commit 87de7243b91c9a9d452ad02f202b53402d7a3a31 Author: Georg Koppen gk@torproject.org Date: Mon Apr 4 14:10:26 2016 +0000
Bug 15538: Document authenticode signing
Thanks to a cypherpunk who suggested looking for missing intermediate certificates. And thanks to a second cypherpunk (who might be the same as the first one) for preparing a patch. --- processes/AuthenticodeSigning | 110 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+)
diff --git a/processes/AuthenticodeSigning b/processes/AuthenticodeSigning new file mode 100644 index 0000000..453fb55 --- /dev/null +++ b/processes/AuthenticodeSigning @@ -0,0 +1,110 @@ +Signing Tor Browser bundles for Windows on a Linux machine +========================================================== + +These instructions are for our current token donated to us by Digicert. It is an +Aladdin eToken pro 72k. + +Software needed: +---------------- + +1) osslsigncode + + - any stable version > 1.7.1 will do; using the Git mirror at + http://git.code.sf.net/p/osslsigncode/osslsigncode/ commit + e72a1937d1a13e87074e4584f012f13e03fc1d64 is working fine + +2) SafeNetAuthenticationClient (eToken middleware) + + - version 9.0.43 (for Ubuntu 12.04+ and Debian Wheezy+); the SHA-256 sum of + SafeNetAuthenticationClient-SAC_9_0_43_Linux.zip is + 50545F3FF8BC561634363E683500DCF817CB9A8B379177886F043D14C774A36E or the one + of the ISO file included in the archive: + 31577e4590ea8c5dc0787fe1501d052dd7b4c0d7a4c4cfa25f6885f50415ee6c + - the core part is enough to get the signing going + +Installation +------------ + +1) Requirements + +- for the middleware: sudo apt-get install libccid pcscd openssl libpcsclite1 +- for the cert extraction/signing: sudo apt-get install opensc \ + libengine-pkcs11-openssl + +2) SafeNetAuthenticationClient + +- sudo dpkg -i SafenetAuthenticationClient-core-9.0.43-0_amd64.deb + +Signing and timestamping +------------------------ + +1) Getting the certificate + +- pkcs11-tool --module /usr/lib/libeTPkcs11.so --type cert --read-object \ + --id c27eac1b263465cdd73630d94b0b92e674f01501 > tpo_cert.der +- convert it to PEM: openssl x509 -in tpo_cert.der -inform der -outform pem \ + -out tpo_cert.crt + +2) Getting the intermediate certificate + +- torsocks wget https://www.digicert.com/CACerts/DigiCertEVCodeSigningCA-SHA2.crt +- convert it to PEM: openssl x509 -in DigiCertEVCodeSigningCA-SHA2.crt \ + -inform der -outform pem -out middle_cert.crt +- append it to tpo_cert.crt: cat middle_cert.crt >> tpo_cert.crt + +3) Signing the exectuable(s): + +- path/to/osslsigncode -pkcs11engine /usr/lib/engines/engine_pkcs11.so \ + -pkcs11module /usr/lib/libeTPkcs11.so \ + -certs tpo_cert.crt \ + -key c27eac1b263465cdd73630d94b0b92e674f01501 \ + torbrowser-install-XXX.exe tb-XXX-signed.exe + +- pass the passphrase to osslsigncode in case you want to script the whole +process by using `-pass $pass` as an additional commandline parameter + +4) Timestamping the executable(s): + +- path/to/osslsigncode add -t http://timestamp.digicert.com \ + -p socks://127.0.0.1:9050 \ + torbrowser-install-XXX.exe tb-XXX-timestamped.exe + +Note: the current tip of osslsigncode's master branch does not allow the +decoupling of signing and timestamping. In order to do so one needs to apply +the following patch: + +From 28b384e77fa0d4dd38751a0c72ab5976d2e38f75 Mon Sep 17 00:00:00 2001 +From: Georg Koppen gk@torproject.org +Date: Fri, 5 Feb 2016 09:23:10 +0000 +Subject: [PATCH] Allow timestamping with the 'add' command + + +diff --git a/osslsigncode.c b/osslsigncode.c +index 32e37c8..2978c02 100644 +--- a/osslsigncode.c ++++ b/osslsigncode.c +@@ -2556,16 +2556,16 @@ int main(int argc, char **argv) + if (--argc < 1) usage(argv0); + url = *(++argv); + #ifdef ENABLE_CURL +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-t")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-t")) { + if (--argc < 1) usage(argv0); + turl[nturl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-ts")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-ts")) { + if (--argc < 1) usage(argv0); + tsurl[ntsurl++] = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-p")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-p")) { + if (--argc < 1) usage(argv0); + proxy = *(++argv); +- } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-noverifypeer")) { ++ } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-noverifypeer")) { + noverifypeer = 1; + #endif + } else if ((cmd == CMD_SIGN || cmd == CMD_ADD) && !strcmp(*argv, "-addUnauthenticatedBlob")) { +-- +2.7.0 + +