[tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way

[Tor Bug Tracker & Wiki]

#3861: begin signing Windows packages the Windows way
-------------------------------------+-------------------------------------
     Reporter:  erinn                |      Owner:  erinn
         Type:  enhancement          |     Status:  new
     Priority:  normal               |  Milestone:
    Component:  Tor                  |    Version:
  bundles/installation               |   Keywords:  tbb-3.0, tbb-security,
   Resolution:                       |  tbb-usability-stoppoint-app,
Actual Points:                       |  tbb-4.5-alpha
       Points:                       |  Parent ID:
-------------------------------------+-------------------------------------

Comment (by gk):

 I have not found a suitable tool nor did the DigiCert people (I asked
 them). Thus, we need some custom code. I guess using `osslsigncode` is the
 right decision which gives us two options: 1) We let some PKCS#11 tool do
 the signing passing it a proper blob and getting that one signed back or
 2) We add the necessary PKCS#11 functionality to `osslsigncode` itself. I
 think I start with 1) which brings me back to looking for a proper tool.
 `pkcs11-tool` does not work with our token for some reason. The version in
 Ubuntu 12.04 breaks with:
 {{{
 Using signature algorithm RSA-PKCS-PSS
 error: PKCS11 function C_SignInit failed: rv = CKR_MECHANISM_PARAM_INVALID
 (0x71)
 }}}
 and the one built from opensc master breaks with:
 {{{
 Using signature algorithm DES3-MAC
 error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT
 (0x63)
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online