osslsigncode

osslsigncode is a small tool that implements part of the functionality of the Microsoft tool signtool.exe - more exactly the Authenticode signing and timestamping. But osslsigncode is based on OpenSSL and cURL, and thus should be able to compile on most platforms where these exist.

Installation

Linux

Check github.com for installation instructions.

macOS

brew install osslsigncode

Usage

osslsigncode [OPTIONS]

Flags

Commands:
add                    = add an unauthenticated blob or a timestamp to a previously-signed file
attach-signature       = sign file using a given signature
extract-signature      = extract signature from a previously-signed file
remove-signature       = remove sections of the embedded signature on a file
sign                   = digitally sign a file
verify                 = verifies the digital signature of a file

For help on a specific command, enter osslsigncode <command> --help

Usage: 

 [ --version | -v ]
 [ --help ]

 [ sign ] ( -certs | -spc <certfile> -key <keyfile> | -pkcs12 <pkcs12file> |
              [ -pkcs11engine <engine> ] -pkcs11module <module> -pkcs11cert <pkcs11 cert id> |
              -certs <certfile> -key <pkcs11 key id>)
            [ -pass <password>  [ -askpass ] [ -readpass <file> ]
            [ -ac <crosscertfile> ]
            [ -h {md5,sha1,sha2(56),sha384,sha512} ]
            [ -n <desc> ] [ -i <url> ] [ -jp <level> ] [ -comm ]
            [ -ph ]
            [ -t <timestampurl> [ -t ... ] [ -p <proxy> ] [ -noverifypeer  ]
            [ -ts <timestampurl> [ -ts ... ] [ -p <proxy> ] [ -noverifypeer ] ]
            [ -st <unix-time> ]
            [ -addUnauthenticatedBlob ]
            [ -nest ]
            [ -verbose ]
            [ -add-msi-dse ]
            [ -in ] <infile> [-out ] <outfile>

 add [-addUnauthenticatedBlob]
            [ -t <timestampurl> [ -t ... ] [ -p <proxy> ] [ -noverifypeer  ]
            [ -ts <timestampurl> [ -ts ... ] [ -p <proxy> ] [ -noverifypeer ] ]
            [ -verbose ]
            [ -add-msi-dse ]
            [ -in ] <infile> [ -out ] <outfile>

 attach-signature [ -sigin ] <sigfile>
            [ -CAfile <infile> ]
            [ -CRLfile <infile> ]
            [ -TSA-CAfile <infile> ]
            [ -TSA-CRLfile <infile> ]
            [ -nest ]
            [ -add-msi-dse ]
            [ -in ] <infile> [ -out ] <outfile>

 extract-signature [ -pem ]
            [ -in ] <infile> [ -out ] <sigfile>

 remove-signature [ -in ] <infile> [ -out ] <outfile>

 verify [ -in ] <infile>
            [ -c | -catalog <infile> ]
            [ -CAfile <infile> ]
            [ -CRLfile <infile> ]
            [ -TSA-CAfile <infile> ]
            [ -TSA-CRLfile <infile> ]
            [ -require-leaf-hash {md5,sha1,sha2(56),sha384,sha512}:XXXXXXXXXXXX... ]
            [ -timestamp-expiration ]
            [ -verbose ]

Examples

osslsigncode verify PsExec64.exe 
Current PE checksum   : 0008B793
Calculated PE checksum: 0008B793

Signature Index: 0  (Primary Signature)
Message digest algorithm  : SHA256
Current message digest    : BD7E69C22664A04B7B0E4C6A7B154E6E01C6CE9599B694BC19179AC7E2B77EE3
Calculated message digest : BD7E69C22664A04B7B0E4C6A7B154E6E01C6CE9599B694BC19179AC7E2B77EE3

Signer's certificate:
        Signer #0:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
                Serial : 33000002528B33AAF895F339DB000000000252
                Certificate expiration date:
                        notBefore : Sep  2 18:32:59 2021 GMT
                        notAfter : Sep  1 18:32:59 2022 GMT

Number of certificates: 2
        Signer #0:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
                Serial : 33000002528B33AAF895F339DB000000000252
                Certificate expiration date:
                        notBefore : Sep  2 18:32:59 2021 GMT
                        notAfter : Sep  1 18:32:59 2022 GMT
        ------------------
        Signer #1:
                Subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA 2011
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Root Certificate Authority 2011
                Serial : 610E90D2000000000003
                Certificate expiration date:
                        notBefore : Jul  8 20:59:09 2011 GMT
                        notAfter : Jul  8 21:09:09 2026 GMT

Authenticated attributes:
        Message digest algorithm: SHA256
        Message digest: 75704792B1FA7A2BB1AA671436E1C8139CA9F8BAB822E666E1EBBB014847B7CE
        Signing time: N/A
        Microsoft Individual Code Signing purpose
        URL description: https://www.sysinternals.com
        Text description: psexec

The signature is timestamped: Jul 19 14:50:05 2022 GMT
Hash Algorithm: sha256
Timestamp Verified by:
                Issuer : /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Time-Stamp PCA 2010
                Serial : 330000018A3E388DD20E02FAE800010000018A

CAfile: /etc/ssl/cert.pem
TSA's certificates file: /etc/ssl/cert.pem
CRL distribution point: http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

URL list