[tor-bugs] #15538 [Tor bundles/installation]: begin signing Windows packages the Linux way

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 1 13:18:39 UTC 2015


#15538: begin signing Windows packages the Linux way
------------------------------------------+-----------------
     Reporter:  gk                        |      Owner:  gk
         Type:  enhancement               |     Status:  new
     Priority:  normal                    |  Milestone:
    Component:  Tor bundles/installation  |    Version:
   Resolution:                            |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |
------------------------------------------+-----------------

Comment (by gk):

 Useful information from #3861:
 {{{
  As an update on this: we have an Aladdin eToken PRO 72K with a Digicert
 certificate we plan to use for this. The first problem is we need binary
 blobs to get the eToken going, something that is called
 SafeNet Authentication Client. I plan to only use the minimal amount of
 binary files we actually need and try to get some sha256 sums from some
 official people. I looked into using OpenSC but our token is not
 supported:
 https://github.com/OpenSC/OpenSC/wiki/Frequently-Asked-Questions#q-can-i-use-aladdin-etoken-with-opensc

 The second problem is which software should we actually use for signing.
 osslsigncode, which would have been my favorite one, cannot handle that
 token yet: http://sourceforge.net/p/osslsigncode/feature-requests/7/. I
 am not done with evaluating alternatives yet.
 }}}
 and
 {{{


 I have not found a suitable tool, nor did the DigiCert people (I asked
 them). Thus, we need some custom code. I guess using osslsigncode is the
 right decision, which gives us two options: 1) We let some PKCS#11 tool do
 the signing, passing it a proper blob and getting that one signed back, or
 2) We add the necessary PKCS#11 functionality to osslsigncode itself. I
 think I will start with 1), which brings me back to looking for a proper tool.
 pkcs11-tool does not work with our token for some reason. The version in
 Ubuntu 12.04 breaks with:

 Using signature algorithm RSA-PKCS-PSS
 error: PKCS11 function C_SignInit failed: rv = CKR_MECHANISM_PARAM_INVALID
 (0x71)

 and the one built from opensc master breaks with:

 Using signature algorithm DES3-MAC
 error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT
 (0x63)
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15538#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
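
As an added illustration of option 1) in the comment above (not code from the ticket, osslsigncode or OpenSC): a sketch of what the "proper blob" looks like if the token is driven with the plain PKCS#1 v1.5 mechanism (CKM_RSA_PKCS), where the host supplies the DigestInfo and the token only pads and applies the private key. The choice of mechanism, SHA-256, and the constructed software key standing in for the eToken are assumptions.

```python
import hashlib

# DER header of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def digest_info(data: bytes) -> bytes:
    """Blob the host hands to the token: DigestInfo(SHA-256(data))."""
    return SHA256_PREFIX + hashlib.sha256(data).digest()

def pad_type1(blob: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block of k bytes: 00 01 FF..FF 00 || blob."""
    if len(blob) > k - 11:
        raise ValueError("blob too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - len(blob) - 3) + b"\x00" + blob

def token_sign(blob: bytes, n: int, d: int) -> bytes:
    """Stand-in for the token under CKM_RSA_PKCS: pad and apply the private
    key. It neither hashes the input nor adds the DigestInfo header."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pad_type1(blob, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Verifier side: recover the padded block, compare with the expected one."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == pad_type1(digest_info(data), k)

# Constructed demo key from two well-known primes (illustration only, this is
# not a usable signing key and has nothing to do with the real certificate).
P, Q, E = 2**521 - 1, 2**255 - 19, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    data = b"constructed sample input"
    good = token_sign(digest_info(data), N, D)
    bare = token_sign(hashlib.sha256(data).digest(), N, D)  # header missing
    print("DigestInfo blob verifies:", verify(data, good, N, E))
    print("bare hash verifies:      ", verify(data, bare, N, E))
```

The second call shows why the blob format matters: a bare hash is signed by the token without complaint, but the result does not verify as a PKCS#1 v1.5 signature.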

