1

I need a non-windows (linux or FreeBSD) way of signing a boot executable(EFI binaries) in the Authenticode PE format.

Currently there are some tools like pbsign, sbsign, uefisign, osslsigncode on *nix platforms, but the common pattern is they all need access to the private key.

My private key is in a HSM and I have a python tool that can interface with the HSM and get the output of signing a hash, with the private key in the HSM (which from my research is a step that all the PE signing tools do, though with explicit access to the private key).

Currently the HSM folks have a Thales tool for windows which works with the official Microsoft signtool on windows. But this is a lot of setup and non-portable solution. Also we need to maintain Windows Server Licences, etc.

How do I combine these steps (create an Authenticode PE file, but outsource the signing part alone to my python program) into something that can run on a *nix platform?

The HSM and its interface are non-negotiable (basically that choice is out of my hands).

Any pointers/ideas would be nice.

Improve this question
1
  • You're probably out of luck. "Authenticode is a Microsoft-specific signing technology ..." so the first question an HSM vendor is going to ask is... why would we (as a vendor) supply tools for *nix, when this is something MS specific? Why not just use Windows?..." Commented Aug 3, 2022 at 17:13

1 Answer 1

Reset to default
1

You could try Jsign which is a pure Java implementation of Authenticode signing (disclaimer: I'm the author). It works fine on Linux, you'll just need a PKCS#11 module for your specific HSM. To use it you create a SunPKCS configuration file specifying the path to the PKCS#11 module, and then call Jsign:

jsign --storetype PKCS11 --keystore myhsm.cfg --storepass secret --alias keyname \ 
      --certfile certificate.p7b application.exe
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.