I am able to sign my Windows EXEs on Windows using SAC and singtool.exe. But this requires a Windows machine which I don’t have readily available access to. I primarily work on Linux and the Sectigo support folks tell me this process is feasible on Linux but I’m running into issues.
I can run the SAC and see the certificate, etc. I have successfully inspected the certificate using pkcs11-tool:
pkcs11-tool --module /usr/lib/pkcs11/libeToken.so --login --list-objects
I have found several references to osslsigncode but yet they all use the certificate and key in the command line.
What tools and/or commands do I use to actually sign the Windows EXE on Ubuntu when the OV certificate bundle and private key are on a hardware token from Sectigo?
2
Answers
I ended up testing various methods using a variety of tools:
pkcs11-tool,p11tool,p11-kit. The steps are as follows:Run
p11tool --provider=/usr/lib/libeTPkcs11.so --list-all. This should list the actual URIs for the tokens. Other tools only gave URIs for other certificates but not my hardware token.Next, I had to wrangle with which
pkcs11engineto use. I tried several mentioned in these posts and elsewhere but got errors. I finally foundpkcs11.sofor one of my snaps:Then I had to construct the command line. I started out using only the URI as the key, which didn't work. So I found the certificate ID,
pkcs11cert, with this command:The ID was showing up via other command output, but in a form with colons so I wasn't sure how to use it (eg,
ID: xx:xx:xx:xx:xx:xx:xx:xx).I finally landed on this command line:
I'm a bit weary of using that snap
pkcs11enginebut it is working. I'll continue to refine this process, but for now I'm satisfied with the progress.Anyone successfully used osslsigncode to code sign a Windows EXE on a Mac? Not sure how to translate the above command to work on a Mac.