Closed AllinCottrell closed 6 months ago
A little more info. I'm on Arch Linux, with libp11 and libeToken.so from SafeNet installed, running current osslsigncode from git, with the sectigo USB device inserted. But I don't know how to fill out the -pkcs11module and -pkcs11cert fields in the osslsigncode command.
OK, in case it helps anyone else, here's what it took to get my IDPrime smartcard from Sectigo working on Arch. I can't swear that every point is necessary, but they're jointly sufficient.
1) Install software: libp11 and ccid, via pacman
2) Install software: sac-core and sac-gui via AUR
3) start services:
   systemctl start pcscd.service
   systemctl status pcscd.socket
   systemctl start safenetauthenticationclient.service
4) Using SACTools, Export cert as sectigo.cer: see Advanced/Tokens/name/User certificates/name and right-click.
5) Apply patch to current osslsigncode from git -- see https://github.com/mtrojnar/osslsigncode/issues/316 -- then rebuild and install (unpatched osslsigncode segfaults).
6) Then my signing command looks like the following:
osslsigncode sign \
-pkcs11engine /usr/lib/engines-3/pkcs11.so \
-pkcs11module /usr/lib/pkcs11/libeToken.so \
-certs sectigo.cer \
-key 'pkcs11:token=<Token name>;type=private' \
-readpass pass.txt \
-t http://timestamp.sectigo.com?td=sha256 \
-in unsigned.exe -out signed.exe
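The steps above, wrapped in a small POSIX shell script (an added example, not code from the issue or from the osslsigncode project): it checks the inputs before the token is touched, refuses a world-readable PIN file, runs the same signing command, and then runs `osslsigncode verify` on the output. The engine and module paths are assumed to be the Arch paths quoted in the comment, and `stat -c %a` assumes GNU coreutils.

```shell
#!/bin/sh
# Sign a PE file with a PKCS#11 token via osslsigncode, then verify the result.
# Paths below match the comment above (Arch Linux); adjust for other distributions.
set -eu

PKCS11_ENGINE=/usr/lib/engines-3/pkcs11.so
PKCS11_MODULE=/usr/lib/pkcs11/libeToken.so
TSA_URL='http://timestamp.sectigo.com?td=sha256'

# preflight CERT PASSFILE MODULE: fail early, before the token is opened,
# on a missing module, a missing/empty cert or PIN file, or a PIN file
# that other local users could read. Returns 1 on the first problem found.
preflight() {
    cert=$1; passfile=$2; module=$3
    [ -f "$module" ]   || { echo "PKCS#11 module not found: $module" >&2; return 1; }
    [ -s "$cert" ]     || { echo "certificate file missing or empty: $cert" >&2; return 1; }
    [ -s "$passfile" ] || { echo "PIN file missing or empty: $passfile" >&2; return 1; }
    case $(stat -c %a "$passfile") in   # GNU stat: octal mode bits
        600|400) ;;
        *) echo "PIN file $passfile must be mode 600 (or 400)" >&2; return 1 ;;
    esac
    return 0
}

# sign_and_verify IN OUT CERT PASSFILE TOKEN_NAME
# TOKEN_NAME is the token label shown by SACTools (the <Token name> above).
sign_and_verify() {
    in=$1; out=$2; cert=$3; passfile=$4; token=$5
    preflight "$cert" "$passfile" "$PKCS11_MODULE"
    # pcscd must be running for the CCID reader (and thus the token) to be visible.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet pcscd.service || { echo "pcscd.service is not running" >&2; return 1; }
    fi
    osslsigncode sign \
        -pkcs11engine "$PKCS11_ENGINE" \
        -pkcs11module "$PKCS11_MODULE" \
        -certs "$cert" \
        -key "pkcs11:token=${token};type=private" \
        -readpass "$passfile" \
        -t "$TSA_URL" \
        -in "$in" -out "$out"
    # Independent check that the output carries a valid Authenticode signature.
    osslsigncode verify -in "$out"
}

# Usage: ./sign.sh unsigned.exe signed.exe sectigo.cer pass.txt '<Token name>'
if [ $# -eq 5 ]; then
    sign_and_verify "$@"
fi
```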
I've been using osslsigncode for two years with no problems, and with gratitude, to sign a Windows installer on Linux -- thank you!
Now, on renewing my sectigo code-signing certificate, which was due to expire in January 2024, I find myself dumped into the confusing world of "eTokens": instead of getting a digital object from which I can extract both a certificate and a private key, I've got a little USB thingy which hides the private key.
I'd really appreciate a "dummy's guide" to using this thingy with osslsigncode. I tried to modify the example given on the website for use with SoftHSM but -- not surprisingly, since I didn't really understand what I was doing -- my hack didn't work.