How to sign binaries?

OSX

Can you sign OSX binaries in Windows?

No. You cannot sign macOS binaries from Windows, just as you cannot sign Windows binaries from Linux or the reverse. Each operating system has its own set of tools and processes for code signing, and the digital signature formats they produce are not compatible with one another.

For example, Windows uses the Portable Executable (PE) format for executables and Microsoft Authenticode for code signing. macOS uses the Mach-O format for executables and the codesign tool for code signing. Linux uses the ELF format for executables, and signatures are commonly produced with the OpenSSL library as a detached signature file that travels alongside the binary (the approach used below).

Therefore, you need to sign each binary on the operating system where it will be used. If you ship code for several operating systems, you need a separate certificate for each and must sign the code on each operating system.

Using the codesign tool on OSX

Here are the steps to sign code binaries on macOS using the codesign tool:

  1. Install your code signing certificate on your macOS machine. You can import the certificate into the Keychain Access utility.

  2. Open the Terminal application on your macOS machine.

  3. Navigate to the directory where your binary file is located using the cd command.

  4. Enter the following command to sign your binary file:

     codesign --force -s "Developer ID Application: Your Company Name" your_binary_file_name

    Replace "Developer ID Application: Your Company Name" with the name of your code signing certificate as it appears in the Keychain Access utility, and replace "your_binary_file_name" with the name of your binary file.

  5. Enter your password when prompted.

  6. Verify the digital signature using the following command:

     codesign --verify --verbose=4 your_binary_file_name

    This command checks the signature against the binary's contents and reports whether it is valid. To display the details of the signature (signing identity, team identifier and code directory hashes) rather than validate it, use:

     codesign --display --verbose=4 your_binary_file_name

    The short form codesign -dvvv your_binary_file_name prints similar output at a slightly lower verbosity. Note that the display options only describe the signature; they do not check it.

    If the signature is valid, your binary file is now signed and can be distributed. If the signature is not valid, you may need to troubleshoot the issue or contact your certificate provider for assistance.

    Note that if your binary file contains additional files or resources (such as libraries or frameworks), you may need to sign those files as well using the codesign tool. You can also use the --deep option with the codesign command to recursively sign all files in your app bundle.

Linux

To sign code binaries on Linux, you can use the OpenSSL library. Here are the steps:

  1. Install the OpenSSL library on your Linux machine if it is not already installed. You can use the package manager for your Linux distribution to install it.

  2. Copy your code signing certificate and private key to your Linux machine.

  3. Open a Terminal window on your Linux machine.

  4. Navigate to the directory where your binary file is located using the cd command.

  5. Enter the following command to sign your binary file:

     openssl dgst -sha256 -sign "path_to_your_private_key" -out "your_binary_file_name.sig" "your_binary_file_name"

    Replace "path_to_your_private_key" with the path to your private key file, "your_binary_file_name.sig" with the name of the output signature file, and "your_binary_file_name" with the name of your binary file.

  6. Verify the digital signature using the following command:

     openssl dgst -sha256 -verify "path_to_your_public_key" -signature "your_binary_file_name.sig" "your_binary_file_name"

    Replace "path_to_your_public_key" with the path to your public key file (a PEM public key; openssl dgst -verify does not accept a certificate directly), "your_binary_file_name.sig" with the name of the signature file, and "your_binary_file_name" with the name of your binary file.

    This command prints Verified OK when the signature matches both the file and the key, or Verification Failure otherwise; it also exits with a non-zero status on failure, which scripts can check.

    If the signature is valid, your binary file is now signed and can be distributed. If the signature is not valid, you may need to troubleshoot the issue or contact your certificate provider for assistance.

    Note that if your binary file contains additional files or resources (such as shared libraries or configuration files), you may need to sign those files as well using the same process. You can also select a different message digest algorithm by replacing -sha256 in both commands with another digest option such as -sha512; the signer and the verifier must use the same digest.

Windows

Here are the steps to sign code binaries on Windows using the SignTool utility:

  1. Install your code signing certificate on your Windows machine. You can import the certificate into the Certificate Manager using the Microsoft Management Console (MMC).

  2. Open a Command Prompt window on your Windows machine.

  3. Navigate to the directory where your binary file is located using the cd command.

  4. Enter the following command to sign your binary file:

     signtool sign /a /t http://timestamp.digicert.com /f "path_to_your_pfx_file" your_binary_file_name

    Replace "timestamp.digicert.com" with the URL of your timestamp server (if you have one), "path_to_your_pfx_file" with the path to your code signing certificate in PFX format, and "your_binary_file_name" with the name of your binary file.

  5. Enter the password for your PFX file when prompted.

  6. Verify the digital signature using the following command:

     signtool verify /pa your_binary_file_name

    This command will display information about the digital signature and whether it is valid or not.

    If the signature is valid, your binary file is now signed and can be distributed. If the signature is not valid, you may need to troubleshoot the issue or contact your certificate provider for assistance.

    Note that if your binary file contains additional files or resources (such as DLLs or drivers), you may need to sign those files as well using the SignTool utility. You can also use the /d option with the signtool command to add a description of your signed file to the digital signature.

Using a .pfx certificate on Linux

To use a .pfx certificate for code signing on Linux, you will need to convert it to separate .key and .cert files using the openssl utility. Here are the steps to do so:

  1. Copy your .pfx certificate to your Linux machine.

  2. Open a Terminal window on your Linux machine.

  3. Navigate to the directory where your .pfx file is located using the cd command.

  4. Enter the following command to convert the .pfx file to a .key and .cert file:

     openssl pkcs12 -in "your_certificate.pfx" -nocerts -out "your_private_key.key"

    This command prompts for the password of the .pfx file, then for a new passphrase to protect the exported key, and creates a .key file containing the private key.

  5. Enter the following command to extract the certificate from the .pfx file and save it to a .cert file:

     openssl pkcs12 -in "your_certificate.pfx" -clcerts -nokeys -out "your_public_key.cert"

    This command prompts for the password of the .pfx file and then creates a .cert file containing the certificate, which carries the public key.

You now have separate .key and .cert files that you can use for code signing on Linux. Refer to the earlier instructions for signing binaries using OpenSSL, replacing "path_to_your_private_key" with the path to your .key file. For verification, note that openssl dgst -verify expects a PEM public key rather than a certificate, so extract the public key from your .cert file first and use that extracted file as "path_to_your_public_key".
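The following script is an added example, not part of the original how-to: it runs the Linux procedure and the .pfx conversion above end to end on a throwaway self-signed certificate, then shows the two failure cases a verifier must catch (a binary modified after signing, and a signature made with someone else's key). Everything in it is constructed for the demonstration: the password "demo", the file names, the sample "binary" (a text file standing in for your ELF executable) and the helper function names. The page's two pkcs12 commands are made non-interactive with -passin and -nodes, and the script extracts a bare PEM public key from the .cert with openssl x509 -pubkey before verifying, because openssl dgst -verify does not read certificates.

```shell
#!/bin/sh
# Added example: .pfx -> .key/.cert -> detached signature -> verification,
# on constructed material. Not the original page's commands verbatim.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed signing material: a self-signed certificate bundled into a
#    .pfx, standing in for the file your certificate provider would issue.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Code Signing" \
    -keyout "$WORK/issued.key" -out "$WORK/issued.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/issued.key" -in "$WORK/issued.crt" \
    -out "$WORK/your_certificate.pfx" -passout pass:demo
}

# 2. The page's two extraction commands, non-interactive (-passin) and with
#    the exported key left unencrypted (-nodes) so a script can use it.
extract_from_pfx() {
  openssl pkcs12 -in "$WORK/your_certificate.pfx" -nocerts -nodes \
    -out "$WORK/your_private_key.key" -passin pass:demo
  openssl pkcs12 -in "$WORK/your_certificate.pfx" -clcerts -nokeys \
    -out "$WORK/your_public_key.cert" -passin pass:demo
  # openssl dgst -verify wants a bare PEM public key, not a certificate,
  # so pull the public key out of the .cert first.
  openssl x509 -in "$WORK/your_public_key.cert" -pubkey -noout \
    > "$WORK/your_public_key.pem"
}

# 3. Detached SHA-256 signature over the whole file, as in the Linux section.
sign_file() {            # sign_file <binary> <private key> <signature out>
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# 4. Verification as a yes/no answer: prints "valid" or "invalid" and never
#    aborts the script, so callers can branch on the result.
check_signature() {      # check_signature <binary> <public key pem> <signature>
  if openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_demo_pfx
extract_from_pfx

# Constructed stand-in for the ELF binary you would actually ship.
printf 'hello, world\n' > "$WORK/your_binary_file_name"
sign_file "$WORK/your_binary_file_name" "$WORK/your_private_key.key" \
  "$WORK/your_binary_file_name.sig"

# Failure case A: the binary is modified after signing (one byte appended).
cp "$WORK/your_binary_file_name" "$WORK/tampered"
printf 'x' >> "$WORK/tampered"

# Failure case B: a signature over the same bytes made with a different key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null
sign_file "$WORK/your_binary_file_name" "$WORK/other.key" "$WORK/other.sig"

GENUINE=$(check_signature "$WORK/your_binary_file_name" \
  "$WORK/your_public_key.pem" "$WORK/your_binary_file_name.sig")
TAMPERED=$(check_signature "$WORK/tampered" \
  "$WORK/your_public_key.pem" "$WORK/your_binary_file_name.sig")
WRONG_KEY=$(check_signature "$WORK/your_binary_file_name" \
  "$WORK/your_public_key.pem" "$WORK/other.sig")

echo "genuine file:   $GENUINE"     # valid
echo "tampered file:  $TAMPERED"    # invalid
echo "foreign signer: $WRONG_KEY"   # invalid
```

The last two results are the point of the exercise: a detached signature only proves that the file is byte-for-byte what a particular private key signed, so the receiving side must both verify against the expected public key and decide separately (for example by checking the certificate chain) whether that key belongs to the publisher it trusts.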