osslsigncode============== WHAT IS IT?osslsigncode is a small tool that implements part of the functionalityof the Microsoft tool signtool.exe - more exactly the Authenticodesigning and timestamping. But osslsigncode is based on OpenSSL and cURL,and thus should be able to compile on most platforms where these exist.== WHY?Why not use signtool.exe? Because I don't want to go to a Windowsmachine every time I need to sign a binary - I can compile and buildthe binaries using Wine on my Linux machine, but I can't sign themsince the signtool.exe makes good use of the CryptoAPI in Windows, andthese APIs aren't (yet?) fully implemented in Wine, so the signtool.exetool  would fail. And, so, osslsigncode was born.== WHAT CAN IT DO?It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supportsthe equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add avalid signature for a CAB file containing Java files. It supports gettingthe timestamp through a proxy as well. It also supports signature verification,removal and extraction.== INSTALLATIONThe usual way:  ./configure  make  make install== USAGEBefore you can sign a file you need a Software PublishingCertificate (spc) and a corresponding private key.This article provides a good starting point as to howto do the signing with the Microsoft signtool.exe:http://www.matthew-jones.com/articles/codesigning.htmlTo sign with osslsigncode you need the certificate file mentioned in thearticle above, in SPC or PEM format, and you will also need the privatekey which must be a key file in DER or PEM format, or if osslsigncode wascompiled against OpenSSL 1.0.0 or later, in PVK format.To sign a PE or MSI file you can now do:  osslsigncode sign -certs <cert-file> -key <der-key-file> \        -n "Your Application" -ihttp://www.yourwebsite.com/ \        -in yourapp.exe -out yourapp-signed.exeor if you are using a PEM or PVK key file with a password togetherwith a PEM certificate:  osslsigncode sign -certs <cert-file> \        -key <key-file> -pass <key-password> \        -n "Your Application" -ihttp://www.yourwebsite.com/ \        -in yourapp.exe -out yourapp-signed.exeor if you want to add a timestamp as well:  osslsigncode sign -certs <cert-file> -key <key-file> \        -n "Your Application" -ihttp://www.yourwebsite.com/ \        -thttp://timestamp.verisign.com/scripts/timstamp.dll \        -in yourapp.exe -out yourapp-signed.exeYou can use a certificate and key stored in a PKCS#12 container:  osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \        -n "Your Application" -ihttp://www.yourwebsite.com/ \        -in yourapp.exe -out yourapp-signed.exeTo sign a CAB file containing java class files:  osslsigncode sign -certs <cert-file> -key <key-file> \        -n "Your Application" -ihttp://www.yourwebsite.com/ \        -jp low \        -in yourapp.cab -out yourapp-signed.cabOnly the 'low' parameter is currently supported.You can check that the signed file is correct by right-clickingon it in Windows and choose Properties --> Digital Signatures,and then choose the signature from the list, and click onDetails. You should then be presented with a dialog that saysamongst other things that "This digital signature is OK".== CONVERTING FROM PVK TO DER(This guide was written by Ryan Rubley)If you've managed to finally find osslsigncode from some searches,you're most likely going to have a heck of a time getting your SPCand PVK files into the formats osslsigncode wants.On the computer where you originally purchased your certificate, youprobably had to use IE to get it. Run IE and select Tools/InternetOptions from the menu, then under the Content tab, click the Certificatesbutton. Under the Personal tab, select your certificate and click theExport button. On the second page of the wizard, select the PKCS #7Certificate (.P7B) format. This file you export as a *.p7b is what youuse instead of your *.spc file. It's the same basic thing, in a different format.For your PVK file, you will need to download a little utility calledPVK.EXE. This can currently be downloaded athttp://support.globalsign.net/en/objectsign/PVK.zipRun: pvk -in foo.pvk -nocrypt -out foo.pemThis will convert your PVK file to a PEM file.From there, you can copy the PEM file to a Linux box, and run:  openssl rsa -outform der -in foo.pem -out foo.derThis will convert your PEM file to a DER file.You need the *.p7b and *.der files to use osslsigncode, instead of your*.spc and *.pvk files.== BUGS, QUESTIONS etc.Send an email to pallansson@gmail.comBUT, if you have questions related to generating spc files,converting between different formats and so on, *please*spend a few minutes searching on google for your particularproblem since many people probably already have had yourproblem and solved it as well.