"-nest" for "add"
westyles opened this issue · 10 comments
Hello.
There is no way to sign a built-in TSA timestamp on the second signature with a separate operation.
For example, add the "-nest" parameter for "add".
Something like what I mean:
del /f /q vfd_*.sys
osslsigncode sign -in vfd.sys -out vfd_2.sys -h sha1 -time 1420059600 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -in vfd_2.sys -out vfd_3.sys -h sha1 -TSA-time 1420059600 -TSA-certs My-TSA1.crt -TSA-key My-TSA.key
osslsigncode sign -nest -in vfd_3.sys -out vfd_4.sys -h sha256 -time 1420059601 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -nest -in vfd_4.sys -out vfd_5.sys -h sha256 -TSA-time 1420059601 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
Or you can add a parameter to specify the certificate index number, as is done with signtool.exe.
For example: -n 2
If it is not difficult, or if it is more convenient to do it this way.
It is possible to make both options work at once, to be used according to the situation.
Either the program itself determines the index, or it uses the specified one.
2 indexes work, thanks.
If you add a third index, it breaks the second index:
osslsigncode sign -nest
The first and third work, but the second is broken.
This was detected during testing, but overall the result is good.
Both tests pass with two signatures:
signtool verify /v /pa
signtool verify /v /kp
I tested several signatures on the same certificates.
Please elaborate on what you mean by including the full verification result.
del /f /q vfd_*.sys
:: Index: 0 (Good):
osslsigncode sign -in vfd.sys -out vfd_2.sys -h sha1 -time 1420059600 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -in vfd_2.sys -out vfd_3.sys -h sha1 -TSA-time 1420059600 -TSA-certs My-TSA1.crt -TSA-key My-TSA.key
:: Index: 1 (Good):
osslsigncode sign -nest -in vfd_3.sys -out vfd_4.sys -h sha256 -time 1420059601 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_4.sys -out vfd_5.sys -h sha256 -TSA-time 1420059601 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
:: Index: 2 (remove/replace index: 1 timestamp):
osslsigncode sign -nest -in vfd_5.sys -out vfd_6.sys -h sha256 -time 1420059602 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
More precisely, it (Index: 2) seems to remove the timestamp from the Index: 1 signature.
I replicated this test:
osslsigncode sign -in unsigned.exe -out signed.exe -h sha1 -time 1556668800 -cert cert.pem -key key.pem
osslsigncode add -in signed.exe -out signed1.exe -h sha1 -TSA-time 1556668800 -TSA-certs TSA.pem -TSA-key TSA.key
osslsigncode sign -nest -in signed1.exe -out nested.exe -h sha256 -time 1556668801 -certs cert.pem -key key.pem
osslsigncode add -index 1 -in nested.exe -out nested1.exe -h sha256 -TSA-time 1556668801 -TSA-certs TSA.pem -TSA-key TSA.key
osslsigncode sign -nest -in nested1.exe -out nested2.exe -h sha384 -time 1556668802 -certs cert.pem -key key.pem
- signtool verification:
Signature Index: 0 (Primary Signature): sha1, timestamped: Wed May 01 01:00:00 2019
Signature Index: 1: sha384, not timestamped
Signature Index: 2: sha256, timestamped: Wed May 01 01:00:01 2019
signtool verify /pa /all /v nested2.exe
Verifying: nested2.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
The signature is timestamped: Wed May 01 01:00:00 2019
Timestamp Verified by:
Issued to: TSA Root CA
Issued by: TSA Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: DEBD6225D592A1539E6867EDDF44C22E653D07CF
Issued to: Test TSA
Issued by: TSA Root CA
Expires: Sat Jan 01 01:00:00 2028
SHA1 hash: 2FB7A7E4667666BDE2B3CB570FF1984FC9DCE582
Signature Index: 1
Hash of file (sha384): 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
File is not timestamped.
Signature Index: 2
Hash of file (sha256): 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Signing Certificate Chain:
Issued to: Root CA
Issued by: Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: F9D7EF2721C71D88E05B7140F8D350D79350FDFA
Issued to: Intermediate CA
Issued by: Root CA
Expires: Thu Jan 01 01:00:00 2026
SHA1 hash: 0DF29EDEBB924E11D29364B1BEF85948DBE8DEB5
Issued to: Certificate
Issued by: Intermediate CA
Expires: Tue Dec 31 01:00:00 2024
SHA1 hash: 96698FFC4F2A600B7D72B4D17E882E40DD47A9F2
The signature is timestamped: Wed May 01 01:00:01 2019
Timestamp Verified by:
Issued to: TSA Root CA
Issued by: TSA Root CA
Expires: Tue Nov 10 01:00:00 2026
SHA1 hash: DEBD6225D592A1539E6867EDDF44C22E653D07CF
Issued to: Test TSA
Issued by: TSA Root CA
Expires: Sat Jan 01 01:00:00 2028
SHA1 hash: 2FB7A7E4667666BDE2B3CB570FF1984FC9DCE582
Successfully verified: nested2.exe
Number of signatures successfully Verified: 3
Number of warnings: 0
Number of errors: 0
- osslsigncode verification:
Signature Index: 0 (Primary Signature): SHA1, Signing time: May 1 00:00:00 2019 GMT, Timestamp time: May 1 00:00:00 2019 GMT
Signature Index: 1: SHA384, Sequence number: 2, Signing time: May 1 00:00:02 2019 GMT, Timestamp is not available
Signature Index: 2: SHA256, Sequence number: 1, Signing time: May 1 00:00:01 2019 GMT, Timestamp time: May 1 00:00:01 2019 GMT
osslsigncode verify -in nested2.exe -CAfile CACert.pem -TSA-CAfile TSACA.pem
PE checksum : 0001BE6C
Signature Index: 0 (Primary Signature)
Message digest algorithm : SHA1
Current message digest : 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Calculated message digest : 802FC5BA67A9B06DEC18A0D5A380A8A5954B5EF0
Signer's certificate:
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA1
Authenticated attributes:
Signing time: May 1 00:00:00 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: E14161E0290DCC17B55D9F43CE188FB830AE3F3E
Countersignatures:
Timestamp time: May 1 00:00:00 2019 GMT
Signing time: Jan 25 09:22:28 2024 GMT
Hash Algorithm: sha1
Issuer: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial: 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Timestamp verified by:
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 7F675FF6501C92E071B004FB524B494E91FC1F71
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority/CN=Test TSA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2028 GMT
TSA's CRL distribution point: http://127.0.0.1:19254/TSACA
Connecting to http://127.0.0.1:19254/TSACA
CURL failure: Couldn't connect to server http://127.0.0.1:19254/TSACA
Warning: Faild to get CRL from http://127.0.0.1:19254/TSACA
Use the "-TSA-CRLfile" option to add one or more Time-Stamp Authority CRLs in PEM format.
Timestamp serial number: CBE7DF70A7DBD3AC
Timestamp Server Signature verification: ok
Signature verification time: May 1 00:00:00 2019 GMT
Signing Certificate Chain:
------------------
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Signature Index: 1
Message digest algorithm : SHA384
Current message digest : 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Calculated message digest : 810AA940BD63EEFDB2E11720F9422BEF4E45C7444154D59C6571FB31BCBE9FD2C497091A28B69935A7B693F97FA7A179
Signer's certificate:
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA384
Authenticated attributes:
Sequence number: 2
Signing time: May 1 00:00:02 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: 7D5318A1023C1BE56BCFB84F491638DF3C4CFA098DFAF4B4F4F6EF7FFE0C397034C4B6680D7211ED1808E61BF6CB07F2
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Timestamp is not available
Signing Certificate Chain:
------------------
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Signature Index: 2
Message digest algorithm : SHA256
Current message digest : 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Calculated message digest : 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
Signer's certificate:
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Message digest algorithm: SHA256
Authenticated attributes:
Sequence number: 1
Signing time: May 1 00:00:01 2019 GMT
Microsoft Individual Code Signing purpose
Message digest: ED2CF03C79C03BCB691002A2E8314493D97302AC6C90D8A472CB1D24B5AB364B
Countersignatures:
Timestamp time: May 1 00:00:01 2019 GMT
Signing time: Jan 25 09:22:57 2024 GMT
Hash Algorithm: sha256
Issuer: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial: 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
CAfile: CACert.pem
TSA's certificates file: TSACA.pem
Timestamp verified by:
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 7F675FF6501C92E071B004FB524B494E91FC1F71
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/O=osslsigncode/OU=Timestamp Authority/CN=Test TSA
Issuer : /C=PL/O=osslsigncode/OU=Timestamp Authority Root CA/CN=TSA Root CA
Serial : 0711AB5969FE824D8ED27C5478E42FA5CBB41D44
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2028 GMT
TSA's CRL distribution point: http://127.0.0.1:19254/TSACA
Connecting to http://127.0.0.1:19254/TSACA
CURL failure: Couldn't connect to server http://127.0.0.1:19254/TSACA
Warning: Faild to get CRL from http://127.0.0.1:19254/TSACA
Use the "-TSA-CRLfile" option to add one or more Time-Stamp Authority CRLs in PEM format.
Timestamp serial number: 9CA07C9BE77D154E
Timestamp Server Signature verification: ok
Signature verification time: May 1 00:00:01 2019 GMT
Signing Certificate Chain:
------------------
Signer #2:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 7EE1151CD03FD552C3248F6684036B0677488FAB
Certificate expiration date:
notBefore : Jan 1 00:00:00 2017 GMT
notAfter : Nov 10 00:00:00 2026 GMT
------------------
Signer #1:
Subject: /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Root CA
Serial : 5E17036DBFF7BCFA56A050A67AC2B0D1D6B36F32
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Jan 1 00:00:00 2026 GMT
------------------
Signer #0:
Subject: /C=PL/ST=Mazovia Province/L=Warsaw/O=osslsigncode/OU=CSP/CN=Certificate/emailAddress=osslsigncode@example.com
Issuer : /C=PL/O=osslsigncode/OU=Certification Authority/CN=Intermediate CA
Serial : 2D6C27FE02DC3CC00EFFBA06AB1E40DF4EA6C5C9
Certificate expiration date:
notBefore : Jan 1 00:00:00 2018 GMT
notAfter : Dec 31 00:00:00 2024 GMT
Signature verification: ok
Number of verified signatures: 3
Succeeded
Everything works as expected.
I understood that after adding 3 signatures ("2 index" as sha384), the program swaps indexes 1 and 2:
0 > 0,1 > 0,2,1
So if you specify -index 1 again for the timestamp after "2 index", the timestamp will be set to the new "1 index", which should be the "2 index".
And all three indexes will work! (add -index 1 two times):
del /f /q vfd_*.sys
:: Index: 0 (Good):
osslsigncode sign -in vfd.sys -out vfd_2.sys -h sha1 -time 1420059600 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -in vfd_2.sys -out vfd_3.sys -h sha1 -TSA-time 1420059600 -TSA-certs My-TSA1.crt -TSA-key My-TSA.key
:: Index: 1 (Good):
osslsigncode sign -nest -in vfd_3.sys -out vfd_4.sys -h sha256 -time 1420059601 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_4.sys -out vfd_5.sys -h sha256 -TSA-time 1420059601 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
:: Index: 2 (this -nest adds to Index: 1; swaps index: 1 to index: 2):
osslsigncode sign -nest -in vfd_5.sys -out vfd_6.sys -h sha384 -time 1420059602 -spc My_Client+Int.crt -key My_.key -ac My_Cross.crt -nolegacy
osslsigncode add -index 1 -in vfd_6.sys -out vfd_7.sys -h sha384 -TSA-time 1420059602 -TSA-certs My-TSA2.crt -TSA-key My-TSA.key
That is, the problem is sorting the indexes when -nest is added a second time.
Unfortunately, the problem is caused by signtool in your case. It does not preserve the order of displayed signatures from the signed file. Consequently, there is no guarantee about the index of the newly added signature. We try to mimic this behavior in osslsigncode. Please let us know if you find osslsigncode displaying signatures in an order different from signtool.
I haven't used signtool just now; I saw it in the parameters of the file after the osslsigncode commands above. I added sha384 with the third action.
https://i.imgur.com/Uy9XbFY.png
I'll try to do 3 signatures via signtool, probably tomorrow. It's easy to get confused and misinterpret what you see. But in theory the signatures should be added in order, 0 > 0,1 > 0,1,2 etc.
I checked signtool; an example of how I tried it:
signtool sign /debug /fd SHA1 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /t "http://......" "vfd2.sys"
signtool sign /as /debug /fd SHA256 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
signtool sign /as /debug /fd SHA384 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
signtool sign /as /debug /fd SHA512 /v /f my.pfx /P **** "vfd2.sys"
signtool timestamp /tp 1 /tr "http://......" /td SHA256 "vfd2.sys"
Result: https://i.imgur.com/exwfO6g.png
Right, signtool has the same principle of adding signatures: 0 > 0,1 > 0,2,1 > 0,3,2,1
It's not logical, but it's true.
This method has a nice advantage: you don't have to figure out which index to put the timestamp in, and the command is always the same when adding a new signature and timestamp.
So you have done everything correctly by repeating the actions of signtool. Well done :)
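The index behaviour worked out in the two comments above (0 > 0,1 > 0,2,1 > 0,3,2,1, and why a second "add -index 1" reaches the newly nested signature) as a small Python model. This is an added example, not code from osslsigncode or from anyone in this thread; the SignedFile and Signature classes and their method names are assumptions made for the illustration.

```python
# Added example, not part of osslsigncode or of this issue thread.
# It models the display order observed above: the primary signature stays
# at index 0 and each newly nested signature is shown at index 1, pushing
# older nested signatures down (0 > 0,1 > 0,2,1 > 0,3,2,1), so "add -index 1"
# always timestamps the most recently nested signature. Signature, SignedFile
# and the helper names below are constructed for this illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Signature:
    digest: str                      # file digest algorithm, e.g. "sha256"
    sequence: int                    # 0 = primary; nested ones get 1, 2, ...
    timestamp: Optional[str] = None  # TSA time, None = not timestamped


class SignedFile:
    def __init__(self, digest: str) -> None:
        self.primary = Signature(digest, 0)
        self.nested: List[Signature] = []  # kept in the order they were added

    def sign_nest(self, digest: str) -> None:
        """Model 'osslsigncode sign -nest': append a new nested signature."""
        self.nested.append(Signature(digest, len(self.nested) + 1))

    def display_order(self) -> List[Signature]:
        """Order the tools display: primary first, then newest nested first."""
        return [self.primary] + list(reversed(self.nested))

    def add_timestamp(self, index: int, when: str) -> None:
        """Model 'osslsigncode add -index N -TSA-...': timestamp display index N."""
        sigs = self.display_order()
        if not 0 <= index < len(sigs):
            raise IndexError(f"no signature at index {index}")
        sigs[index].timestamp = when

    def summary(self) -> List[Tuple[str, int, Optional[str]]]:
        """(digest, sequence number, timestamp) per signature, in display order."""
        return [(s.digest, s.sequence, s.timestamp) for s in self.display_order()]


def run_procedure(timestamp_third: bool) -> List[Tuple[str, int, Optional[str]]]:
    """Replay the thread's sign/add sequence. timestamp_third adds the final
    'add -index 1' the thread found necessary after the third signature."""
    f = SignedFile("sha1")
    f.add_timestamp(0, "t0")      # timestamp the primary signature
    f.sign_nest("sha256")
    f.add_timestamp(1, "t1")      # newest nested signature sits at index 1
    f.sign_nest("sha384")         # sha384 now at index 1, sha256 moves to index 2
    if timestamp_third:
        f.add_timestamp(1, "t2")  # -index 1 again targets the sha384 signature
    return f.summary()
```

With timestamp_third=False the summary reproduces the verification output above (index 1 = sha384, sequence 2, no timestamp; index 2 = sha256, sequence 1, timestamped); with True all three signatures carry a timestamp.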
Then everything's fine. I didn't know about this peculiarity of multiple signatures.
I usually check everything several times to confirm. I apologize for interrupting.
If I see anything, I'll create an issue.
I'm glad you like it. Thank you for testing.