Sign executable using pfx certificate

likesistemas · Jan 17, 2021 · 5a2c144 · 5a2c144
commit 5a2c144
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+work/
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,18 @@
+FROM debian:10-slim as sign
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+    osslsigncode openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /work/
+
+ENV CERT_FILE=certificate.pfx
+ENV CERT_PASSWORD=123456
+ENV EXE_FILE=app.exe
+ENV EXE_SIGNED=app_signed.exe
+
+COPY sign.sh /usr/local/bin/sign
+RUN chmod +x /usr/local/bin/sign
+
+ENTRYPOINT [ "sign" ]
diff --git a/README.md b/README.md
@@ -0,0 +1,14 @@
+# Executable Sign
+
+Docker image to sign an executable using osslsigncode.
+
+```docker
+docker run -v ${PWD}/work/:/work/ likesistemas/exe-sign:latest
+```
+
+## Enviroment Variables
+
+CERT_FILE: Certificate file that should be in the / work / folder. Default: certificate.pfx
+CERT_PASSWORD: Certificate password. Default: 123456
+EXE_FILE: Executable to be signed. Default: app.exe
+EXE_SIGNED: Final signed file name. Default: app_signed.exe
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,11 @@
+version: "3"
+
+services:
+
+  sign-exe:
+    image: likesistemas/exe-sign:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
+    volumes:
+      - ./work/:/work/
diff --git a/sign.sh b/sign.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+if [ ! -f ${CERT_FILE} ]; then
+    echo "Certificate ${CERT_FILE} file not found"
+    exit
+fi
+
+if [ ! -f ${EXE_FILE} ]; then
+    echo "Executable '${EXE_FILE}' not found"
+    exit
+fi
+
+mkdir -p sign
+
+KEY_PEM=sign/key.pem
+CERT_PEM=sign/cert.pem
+RSA_KEY=sign/authenticode.key
+RSA_SPC=sign/authenticode.spc
+
+openssl pkcs12 \
+    -password pass:${CERT_PASSWORD} \
+    -in ${CERT_FILE} \
+    -nocerts -nodes \
+    -out ${KEY_PEM}
+
+openssl pkcs12 \
+    -password pass:${CERT_PASSWORD} \
+    -in ${CERT_FILE} \
+    -nokeys -nodes \
+    -out ${CERT_PEM}
+
+openssl rsa \
+    -in ${KEY_PEM} \
+    -outform DER \
+    -out ${RSA_KEY}
+
+openssl crl2pkcs7 -nocrl -certfile ${CERT_PEM} \
+    -outform DER \
+    -out ${RSA_SPC}
+
+osslsigncode -spc ${RSA_SPC} -key ${RSA_KEY} \
+    -in ${EXE_FILE} -out ${EXE_SIGNED}
+
+osslsigncode verify ${EXE_SIGNED}