Reputation: 59
Is there an open source alternative to signtool from Microsoft to sign exes with sha2?
We need to sign Windows software with sha2 algorithm but installing signtool seems to be a problem, since I am having difficulties to install the software on my machines.
Moreover, I would like to sign the exes on linux.
We used to perform the task with signcode but it only supports sha1 and md5. Since 01.01.2016, sha1 and md5 are not accepted anymore.
Therefore I would like to know what are the alternatives to perform the task.
Update: I did get a signtool extracted from another computer and it did sign the files also with a timestamp:
signtool.exe sign /fd SHA256 /a /f file.pfx /p my password /t http://timestamp.verisign.com/scripts/timstamp.dll filetosign.exe
and it did appear as signed with SHA256 and it has a timestamp but InternetExplorer is still making problems.
IMHO there is still a need for this question, to know whether there is an alternative, and whether this alternative would work under Linux, because an alternative tool which would do the work would mean, that the solution is not working because of signtool, as opposed as to a certificate problem or an IE problem.
Upvotes: 4
Views: 5751
Answers (2)
Reputation: 7636
https://github.com/mtrojnar/osslsigncode -- use -h sha2 parameter when signing
Upvotes: 2
Reputation: 7922
Another alternative is ebourg/jsign, which is written in Java.
It can be called directly from Java or provided as an ant task.
Since it's written in Java, this tool can be used on any platform which runs Java, including (but not limited to) Linux, Solaris and macOS.
Quoting the README.md
Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows, Microsoft Installers (MSI) and PowerShell scripts. Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
Jsign comes as an easy to use task/plugin for the main build systems (Maven, Gradle, Ant). It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, msitools, install4j, exe4j or launch4j. Jsign can also be used programmatically or standalone as a command line tool.
Jsign is free to use and licensed under the Apache License version 2.0.
Upvotes: 1
Related Questions
- Is there a way to speed up signtool? It is slow
- SignTool Error: The specified timestamp server either could not be reached or returned an invalid response
- signtool failing to dual sign SHA2 and SHA1 with timestamps
- How to setup signtool with SHA256 on Windows 7?
- How do you append SHA1 signature after the SHA256 signature?
- SignTool Verify equivalent for .application and .manifest files?