
We need to sign Windows software with the SHA-2 algorithm, but installing signtool seems to be a problem, since I am having difficulties installing the software on my machines.

Moreover, I would like to sign the exes on linux.

We used to perform the task with signcode but it only supports sha1 and md5. Since 01.01.2016, sha1 and md5 are not accepted anymore.

Therefore I would like to know what the alternatives are to perform this task.

Update: I did get a signtool extracted from another computer and it did sign the files also with a timestamp:

```
signtool.exe sign /fd SHA256 /a /f file.pfx /p "my password" /t http://timestamp.verisign.com/scripts/timstamp.dll filetosign.exe
```

and it did appear as signed with SHA256 and it has a timestamp, but Internet Explorer is still causing problems.

IMHO there is still a need for this question, to know whether there is an alternative, and whether this alternative would work under Linux, because an alternative tool which would do the work would mean that the solution is not working because of signtool, as opposed to a certificate problem or an IE problem.

user1102074
  • Are you having trouble installing SignTool on Linux? Because that makes sense, it's a Windows application. The easiest way to get it going on Windows is to download and install the [Windows SDK](https://www.microsoft.com/en-us/download/details.aspx?id=8279). – Cody Gray - on strike Feb 24 '16 at 12:25
  • No... I haven't tried that yet. But I tried to install the Windows SDK on different machines... and it did not work. I only need to automate the signing of the files. Thank you. – user1102074 Feb 24 '16 at 13:24
  • Is it possible to run it under Wine? – ddbug Feb 24 '16 at 19:08
  • yes this would be possible. – user1102074 Mar 29 '16 at 07:58
  • "IMHO there is still a need for this question, to know whether there is an alternative, and whether this alternative would work under Linux" – Agreed, this information is valuable and since the question was opened, > 3K views as well as two viable solutions have been proposed. Proprietary technologies (such as Authenticode) often need general "Does any alternative exist" questions and are valuable to developers and the community at large. Unfortunately, they can draw in subjective answers (e.g. "Foo is best"), which is why they're often closed before any helpful answers start rolling in. – tresf Apr 18 '22 at 16:14

2 Answers


https://github.com/mtrojnar/osslsigncode -- use the `-h sha2` parameter when signing

elmarco (edited by Uddhav P. Gautam)
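As an added example (not code from the question, nor from osslsigncode or jsign), here is a small Python script that reads the digest algorithm recorded in an executable's Authenticode signature, so a file signed with `signtool /fd SHA256` or `osslsigncode -h sha2` can be checked on Linux without signtool. It follows the documented PE layout (data directory entry 4 is the security directory, which points at a WIN_CERTIFICATE wrapping a PKCS#7 SignedData) and reports the entries of `SignedData.digestAlgorithms`. The function and constant names are mine, and `build_sample_pe()` constructs a throwaway PE with a skeleton SignedData (not a valid signature) purely so the parser can be exercised offline.

```python
"""Report the digest algorithm(s) an Authenticode-signed PE file was signed with.
Added example; the sample PE produced by build_sample_pe() is a constructed stand-in."""
import struct

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DIGEST_OIDS = {
    bytes.fromhex("2a864886f70d0205"): "md5",       # 1.2.840.113549.2.5
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
    bytes.fromhex("608648016503040202"): "sha384",  # 2.16.840.1.101.3.4.2.2
    bytes.fromhex("608648016503040203"): "sha512",  # 2.16.840.1.101.3.4.2.3
}
SHA2 = {"sha256", "sha384", "sha512"}


def der_read(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner


def der_encode(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def authenticode_blob(pe):
    """Return the PKCS#7 bytes from the PE security directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4 = security
    if sec_size == 0:
        return None
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if cert_type != 0x0002:                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % cert_type)
    return pe[sec_off + 8:sec_off + length]


def digest_algorithms(pkcs7):
    """Names of the digest algorithms listed in SignedData.digestAlgorithms."""
    _, content_info, _ = der_read(pkcs7, 0)                 # ContentInfo SEQUENCE
    (_, content_type), (_, explicit0) = list(der_children(content_info))[:2]
    if content_type != OID_SIGNED_DATA:
        raise ValueError("content is not PKCS#7 signedData")
    _, signed_data = next(der_children(explicit0))          # [0] EXPLICIT SignedData
    _, digest_set = list(der_children(signed_data))[1]      # version, then digestAlgorithms
    names = []
    for _, alg_id in der_children(digest_set):              # each is an AlgorithmIdentifier
        _, oid = next(der_children(alg_id))
        names.append(DIGEST_OIDS.get(oid, "oid:" + oid.hex()))
    return names


def is_sha2_signed(pe):
    """True only if the image is signed and every listed digest is a SHA-2 variant."""
    blob = authenticode_blob(pe)
    if blob is None:
        return False
    algs = digest_algorithms(blob)
    return bool(algs) and all(a in SHA2 for a in algs)


def build_sample_pe(digest_oid):
    """Constructed sample: minimal PE32 whose security entry carries a skeleton SignedData."""
    signed_data = der_encode(0x30, der_encode(0x02, b"\x01")  # version
                             + der_encode(0x31, der_encode(0x30, der_encode(0x06, digest_oid))))
    pkcs7 = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    hdr = bytearray(512)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 4 * 8, len(hdr), len(cert))  # security entry
    return bytes(hdr) + cert


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = authenticode_blob(f.read())
        print(path, digest_algorithms(blob) if blob else "unsigned")
```

Run it as `python check_digest.py filetosign.exe` after signing. It inspects the primary signature only: a dual-signed file carries the second signature as a nested attribute that this script does not descend into, and it does not validate the signature, the certificate chain or the timestamp, so a `sha256` result rules out the "wrong digest" explanation but not a certificate or timestamp problem.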

Another alternative is ebourg/jsign, which is written in Java.

It can be called directly from Java or provided as an ant task.

Since it's written in Java, this tool can be used on any platform which runs Java, including (but not limited to) Linux, Solaris and macOS.

Quoting the README.md:

Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows, Microsoft Installers (MSI) and PowerShell scripts. Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.

Jsign comes as an easy to use task/plugin for the main build systems (Maven, Gradle, Ant). It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, msitools, install4j, exe4j or launch4j. Jsign can also be used programmatically or standalone as a command line tool.

Jsign is free to use and licensed under the Apache License version 2.0.

tresf
  • Thanks for the answer... which came quite late, since I had the problem in 2016... – user1102074 Apr 17 '22 at 19:28
  • Yeah, it's unfortunate that the question was closed. `jsign` was [originally written in 2012](https://github.com/ebourg/jsign/commit/9e1ac6ef01628508ef48967ab3619d64748918b1), so it would have been a viable answer, even back then. These questions do lend themselves to subjective answers, but simply asking if a technology exists is half the battle sometimes. Furthermore, this question is fairly popular and has been viewed over 3,000 times. Personally, I've been using `jsign` to Authenticode-sign Windows executables on MacOS, Linux and Windows for years, and it is a viable solution. – tresf Apr 18 '22 at 16:10
  • Well, as I was the owner and had not noticed the answer, it seems I can edit the question and then the answer could be appropriate... though the other answer might be a better solution. – user1102074 Apr 19 '22 at 20:04