Skip to main content

Sign Authenticode files with Osslsigncode using OpenSSL PKCS11 engine

Osslsigncode is a command-line tool used to code sign, timestamp, and verify signatures executable files. Osslsigncode leverages the OpenSSL library for performing code signing operations. Osslsigncode can be compiled on most platforms where OpenSSL and cURL exist.

Follow these instructions to sign directly using Osslsigncode and securely reference your private key stored in DigiCert​​®​​ Software Trust Manager. Alternatively, integrate Osslsigncode with Signing Manager Controller (SMCTL) for simplified signing.

Tip

  • DigiCert​​®​​ Software Trust Manager only supports Osslsigncode signing on Linux.

  • To sign on Windows or macOS, use Jsign.

  • To avoid errors when signing large files, use osslsigncode instead of Jsign.

  • If you encounter unclear errors, it may be useful to sign via SMCTL and if errors persist, refer to SMCTL logs.

Prerequisites

Sign with Osslsigncode

The downloaded certificate is referred to as cert.pem in the scenarios below.

To sign and timestamp:

osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs <path to keypair certificate> -key 'pkcs11:object=<keypair alias>;type=private' -in <file to be signed> -out <output signed file> -h sha256 -t http://timestamp.digicert.com

Command sample:

osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs cert.pem -key 'pkcs11:object=keypair;type=private' -in test.msi -out test-signed.msi -h sha256 -t http://timestamp.digicert.com

Command output:

root@dcd6f73b44b0:~# osslsigncode sign     -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so     -pkcs11module /root/smpkcs11.so     -certs cert.pem     -key 'pkcs11:object=keypair;type=private'     -in test.msi -out test-signed.msi -h sha256 -t http://timestamp.digicert.com
Succeeded

Verify signature with Osslsigncode

To verify signature:

osslsigncode verify -in <signed file>

Command sample:

osslsigncode verify -in test-signed.msi

Command output:

root@dcd6f73b44b0:~# osslsigncode verify -in test-signed.msi
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 87ACE0A2CD533EDB8BFE20FF1250B121D591C358EDFAC1806087CCE75AE0449C
 
Signature verification: ok
 
Number of signers: 1
        Signer #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica
 
Number of certificates: 3
        Cert #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica
        Cert #1:
                Subject : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Cert #2:
                Subject : /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
 
 
Succeeded