the output file just result in a missing input file and still a super confused user?
As far as I'm concerned the issue here is two-fold:
I think currently both of these issues will still be present.
A dedicated error message and then early exit of signing attempt would be much better imo
Here is a dedicated error message:
./osslsigncode sign -in file.exe -out file.exe (...)
Failed to create file: Testing/files/file.exe
My bad! I may have taken the pr name at face value.
I'll test the PR tomorrow - thanks for addressing this issue ❤️
@Niaxor Please include your operating system version and your command line for executing osslsigncode.
Windows 10 - Build 19045.3570
osslsigncode sign -pkcs11engine "<pkcs11_engine_path>" -pkcs11module "<pkcs11_module_path>" -pass "<passcode>" -key "<pkcs11_key_uri>" -certs "<path_to_cert>" -in "Input.exe" -out "Input.exe"
Just confirming I tested with Cygwin and Powershell and it is consistently reproducible. No graceful handling of the error, always results in a 0Kb input/output file, same error.
You’re right, my mistake, I’m correcting it now. PR #315
It seems that osslsigncode doesn't support setting your input file as the same as the output file (to overwrite the input file).
However, this seems to be handled ungracefully, it results in the error:
Unrecognized file type - file is too short: <input file.exe>
and leaves the input/output file as a 0kb file.Support for overwriting the input file is a pretty handy feature since signing an executable is generally one step amongst many others as part of a build pipeline, but at the least if support is not intended I feel there should be a dedicated error message, as this may confuse some.