Write custom data into a Microsoft Authenticode signed executable or MSI file without breaking the signature. Also write custom verifiable data into Linux ELF files. It does so by using magic and unicorns.
It can be built on Linux or cross-built for Linux from Windows. The target platform is Linux. It can be compiled for Windows, but a small part of the code path has not been finished, so it will not work as is.
- On Linux:
  docker run --rm -e DOTNET_CLI_TELEMETRY_OPTOUT=true -v $PWD:/app --workdir /app mcr.microsoft.com/dotnet/sdk dotnet publish -c Release -r linux-x64
- On Windows for Linux (why tho? switch to Linux already):
  Get the dotnet sdk, then run:
  dotnet publish -c Release -r linux-x64
The executable will be stored under /app/signreader/bin/Release/net5.0/win-x64/publish/. It is a self-contained executable.
The Linux build relies on osslsigncode. The best way to get it is to:
- Clone the repo
- Get the build-time dependencies:
  apt-get install build-essential autoconf libtool libssl-dev python3-pkgconfig libcurl4-gnutls-dev
- Get optional support for signing MSIs:
  apt install libgsf-dev
- Then do the build dance:
  ./autogen.sh
  ./configure
  make
The Windows build uses signtool from the Windows 10 SDK.
Runtime dependencies for the Linux target:
- dotnet from https://docs.microsoft.com/en-us/dotnet/core/install/linux-debian
- osslsigncode runtime dependencies: libgsf-1-114 libcurl.so.4
- libgssapi-krb5-2 and libssl1.1
Note: libgssapi-krb5-2 and libssl1.1 come as part of apt-transport-https, which is required to install dotnet.
Usage:
- Windows:
  ./signwriter signedexec.exe <server> <reg key here> <some other data>
- Linux:
  ./signwriter somelinuxelf <server> <reg key here> <some other data>
Don't expect good error messages, it's not a user friendly tool.
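The Authenticode hash covers the PE image except the checksum field, the Certificate Table directory entry and the certificate table itself, which is why unsigned bytes can ride along in a signed file. The following is an added example, not signwriter's code (whether signwriter places its data exactly there is an assumption): a Python check that measures how many bytes of a PE's certificate table lie outside the PKCS#7 blob, the figure a defender would look at when triaging a signed binary. The sample PE image is constructed inside the block.

```python
import struct

def der_total_len(blob):
    """Total length (header + content) of the DER SEQUENCE starting blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if blob[1] < 0x80:                       # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def audit_cert_table(pe):
    """Return (table_size, pkcs7_len, slack) for a PE image held in bytes.

    slack = bytes in the certificate table that are not part of the PKCS#7
    DER; up to 7 bytes is normal 8-byte alignment padding, anything more is
    data the Authenticode hash never covered. Assumes one WIN_CERTIFICATE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ optional header
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: certificates
    if size == 0:
        return (0, 0, 0)                     # unsigned file
    length, _rev, ctype = struct.unpack_from("<IHH", pe, off)  # WIN_CERTIFICATE
    if ctype != 0x0002:                      # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % ctype)
    der = der_total_len(pe[off + 8:off + length])
    return (size, der, size - 8 - der)

def build_sample_pe(cert_der, extra=b""):
    """Constructed minimal PE32+ image whose certificate table holds one
    WIN_CERTIFICATE wrapping cert_der followed by `extra` trailing bytes."""
    payload = cert_der + extra
    entry = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    entry += b"\0" * (-len(entry) % 8)       # pad entry to an 8-byte boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    optional = struct.pack("<H", 0x20B) + b"\0" * 110           # PE32+, 112 bytes
    dirs = bytearray(16 * 8)
    header = dos + coff + optional
    struct.pack_into("<II", dirs, 4 * 8, len(header) + len(dirs), len(entry))
    return header + bytes(dirs) + entry

if __name__ == "__main__":
    sample = build_sample_pe(b"\x30\x14" + b"\x01" * 20, b"B" * 32)  # constructed
    print("table=%d pkcs7=%d slack=%d" % audit_cert_table(sample))
```

Run it against a real signed binary by passing `open(path, "rb").read()` to `audit_cert_table`; a slack far above 7 bytes means the file carries data the signature does not vouch for.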
- To build a docker container see this
- Could also use signcode from the mono-devel package: /usr/bin/mono /usr/lib/mono/4.5/signcode.exe "$@"