
Sign Authenticode files with osslsigncode using OpenSSL PKCS11 engine

osslsigncode is a command-line tool used to code sign, timestamp, and verify the signatures of executable files. osslsigncode leverages the OpenSSL library to perform the code signing operations. osslsigncode can be compiled on most platforms where OpenSSL and cURL are available.

Follow these instructions to sign directly using osslsigncode and securely reference your private key stored in DigiCert® Software Trust Manager. Alternatively, integrate osslsigncode with Signing Manager Controller (SMCTL) for simplified signing.

Tip

  • DigiCert® Software Trust Manager only supports osslsigncode signing on Linux.

  • To sign on Windows or macOS, use Jsign.

  • To avoid errors when signing large files, use osslsigncode instead of Jsign.

  • If you encounter unclear errors, it may be useful to sign via SMCTL instead; if the errors persist, refer to the SMCTL logs.

Prerequisites

A note for Ubuntu users

If you run Ubuntu version 24.04 or above, you may receive the following error when attempting a signature:

bad engine id
Failed to set 'dynamic' engine
Failed to read key or certificates
4019CC0F7E7F0000:error:1300006D:engine routines:dynamic_load:init failed:../crypto/engine/eng_dyn.c:514:
Failed

This error is caused by an incompatibility between the PKCS11 engine packaged with the OS and osslsigncode.

To troubleshoot:

  • Download and compile the latest version of LibP11 from GitHub.

  • Review the Unix Build instructions for compiling from GitHub.

    • Running the final make install command replaces the previously installed version of the libengine-pkcs11-openssl package.

Sign with osslsigncode

The downloaded certificate is referred to as cert.pem in the scenarios below.

Note

Use a full chain certificate instead of a keypair certificate. This action ensures the intermediate certificate is bundled with the signature, preventing chain validation failures during verification.

To download the full chain certificate, use the smctl command with the full chain flag enabled.

To sign and timestamp:

osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs <path to keypair certificate> -key 'pkcs11:object=<keypair alias>;type=private' -in <file to be signed> -out <output signed file> -h sha256 -t http://timestamp.digicert.com

Command sample:

osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so -pkcs11module /root/smpkcs11.so -certs cert.pem -key 'pkcs11:object=keypair;type=private' -in test.msi -out test-signed.msi -h sha256 -t http://timestamp.digicert.com

Command output:

root@dcd6f73b44b0:~# osslsigncode sign     -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so     -pkcs11module /root/smpkcs11.so     -certs cert.pem     -key 'pkcs11:object=keypair;type=private'     -in test.msi -out test-signed.msi -h sha256 -t http://timestamp.digicert.com
Succeeded

Verify signature with osslsigncode

To verify signature:

osslsigncode verify -in <signed file>

Command sample:

osslsigncode verify -in test-signed.msi

Command output:

root@dcd6f73b44b0:~# osslsigncode verify -in test-signed.msi
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 87ACE0A2CD533EDB8BFE20FF1250B121D591C358EDFAC1806087CCE75AE0449C
 
Signature verification: ok
 
Number of signers: 1
        Signer #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica
 
Number of certificates: 3
        Cert #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica
        Cert #1:
                Subject : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Cert #2:
                Subject : /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
 
 
Succeeded
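The following script is an added example, not code from the DigiCert page or from the osslsigncode project, that wraps both the signing step and the verification step above for use in a build pipeline. It checks that the PKCS11 engine and module libraries are readable before signing (so a wrong path surfaces as a clear message rather than the "bad engine id" error shown earlier), prints the exact sign command for review, and inspects the osslsigncode verify output to confirm not only that verification reported ok but also that the signer is the expected certificate and that a timestamp certificate is present. The engine and module paths are the ones given on this page; the keypair alias, file names and expected CN are caller-supplied assumptions, and the timestamp check assumes DigiCert's timestamping service is used. The sample verify output embedded at the end is constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example: a CI-style wrapper around the osslsigncode flow described on
# this page. It is not DigiCert's or osslsigncode's own code. Assumptions:
# the engine and module paths below (as given on the page), the keypair
# alias and file names passed by the caller, and DigiCert's TSA being used
# for the timestamp (the "Timestamp" certificate check relies on that).

ENGINE=/usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE=/root/smpkcs11.so
TSA_URL=http://timestamp.digicert.com

# Check that every PKCS11 library given exists and is readable before calling
# osslsigncode, so a missing or wrong path is reported plainly instead of as
# "bad engine id" / "Failed to set 'dynamic' engine".
check_pkcs11_libs() {
    for lib in "$@"; do
        if [ ! -r "$lib" ]; then
            echo "PKCS11 library missing or unreadable: $lib" >&2
            return 1
        fi
    done
    return 0
}

# Print the sign command for a full-chain certificate, a keypair alias, and
# the input and output files. Printing rather than running lets the caller
# review the exact command line and lets this function be checked offline.
build_sign_cmd() {
    certs=$1; alias=$2; infile=$3; outfile=$4
    printf "osslsigncode sign -pkcs11engine %s -pkcs11module %s -certs %s -key 'pkcs11:object=%s;type=private' -in %s -out %s -h sha256 -t %s\n" \
        "$ENGINE" "$MODULE" "$certs" "$alias" "$infile" "$outfile" "$TSA_URL"
}

# Read `osslsigncode verify` output on stdin and return 0 only if:
#   1. the verification line reports ok,
#   2. Signer #0 carries the expected subject CN (signed with the right key),
#   3. a timestamp certificate is present (the -t step actually succeeded).
# osslsigncode's exit status already covers point 1; points 2 and 3 catch a
# file signed with the wrong key or shipped without a counter-signature.
check_verify_output() {
    expected_cn=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Signature verification: ok$' \
        || { echo "signature verification did not report ok" >&2; return 1; }
    # The subject DN is the line after "Signer #0:"; pull the CN out of it.
    signer_cn=$(printf '%s\n' "$out" | awk '/Signer #0:/ { getline; print; exit }' \
        | sed -n 's/.*\/CN=\([^/]*\).*/\1/p')
    [ "$signer_cn" = "$expected_cn" ] \
        || { echo "unexpected signer CN: '$signer_cn' (wanted '$expected_cn')" >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'Subject : .*CN=DigiCert Timestamp' \
        || { echo "no timestamp certificate found; was -t used?" >&2; return 1; }
    return 0
}

# Constructed sample that mirrors the verify output shown on this page.
sample_verify_output() {
    cat <<'EOF'
Message digest algorithm         : SHA256
Calculated DigitalSignature      : 87ACE0A2CD533EDB8BFE20FF1250B121D591C358EDFAC1806087CCE75AE0449C

Signature verification: ok

Number of signers: 1
        Signer #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica

Number of certificates: 3
        Cert #0:
                Subject : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=My Org
                Issuer  : /C=US/ST=TEST/L=XYZABCD/street=Test Address/postalCode=XYZABCD/O=My Org/CN=rsa-ica
        Cert #1:
                Subject : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
        Cert #2:
                Subject : /C=US/O=DigiCert, Inc./CN=DigiCert Timestamp 2021
                Issuer  : /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Assured ID Timestamping CA

Succeeded
EOF
}

# Real use (assumes osslsigncode is on PATH and the SM PKCS11 module is set up):
#   check_pkcs11_libs "$ENGINE" "$MODULE" \
#     && eval "$(build_sign_cmd cert.pem keypair test.msi test-signed.msi)" \
#     && osslsigncode verify -in test-signed.msi | check_verify_output "My Org"
```

Piping the real `osslsigncode verify` output through `check_verify_output` with your organisation's CN turns the verify step into a pass/fail gate: a build signed with a different keypair alias, or signed without `-t` so that no timestamp certificate is embedded, fails the gate even though osslsigncode itself would still print "Signature verification: ok".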