Osslsigncode

osslsigncode is a platform-independent tool for signing Windows .msi, .exe, .dll, .sys, .cab and .cat files. It implements Authenticode signing, similar to the Windows signtool.exe. Signing takes two inputs: a file with the key material and a file with its certificate. With CORE, the key file is the obfuscated private-key PEM exported from the partition (see Setup), which osslsigncode uses through the CORE OpenSSL engine; the certificate is an ordinary PEM file.

osslsigncode sign \
-certs certificate.pem \
-key key.pem \
-in <file> \
-out <file> \
-t http://timestamp.digicert.com

For further description and examples, see Osslsigncode.

This section specifies:

  • Integration of osslsigncode with CORE on RHEL platforms.
  • Preparation of the CORE objects and the corresponding files for use by the osslsigncode.

Prerequisites

On a server designated to run osslsigncode:

  1. Install osslsigncode (see the Appendix: Install Osslsigncode on RHEL 8 or Build Osslsigncode for RHEL 7).
  2. Install the CORE client.
  3. Register the client with the CORE partition designated to store the signing keys and their certificates.
  4. Make sure OpenSSL 1.0.2 or 1.1.x is installed; both the CORE OpenSSL engine and osslsigncode use it.

Setup

  1. Integrate the CORE OpenSSL Engine with OpenSSL. See OpenSSL Engine Configuration on Linux.
  2. Verify the integration:

    openssl genrsa -out test.pem
    cat test.pem

    The output should show a CORE obfuscated key file rather than a plaintext RSA private key; that confirms the engine generated the key in CORE. See Obfuscated Private Key PEM File.

  3. Verify the osslsigncode setup. Create a key and a self-signed certificate, and sign an .msi file:
    1. Generate a private RSA key (rsa4sign) for signing (--purpose S):

      ucl generate -t rsa --name rsa4sign --purpose S

    2. Export its private key as a PEM obfuscated file (rsa4sign.key). See Export Obfuscated Private Key:

      ucl export --name rsa4sign -o rsa4sign.key --obfuscate

    3. Generate a self-signed certificate for the key and export it as a PEM file (rsa4sign.cer). See ucl self-sign:

      ucl self-sign -n rsa4sign --subject "CN=Test" --days 365 -o rsa4sign.cer -f PEM

    4. Obtain an .msi file (for example, Win32OpenSSL_Light-1_1_1j.msi) and sign it. This test signature carries no timestamp; for production signing add -t as in the command at the top of this page, so the signature stays valid after the certificate expires:

      osslsigncode sign -certs ./rsa4sign.cer -key ./rsa4sign.key -in Win32OpenSSL_Light-1_1_1j.msi -out test.msi

      Succeeded

    5. Run verify to make sure that it has been signed by "CN=Test":

      osslsigncode verify test.msi

      On osslsigncode 2.x, verify also builds the certificate chain; for a self-signed test certificate pass -CAfile ./rsa4sign.cer so the chain check can succeed.

Use CORE Key and CA Certificate

In this scenario, the signing key is generated in CORE and its certificate is issued by the organization's CA. Request a code-signing certificate (Extended Key Usage: Code Signing); Windows does not accept Authenticode signatures made with a certificate that lacks that usage.

  1. Prepare the key and its certificate:
    1. Generate a private RSA key (rsa4sign) for signing (--purpose S):

      ucl generate -t rsa --name rsa4sign --purpose S

    2. Export its private key as a PEM obfuscated file (rsa4sign.key). See Export Obfuscated Private Key:

      ucl export --name rsa4sign -o rsa4sign.key --obfuscate

    3. Generate a CSR for the key (rsa4sign.csr) in PEM format. See ucl csr:

      ucl csr --name rsa4sign -o rsa4sign.csr -f PEM --subject "CN=A, OU=B, O=C"

    4. Obtain the CA-signed certificate for the CSR (rsa4sign.cer). As needed, convert it to PEM format, then import it into the partition that stores the rsa4sign key. See ucl import:

      ucl import -i rsa4sign.cer --in-format PEM --name rsa4sign-cer --process-ca

      If the CA issues through an intermediate, append the intermediate certificate(s) to rsa4sign.cer; osslsigncode embeds every certificate in the -certs file in the signature, so verifiers can build the chain.

  2. Checklist. Make sure you have the following:
    • Files: rsa4sign.key, rsa4sign.cer
    • CORE objects: rsa4sign, rsa4sign-cer
  3. Sign and verify. Use -t so the signature carries a timestamp and remains valid after the certificate expires:

      osslsigncode sign -certs ./rsa4sign.cer -key ./rsa4sign.key -t http://timestamp.digicert.com -in <unsigned-file> -out <signed-file>

      osslsigncode verify <signed-file>

Use Imported Key and Certificate

This scenario assumes that the key and certificate are provided in a PKCS#12 (PFX) file, keycert.pfx.

  1. Prepare the key and its certificate:
    1. Import the PFX file and name its material rsa4sign. See Import Key and Certificate. The file password is passed on the command line, so it is visible in the shell history and the process list; clear the history afterwards:

      ucl import -i keycert.pfx --in-format PFX --file-pass ******* --name rsa4sign --process-ca --purpose S

    2. Export its private key as a PEM obfuscated file (rsa4sign.key). See Export Obfuscated Private Key:

      ucl export --name rsa4sign -o rsa4sign.key --obfuscate

    3. Export its certificate in PEM format (rsa4sign.cer). See Export Certificate:

      ucl export -u <UID of rsa4sign Certificate> -f PEM --name rsa4sign-cer -o rsa4sign.cer

  2. Checklist. Make sure you have the following:
    • Files: rsa4sign.key, rsa4sign.cer
    • CORE objects: rsa4sign (the key) and its certificate
  3. Sign and verify. Use -t so the signature carries a timestamp and remains valid after the certificate expires:

      osslsigncode sign -certs ./rsa4sign.cer -key ./rsa4sign.key -t http://timestamp.digicert.com -in <unsigned-file> -out <signed-file>

      osslsigncode verify <signed-file>
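The three scenarios above (self-signed test certificate, CA-issued certificate, imported PFX) all end in the same sign-and-verify step. The wrapper below is an added example for this page, not part of CORE or of osslsigncode: it checks the certificate, key and input file before calling osslsigncode, so a malformed PEM file or an unsupported input type is reported with a distinct exit code before any CORE or timestamp-server traffic happens, and then runs the sign and verify commands exactly as the page gives them. The function names, the per-failure exit codes and the TSA_URL override are assumptions of this example; the osslsigncode options are the ones used on this page.

```shell
#!/bin/sh
# core-sign.sh: preflight, sign and verify a Windows binary with osslsigncode,
# using a key exported from CORE as an obfuscated PEM file and its PEM certificate.
# Added example for this page; not part of the CORE or osslsigncode tooling.
# Assumed (not from the page): function names, exit codes, TSA_URL override.
set -u

TSA_URL="${TSA_URL:-http://timestamp.digicert.com}"   # same TSA the page uses

# Succeed when FILE is readable and contains a PEM block whose BEGIN label
# contains LABEL. An empty LABEL matches any PEM block (the exact label of the
# CORE obfuscated key file is not fixed here, so only the PEM framing is checked).
pem_has_block() {
  file="$1"; label="$2"
  [ -r "$file" ] || return 1
  grep -q -- "-----BEGIN .*${label}.*-----" "$file"
}

# Check the three inputs the page's sign command takes. Prints the first
# problem found and returns a distinct code so a CI job can tell them apart:
#   1 = certificate missing or not PEM (expects "-----BEGIN CERTIFICATE-----")
#   2 = key missing or not PEM (re-export it with 'ucl export ... --obfuscate')
#   3 = input file missing or unreadable
#   4 = input has a file type osslsigncode does not sign
check_inputs() {
  cert="$1"; key="$2"; input="$3"
  pem_has_block "$cert" "CERTIFICATE" || { echo "$cert: not a PEM certificate" >&2; return 1; }
  pem_has_block "$key" "" || { echo "$key: not a PEM key file" >&2; return 2; }
  [ -r "$input" ] || { echo "$input: cannot read input" >&2; return 3; }
  case "$input" in
    *.msi|*.exe|*.dll|*.sys|*.cab|*.cat) return 0 ;;
    *) echo "$input: not a file type osslsigncode signs" >&2; return 4 ;;
  esac
}

# Check that the tools the page lists as prerequisites are on the PATH.
check_tools() {
  command -v osslsigncode >/dev/null 2>&1 || { echo "osslsigncode not found (see Appendix)" >&2; return 1; }
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  openssl version   # expected: 1.0.2 or 1.1.x, the versions the CORE engine integrates with
}

# Sign IN to OUT with the certificate and the CORE-exported key, timestamping
# through TSA_URL, then verify the result. Fails fast on bad inputs so a CORE or
# TSA problem is never mistaken for a malformed file.
# For a self-signed test certificate on osslsigncode 2.x, add -CAfile "$cert"
# to the verify command so the chain check can succeed.
sign_and_verify() {
  cert="$1"; key="$2"; in="$3"; out="$4"
  check_tools || return 1
  check_inputs "$cert" "$key" "$in" || return 1
  osslsigncode sign -certs "$cert" -key "$key" -t "$TSA_URL" -in "$in" -out "$out" || return 1
  osslsigncode verify "$out"
}

# Usage: ./core-sign.sh rsa4sign.cer rsa4sign.key setup.msi setup-signed.msi
if [ "$#" -eq 4 ]; then
  sign_and_verify "$1" "$2" "$3" "$4"
fi
```

The key check only confirms PEM framing; whether the file is a valid CORE obfuscated key is decided by the CORE engine when osslsigncode opens it, which is why check_tools runs first and the engine-backed steps run last.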

Appendix

Install Osslsigncode on RHEL 8

  1. Add the Fedora EPEL repository, which contains the osslsigncode package:

    sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

    Installed: epel-release-8-13.el8.noarch

  2. Install the latest osslsigncode (2.2 at the time of writing) for el8.x86_64:

    sudo dnf install osslsigncode.x86_64

    Installed: osslsigncode-2.2-1.el8.x86_64

Build Osslsigncode for RHEL 7

To install osslsigncode:

  1. Download the package from https://sourceforge.net/projects/osslsigncode (1.7.1 is the last release published there; development has since moved to https://github.com/mtrojnar/osslsigncode, where newer releases are published):

    wget https://downloads.sourceforge.net/project/osslsigncode/osslsigncode/osslsigncode-1.7.1.tar.gz

  2. Unpack it:

    tar -xvf osslsigncode-1.7.1.tar.gz

  3. Install libgsf, a library for reading and writing structured files such as .msi files:

    sudo yum install libgsf.x86_64

  4. As needed, install prerequisite packages for building osslsigncode:
    • autoconf
    • openssl-devel
    • libcurl-devel
    • libgsf-devel
  5. Build and install osslsigncode:

    cd osslsigncode-1.7.1
    ./configure
    make
    sudo make install