I am able to sign my Windows EXEs on Windows using SAC and signtool.exe. But this requires a Windows machine which I don't have readily available access to. I primarily work on Linux, and the Sectigo support folks tell me this process is feasible on Linux, but I'm running into issues.
I can run the SAC and see the certificate, etc. I have successfully inspected the certificate using pkcs11-tool:

pkcs11-tool --module /usr/lib/pkcs11/libeToken.so --login --list-objects
I have found several references to osslsigncode, but they all use the certificate and key in the command line.
What tools and/or commands do I use to actually sign the Windows EXE on Ubuntu when the OV certificate bundle and private key are on a hardware token from Sectigo?
2 Answers
I ended up testing various methods using a variety of tools: pkcs11-tool, p11tool, p11-kit. The steps are as follows:

Run p11tool --provider=/usr/lib/libeTPkcs11.so --list-all. This should list the actual URIs for the tokens. Other tools only gave URIs for other certificates but not my hardware token.

Next, I had to wrangle with which pkcs11engine to use. I tried several mentioned in these posts and elsewhere but got errors. I finally found pkcs11.so for one of my snaps:

Then I had to construct the command line. I started out using only the URI as the key, which didn't work. So I found the certificate ID, pkcs11cert, with this command:

The ID was showing up via other command output, but in a form with colons, so I wasn't sure how to use it (e.g., ID: xx:xx:xx:xx:xx:xx:xx:xx).

I finally landed on this command line:

I'm a bit wary of using that snap pkcs11engine, but it is working. I'll continue to refine this process, but for now I'm satisfied with the progress.

Anyone successfully used osslsigncode to code sign a Windows EXE on a Mac? Not sure how to translate the above command to work on a Mac.