Code-Signing Windows EXE with Sectigo Hardware Token (SafeNet Authentication Client) on Ubuntu 22.04 Using PKCS11 Tools and osslsigncode


I am able to sign my Windows EXEs on Windows using SAC and signtool.exe. But this requires a Windows machine which I don't have readily available access to. I primarily work on Linux and the Sectigo support folks tell me this process is feasible on Linux but I'm running into issues.

I can run the SAC and see the certificate, etc. I have successfully inspected the certificate using pkcs11-tool:

pkcs11-tool --module /usr/lib/pkcs11/libeToken.so --login --list-objects

I have found several references to osslsigncode but yet they all use the certificate and key in the command line.

What tools and/or commands do I use to actually sign the Windows EXE on Ubuntu when the OV certificate bundle and private key are on a hardware token from Sectigo?

2

There are 2 answers

0
nicorellius On BEST ANSWER

I ended up testing various methods using a variety of tools: pkcs11-tool, p11tool, p11-kit. The steps are as follows:

Run p11tool --provider=/usr/lib/libeTPkcs11.so --list-all. This should list the actual URIs for the tokens. Other tools only gave URIs for other certificates but not my hardware token.

Next, I had to wrangle with which pkcs11engine to use. I tried several mentioned in these posts and elsewhere but got errors. I finally found pkcs11.so for one of my snaps:

/snap/core22/858/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so

Then I had to construct the command line. I started out using only the URI as the key, which didn't work. So I found the certificate ID, pkcs11cert, with this command:

pkcs11-tool --module /usr/lib/pkcs11/libeToken.so --login --list-objects --id 01

The ID was showing up via other command output, but in a form with colons so I wasn't sure how to use it (e.g., ID: xx:xx:xx:xx:xx:xx:xx:xx).

I finally landed on this command line:

osslsigncode sign -askpass -verbose -h sha256 \
-pkcs11engine /snap/core22/858/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
-pkcs11module /lib/libeToken.so \
-t http://timestamp.sectigo.com \
-pkcs11cert xxxx \
-key "pkcs11:model=xxxx;manufacturer=xxxx;serial=xxxx;token=xxxx;object=xxxx;type=cert" \
-in /path/to/executable_UNSIGNED.exe \
-out /path/to/executable_LINUX_SIGNED.exe

I'm a bit wary of using that snap pkcs11engine but it is working. I'll continue to refine this process, but for now I'm satisfied with the progress.
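Added helper script, not part of either answer: it turns the colon-separated object ID from the listing tools into the plain hex form, picks the certificate URI out of a p11tool-style listing, and assembles the osslsigncode command from the accepted answer so it can be reviewed before running it against the token. The listing layout it parses (a "URL:" line per object) is an assumption modelled on p11tool output, and the engine/module paths are whatever you pass in.

```shell
#!/bin/sh
# Helper functions for signing with a PKCS#11 token via osslsigncode.
# Added example; assumes p11tool-style "URL: pkcs11:..." lines as input.

# Strip the colons from an object ID as printed by the listing tools
# ("AB:CD:01" -> "abcd01"), giving the hex form pkcs11-tool --id accepts
# and which the accepted answer passes to -pkcs11cert.
id_from_colons() {
    printf '%s\n' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Read a p11tool --list-all style dump on stdin and print the URI of the
# first object whose URL carries type=cert (the signing certificate).
# Exits non-zero when no certificate object is listed.
cert_uri_from_listing() {
    awk '/^[[:space:]]*URL: pkcs11:/ && /type=cert/ {
             sub(/^[[:space:]]*URL: /, ""); print; found = 1; exit
         }
         END { if (found) exit 0; exit 1 }'
}

# Assemble (but do not run) the osslsigncode invocation from the accepted
# answer, so the engine, module, cert ID and URI can be checked first.
# $1 engine .so, $2 PKCS#11 module .so, $3 cert ID (plain hex),
# $4 pkcs11: URI of the certificate, $5 unsigned input, $6 signed output
build_sign_cmd() {
    printf 'osslsigncode sign -askpass -verbose -h sha256 -pkcs11engine %s -pkcs11module %s -t http://timestamp.sectigo.com -pkcs11cert %s -key "%s" -in %s -out %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Typical use with the token plugged in (paths from the accepted answer):
#   uri=$(p11tool --provider=/usr/lib/libeTPkcs11.so --list-all | cert_uri_from_listing)
#   build_sign_cmd /snap/core22/858/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
#       /usr/lib/pkcs11/libeToken.so "$(id_from_colons 'xx:xx:xx')" "$uri" \
#       app_UNSIGNED.exe app_SIGNED.exe
# Run the printed command once it looks right, then check the result with
#   osslsigncode verify app_SIGNED.exe
```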

3
Emmanuel Bourg On

What tools and/or commands do I use to actually sign the Windows EXE on Ubuntu when the OV certificate bundle and private key are on a hardware token from Sectigo?

You can also use Jsign, the syntax looks like this:

jsign --storetype ETOKEN --storepass <PIN> -t http://timestamp.sectigo.com application.exe

It figures out the location of the SAC PKCS#11 module, and if there is only one key on the token it's selected automatically.

(disclaimer: I'm the author of this project)