{"id":13840599,"url":"https://github.com/mtrojnar/osslsigncode","last_synced_at":"2026-02-02T19:05:53.444Z","repository":{"id":38291451,"uuid":"158653995","full_name":"mtrojnar/osslsigncode","owner":"mtrojnar","description":"OpenSSL-based Authenticode signing for PE, CAB, CAT, MSI, APPX, and script file","archived":false,"fork":false,"pushed_at":"2026-01-20T23:09:36.000Z","size":2530,"stargazers_count":1001,"open_issues_count":0,"forks_count":144,"subscribers_count":15,"default_branch":"master","last_synced_at":"2026-01-21T08:39:30.776Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mtrojnar.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS.md","contributing":null,"funding":null,"license":"COPYING.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-11-22T06:43:20.000Z","updated_at":"2026-01-21T07:03:23.000Z","dependencies_parsed_at":"2022-07-17T08:46:16.082Z","dependency_job_id":"4b054dc3-1432-4535-964d-5c4c8b59375c","html_url":"https://github.com/mtrojnar/osslsigncode","commit_stats":{"total_commits":466,"total_committers":26,"mean_commits":"17.923076923076923","dds":"0.44420600858369097","last_synced_commit":"44a6768089404762e8db21b75264347065203ff6"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/mtrojnar/osslsigncode","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtrojnar%2Fosslsigncode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtrojna
r%2Fosslsigncode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtrojnar%2Fosslsigncode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtrojnar%2Fosslsigncode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mtrojnar","download_url":"https://codeload.github.com/mtrojnar/osslsigncode/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtrojnar%2Fosslsigncode/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29017941,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T18:51:31.335Z","status":"ssl_error","status_checked_at":"2026-02-02T18:49:20.777Z","response_time":58,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:50.815Z","updated_at":"2026-02-02T19:05:53.435Z","avatar_url":"https://github.com/mtrojnar.png","language":"C","readme":"osslsigncode\n============\n\n## BUILD STATUS\n\n[![CI](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml/badge.svg)](https://github.com/mtrojnar/osslsigncode/actions/workflows/ci.yml)\n\n## WHAT IS IT?\n\nosslsigncode is a small tool that implements part of the functionality\nof the Microsoft tool signtool.exe - more exactly the Authenticode\nsigning and 
timestamping. But osslsigncode is based on OpenSSL and cURL,\nand thus should be able to compile on most platforms where these exist.\n\n## WHY?\n\nWhy not use signtool.exe? Because I don't want to go to a Windows\nmachine every time I need to sign a binary - I can compile and build\nthe binaries using Wine on my Linux machine, but I can't sign them\nsince the signtool.exe makes good use of the CryptoAPI in Windows, and\nthese APIs aren't (yet?) fully implemented in Wine, so the signtool.exe\ntool would fail. And, so, osslsigncode was born.\n\n## WHAT CAN IT DO?\n\nIt can sign and timestamp PE (EXE/SYS/DLL/etc), CAB, CAT, MSI and APPX files,\nas well as script files with extensions `.ps1`, `.ps1xml`, `.psc1`, `.psd1`,\n`.psm1`, `.cdxml`, `.mof`, and `.js`.\nIt supports the equivalent of signtool.exe's \"-j javasign.dll -jp low\",\ni.e. add a valid signature for a CAB file containing Java files.\nIt supports getting the timestamp through a proxy as well. It also\nsupports signature verification, removal and extraction.\n\n## BUILDING\n\nThis section covers building osslsigncode for [Unix-like](https://en.wikipedia.org/wiki/Unix-like) operating systems.\nSee [INSTALL.W32.md](https://github.com/mtrojnar/osslsigncode/blob/master/INSTALL.W32.md) for Windows notes.\nWe highly recommend downloading a [release tarball](https://github.com/mtrojnar/osslsigncode/releases) instead of cloning from a git repository.\n\n### Configure, build, make tests and install osslsigncode\n\n* Install prerequisites on Debian-based distributions, such as Ubuntu:\n```\n  sudo apt update \u0026\u0026 sudo apt install cmake libssl-dev libcurl4-openssl-dev zlib1g-dev python3\n```\n* Install prerequisites on macOS with Homebrew:\n```\n  brew install cmake pkg-config openssl@1.1\n  export PKG_CONFIG_PATH=\"/usr/local/opt/openssl@1.1/lib/pkgconfig\"\n```\n**NOTE:** osslsigncode requires CMake 3.17 or newer.\n\nYou may need to use `cmake3` instead of `cmake` to complete the following steps on your 
system.\n* Navigate to the build directory and run CMake to configure the osslsigncode project\n  and generate a native build system:\n```\n  mkdir build \u0026\u0026 cd build \u0026\u0026 cmake -S ..\n```\n  optional CMake parameters:\n```\n  -DCMAKE_BUILD_TYPE=Debug\n  -DCMAKE_C_COMPILER=clang\n  -DCMAKE_PREFIX_PATH=[openssl directory];[curl directory]\n  -DCMAKE_INSTALL_PREFIX=[installation directory]\n  -DBASH_COMPLETION_USER_DIR=[bash completion installation directory]\n\n```\n* Then call that build system to actually compile/link the osslsigncode project (alias `make`):\n```\n  cmake --build .\n```\n* Make test:\n```\n  ctest -C Release\n```\n* Make install:\n```\n  sudo cmake --install .\n```\n* Make tarball (simulate autotools' `make dist`):\n```\n  cmake --build . --target package_source\n```\n\n## USAGE\n\nBefore you can sign a file you need a Software Publishing\nCertificate (spc) and a corresponding private key.\n\nThis article provides a good starting point as to how\nto do the signing with the Microsoft signtool.exe:\n\n  http://www.matthew-jones.com/articles/codesigning.html\n\nTo sign with osslsigncode you need the certificate file mentioned in the\narticle above, in SPC or PEM format, and you will also need the private\nkey which must be a key file in DER or PEM format, or if osslsigncode was\ncompiled against OpenSSL 1.0.0 or later, in PVK format.\n\nTo sign a PE or MSI file you can now do:\n```\n  osslsigncode sign -certs \u003ccert-file\u003e -key \u003cder-key-file\u003e \\\n    -n \"Your Application\" -i http://www.yourwebsite.com/ \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\nor if you are using a PEM or PVK key file with a password together\nwith a PEM certificate:\n```\n  osslsigncode sign -certs \u003ccert-file\u003e \\\n    -key \u003ckey-file\u003e -pass \u003ckey-password\u003e \\\n    -n \"Your Application\" -i http://www.yourwebsite.com/ \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\nor if you want to add a timestamp as 
well:\n```\n  osslsigncode sign -certs \u003ccert-file\u003e -key \u003ckey-file\u003e \\\n    -n \"Your Application\" -i http://www.yourwebsite.com/ \\\n    -t http://timestamp.digicert.com \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\nYou can use a certificate and key stored in a PKCS#12 container:\n```\n  osslsigncode sign -pkcs12 \u003cpkcs12-file\u003e -pass \u003cpkcs12-password\u003e \\\n    -n \"Your Application\" -i http://www.yourwebsite.com/ \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\nTo sign a CAB file containing Java class files:\n```\n  osslsigncode sign -certs \u003ccert-file\u003e -key \u003ckey-file\u003e \\\n    -n \"Your Application\" -i http://www.yourwebsite.com/ \\\n    -jp low \\\n    -in yourapp.cab -out yourapp-signed.cab\n```\nOnly the 'low' parameter is currently supported.\n\n### Using the PKCS#11 Engine with osslsigncode\nIf you want to use a PKCS#11 token, specify the PKCS#11 engine and module.\nExample usage with SoftHSM:\n```\n  osslsigncode sign \\\n    -engine /usr/lib64/engines-1.1/pkcs11.so \\\n    -pkcs11module /usr/lib64/pkcs11/libsofthsm2.so \\\n    -pkcs11cert 'pkcs11:token=softhsm-token;object=cert' \\\n    -key 'pkcs11:token=softhsm-token;object=key' \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\n\n### Using the PKCS#11 Provider with osslsigncode (OpenSSL 3.x only)\nOpenSSL 3.0 introduced a new provider-based architecture. To use a PKCS#11 token\n with `osslsigncode`, specify the PKCS#11 provider and module.\nExample usage with OpenSC:\n```\n  osslsigncode sign \\\n    -provider /usr/lib64/ossl-modules/pkcs11prov.so \\\n    -pkcs11module /usr/lib64/opensc-pkcs11.so \\\n    -pkcs11cert 'pkcs11:token=my-token;object=cert' \\\n    -key 'pkcs11:token=my-token;object=key' \\\n    -in yourapp.exe -out yourapp-signed.exe\n```\n\n### Using the CNG Engine with osslsigncode (Windows only)\nThe CNG engine allows using certificates and keys stored in the Windows\nCertificate Store. 
It requires CNG engine version 1.1 or later. For more\ninformation, refer to\n\n  https://www.stunnel.org/cng-engine.html\n\nA non-commercial edition of CNG engine is available for testing, personal,\neducational, or research purposes.\n\nTo ensure `osslsigncode` can locate and load the CNG engine module (`cng.dll`)\neven when it is not installed in the default system engine directory, you can:\n\n- Specify the full or relative path to `cng.dll`:\n```\n  osslsigncode sign -engine C:\\my\\engines\\cng.dll ...\n```\n- Or set the `OPENSSL_ENGINES` environment variable to the directory containing\n`cng.dll`, and refer to the engine by its ID:\n```\n  set OPENSSL_ENGINES=C:\\my\\engines\n  osslsigncode sign -engine cng ...\n```\n\nBelow is an example of how to use `osslsigncode` with the CNG engine on Windows:\n```\n  set OPENSSL_ENGINES=C:\\my\\engines\n  osslsigncode sign ^\n    -engine cng ^\n    -pkcs11cert osslsigncode_cert ^\n    -key osslsigncode_cert ^\n    -engineCtrl store_flags:0 ^\n    -engineCtrl store_name:MY ^\n    -engineCtrl PIN:yourpass ^\n    -in yourapp.exe -out yourapp-signed.exe\n```\n\nYou can check that the signed file is correct by right-clicking\non it in Windows and choosing Properties --\u003e Digital Signatures,\nthen choosing the signature from the list and clicking on\nDetails. You should then be presented with a dialog that says\namongst other things that \"This digital signature is OK\".\n\n## UNAUTHENTICATED BLOBS\n\nThe \"-addUnauthenticatedBlob\" parameter adds a 1024-byte unauthenticated blob\nof data to the signature in the same area as the timestamp.  This can be used\nwhile signing, while timestamping, after a file has been code signed, or by\nitself.  This technique (but not this project) is used by Dropbox, GoToMeeting,\nand Summit Route.\n\n### Example 1. 
Sign and add blob to unsigned file\n\n```shell\nosslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n \"Your Company\" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi\n```\n\n### Example 2. Timestamp and add blob to signed file\n\n```shell\nosslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.digicert.com -in your_signed_file.exe -out out.exe\n```\n\n### Example 3. Add blob to signed and time-stamped file\n\n```shell\nosslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe\n```\n\n### WARNING\n\nThis feature allows for doing dumb things.  Be very careful with what you put\nin the unauthenticated blob, as an attacker could modify this.  Do NOT, under\nany circumstances, put a URL here that you will use to download an additional\nfile.  If you do that, you would need to check the newly downloaded file is\ncode signed AND that it has been signed with your cert AND that it is the\nversion you expect.\n\n## BUGS, QUESTIONS etc.\n\nCheck whether your question or suspected bug was already\ndiscussed on https://github.com/mtrojnar/osslsigncode/issues.\nOtherwise, open a new issue.\n\nBUT, if you have questions related to generating spc files,\nconverting between different formats and so on, *please*\nspend a few minutes searching on google for your particular\nproblem since many people probably already have had your\nproblem and solved it as well.\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtrojnar%2Fosslsigncode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmtrojnar%2Fosslsigncode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmtrojnar%2Fosslsigncode/lists"}