Closed westyles closed 10 months ago
2 indexes work, thanks.
If you add a third index, it breaks the second index:
osslsigncode sign -nest
The first and third work, but the second is broken.
This was detected during testing, but overall the result is good.
Both tests pass with two signatures:
signtool verify /v /pa
signtool verify /v /kp
I tested several signatures on the same certificates.
Please elaborate on what you mean by including the full verification result.
del /f /q vfd_*.sys
:: Index: 0 (Good):
osslsigncode sign -in vfd.sys -out vfd_2.sys -h sha1 -time 1420059600 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -in vfd_2.sys -out vfd_3.sys -h sha1 -TSA-time 1420059600 -TSA-certs My-TSA1.crt -TSA-key My-TSA.key
:: Index: 1 (Good):
osslsigncode sign -nest -in vfd_3.sys -out vfd_4.sys -h sha256 -time 1420059601 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_4.sys -out vfd_5.sys -h sha256 -TSA-time 1420059601 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
:: Index: 2 (remove/replace index: 1 timestamp):
osslsigncode sign -nest -in vfd_5.sys -out vfd_6.sys -h sha256 -time 1420059602 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
More precisely, it (Index: 2) seems to remove the timestamp from the Index: 1 signature.
I replicate this test:
osslsigncode sign -in unsigned.exe -out signed.exe -h sha1 -time 1556668800 -cert cert.pem -key key.pem
osslsigncode add -in signed.exe -out signed1.exe -h sha1 -TSA-time 1556668800 -TSA-certs TSA.pem -TSA-key TSA.key
osslsigncode sign -nest -in signed1.exe -out nested.exe -h sha256 -time 1556668801 -certs cert.pem -key key.pem
osslsigncode add -index 1 -in nested.exe -out nested1.exe -h sha256 -TSA-time 1556668801 -TSA-certs TSA.pem -TSA-key TSA.key
osslsigncode sign -nest -in nested1.exe -out nested2.exe -h sha384 -time 1556668802 -certs cert.pem -key key.pem
signtool verify /pa /all /v nested2.exe
Verifying: nested2.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
The signature is timestamped: Wed May 01 01:00:00 2019
Timestamp Verified by:
Issued to: TSA Root CA
Issued by: TSA Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: DEBD6225D592A1539E6867EDDF44C22E653D07CF
Issued to: Test TSA
Issued by: TSA Root CA
Expires: Sat Jan 01 01:00:00 2028
SHA1 hash: 2FB7A7E4667666BDE2B3CB570FF1984FC9DCE582
Signature Index: 1
Hash of file (sha384): 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
File is not timestamped.
Signature Index: 2
Hash of file (sha256): 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
The signature is timestamped: Wed May 01 01:00:01 2019
Timestamp Verified by:
Issued to: TSA Root CA
Issued by: TSA Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: DEBD6225D592A1539E6867EDDF44C22E653D07CF
Issued to: Test TSA
Issued by: TSA Root CA
Expires: Sat Jan 01 01:00:00 2028
SHA1 hash: 2FB7A7E4667666BDE2B3CB570FF1984FC9DCE582
Successfully verified: nested2.exe
Number of signatures successfully Verified: 3
Number of warnings: 0
Number of errors: 0
osslsigncode verify -in nested2.exe -CAfile CACert.pem -TSA-CAfile TSACA.pem
PE checksum : 0001BE6C
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA1
Current message digest : 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Calculated message digest : 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA1
Authenticated attributes:
Signing time: May 1 00:00:00 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: E14161E0290DCC17B55D9F43CE188FB830AE3F3E
Countersignatures:
Timestamp time: May 1 00:00:00 2019 GMT
Signing time: Jan 25 09:22:28 2024 GMT
Hash Algorithm: sha1
Issuer: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial: 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 7F675FF6501C92E071B004FB524B494E91FC1F71
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority/CN=Test TSA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2028 GMT
TSA's CRL distribution point: http://127.0.0.1:19254/TSACA
Connecting to http://127.0.0.1:19254/TSACA
CURL failure: Couldn't connect to server http://127.0.0.1:19254/TSACA
Warning: Faild to get CRL from http://127.0.0.1:19254/TSACA
Use the "-TSA-CRLfile" option to add one or more Time-Stamp Authority CRLs in PEM format.
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Signature Index: 1
Message digest algorithm : SHA384
Current message digest : 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Calculated message digest : 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA384
Authenticated attributes:
Sequence number: 2
Signing time: May 1 00:00:02 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: 7D5318A1023C1BE56BCFB84F491638DF3C4CFA098DFAF4B4F4F6EF7FFE0C397034C4B6680D7211ED1808E61BF6CB07F2
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Timestamp is not available
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Signature Index: 2
Message digest algorithm : SHA256
Current message digest : 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Calculated message digest : 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA256
Authenticated attributes:
Sequence number: 1
Signing time: May 1 00:00:01 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: ED2CF03C79C03BCB691002A2E8314493D97302AC6C90D8A472CB1D24B5AB364B
Countersignatures:
Timestamp time: May 1 00:00:01 2019 GMT
Signing time: Jan 25 09:22:57 2024 GMT
Hash Algorithm: sha256
Issuer: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial: 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 7F675FF6501C92E071B004FB524B494E91FC1F71
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority/CN=Test TSA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2028 GMT
TSA's CRL distribution point: http://127.0.0.1:19254/TSACA
Connecting to http://127.0.0.1:19254/TSACA
CURL failure: Couldn't connect to server http://127.0.0.1:19254/TSACA
Warning: Faild to get CRL from http://127.0.0.1:19254/TSACA
Use the "-TSA-CRLfile" option to add one or more Time-Stamp Authority CRLs in PEM format.
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Number of verified signatures: 3
Succeeded
Everything works as expected.
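A small checker for the symptom discussed in this thread, added here as an example and not part of osslsigncode or of either poster's scripts: it parses the per-index blocks of `osslsigncode verify` output (a constructed sample is embedded, not the real output above), lists indexes that have no timestamp or a digest mismatch, and models the display order the thread observed after repeated `sign -nest` runs.

```python
import re
# Constructed excerpt shaped like `osslsigncode verify` output (digests are
# placeholders, not the thread's values). Index 1 has lost its timestamp and
# index 2 has a digest mismatch, so each check below has something to flag.
SAMPLE_VERIFY_OUTPUT = """\
Signature Index: 0 (Primary Signature)
Current message digest    : AA11
Calculated message digest : AA11
Countersignatures:
    Timestamp time: May  1 00:00:00 2019 GMT
Signature verification: ok
Signature Index: 1
Current message digest    : BB22
Calculated message digest : BB22
Timestamp is not available
Signature verification: ok
Signature Index: 2
Current message digest    : CC33
Calculated message digest : CC44
Countersignatures:
    Timestamp time: May  1 00:00:01 2019 GMT
Signature verification: failed
"""

def parse_verify_output(text):
    """One record per 'Signature Index' block of osslsigncode verify output."""
    sigs = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Signature Index:"):
            sigs.append({"index": int(line.split()[2]), "timestamped": False,
                         "verified": False, "current": None, "calculated": None})
        elif line.startswith("Timestamp time:"):
            sigs[-1]["timestamped"] = True
        elif line.startswith("Signature verification:"):
            sigs[-1]["verified"] = line.endswith(": ok")
        elif m := re.match(r"(Current|Calculated) message digest\s*:\s*(\S+)", line):
            sigs[-1][m.group(1).lower()] = m.group(2)
    return sigs

def untimestamped(sigs):
    """Indexes with no RFC 3161 countersignature (the symptom the thread reports)."""
    return [s["index"] for s in sigs if not s["timestamped"]]

def digest_mismatches(sigs):
    """Indexes whose stored digest differs from the one recomputed over the file."""
    return [s["index"] for s in sigs if s["current"] != s["calculated"]]

def display_order(nested_count):
    """Order after nested_count `sign -nest` runs, per the thread: 0 > 0,1 > 0,2,1 > 0,3,2,1."""
    return [0] + list(range(nested_count, 0, -1))
```

Because the newest nested signature is always shown at index 1, `add -index 1` after each `sign -nest` reaches the signature just added, which is the behaviour both posters converge on below.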
I understood that after adding 3 signatures ("2 indexes" as sha384), the program swaps indexes 1 and 2: 0 > 0,1 > 0,2,1. So if you specify -index 1 again for the timestamp after "2 index", the timestamp will be set to the new "1 index", which should be the "2 index". And all three indexes will be working! (2 times add -index 1):
del /f /q vfd_*.sys
:: Index: 0 (Good):
osslsigncode sign -in vfd.sys -out vfd_2.sys -h sha1 -time 1420059600 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -in vfd_2.sys -out vfd_3.sys -h sha1 -TSA-time 1420059600 -TSA-certs My-TSA1.crt -TSA-key My-TSA.key
:: Index: 1 (Good):
osslsigncode sign -nest -in vfd_3.sys -out vfd_4.sys -h sha256 -time 1420059601 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_4.sys -out vfd_5.sys -h sha256 -TSA-time 1420059601 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
:: Index: 2 (this -nest adds to Index: 1; swaps index: 1 to index: 2):
osslsigncode sign -nest -in vfd_5.sys -out vfd_6.sys -h sha384 -time 1420059602 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_6.sys -out vfd_7.sys -h sha384 -TSA-time 1420059602 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
That is, the problem is sorting the indexes when -nest is added a second time.
Unfortunately, the problem is caused by signtool in your case. It does not preserve the order of displayed signatures from the signed file. Consequently, there is no guarantee about the index of the newly added signature. We try to mimic this behavior in osslsigncode. Please let us know if you find osslsigncode displaying signatures in an order different from signtool.
I haven't used signtool now; I saw it in the parameters of the file after the osslsigncode commands above. I added sha384 with the third action. https://i.imgur.com/Uy9XbFY.png I'll try to do 3 signatures via signtool, probably tomorrow. It's easy to get confused and misinterpret what you see. But in principle the signatures should be added in order, 0 > 0,1 > 0,1,2 etc.
Checked signtool, an example of how I tried it:
signtool sign /debug /fd SHA1 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /t "http://......" "vfd2.sys"
signtool sign /as /debug /fd SHA256 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
signtool sign /as /debug /fd SHA384 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
signtool sign /as /debug /fd SHA512 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
Result: https://i.imgur.com/exwfO6g.png
Right, signtool has the same principle of adding signatures: 0 > 0,1 > 0,2,1 > 0,3,2,1. It's not logical, but it's true. This method has a nice advantage: you don't have to figure out which index to put the timestamp in, and the command is always the same when adding a new signature and timestamp. So you have done everything correctly by repeating the actions of signtool. Well done :) Then everything's fine. I didn't know about this specificity of multiple signatures. I usually check everything several times to confirm. I apologize for interrupting. If I see anything, I'll create an issue.
I'm glad you like it. Thank you for testing.
Hello. There is no way to sign the second signature with a built-in TSA timestamp as a separate operation. For example, add the "-nest" parameter for "add".
This is what I mean:
Or you can add a parameter to specify the certificate index number, as is done with signtool.exe. For example: -n 2, if it is not difficult or is more convenient to do this.
It is possible to make both options work at once, to be used according to the situation: either the program determines the index itself, or it uses the specified index.