winsign¶
winsign is a python module for signing and manipulating Authenticode signatures in PE and MSI files.
Works on Python 3.7 and up.
Free software: MPL2
Requirements¶
Most dependencies are specified in requirements/base.txt, however, currently you also need osslsigncode installed to perform signing. This utility can be fetched from your distribution’s package repository, or from e.g. https://github.com/theuni/osslsigncode
Signing MSIX/APPX files currently requires Mozilla’s fork of msix-packaging.
Installation¶
pip install winsign
CLI Usage¶
usage: winsign [-h] --certs CERTS --key PRIV_KEY [-n COMMENT] [-i URL] -d
{sha1,sha256} [-t {old,rfc3161}] [-v] [-q]
infile [outfile]
positional arguments:
infile unsigned file to sign
outfile where to write output to. defaults to infile
optional arguments:
-h, --help show this help message and exit
--certs CERTS certificates to include in the signature
--key PRIV_KEY private key used to sign
-n COMMENT comment to include in signature
-i URL url to include in signature
-d {sha1,sha256} digest to use for signing. must be one of sha1 or sha256
-t {old,rfc3161}
-v, --verbose
-q, --quiet
Future plans¶
Stop using osslsigncode for PE signatures
Refactor code so that osslsigncode functionality is in its own module
Add python support for MSI, then we can drop dependency on osslsigncode
Development¶
- Highly recommended to create a virtualenv, then run:
python setup.py develop
make your changes to the source files
run local tests: tox
- upon successful r+ and merging to master branch, you need to release a new version on PyPi.
edit setup.py to adjust the version
generate .whl file locally: python setup.py bdist_wheel
file will exist in: ./dist/winsign-{version}-py3-none-any.whl
(assuming you have pypi access to upload)
upload to pypi: twine upload –verbose dist/winsign-{version}-py3-none-any.whl
Credits¶
Chris AtLee
Ben Hearsum <bhearsum@mozilla.com>
Joel Maher <jmaher@mozilla.com>
How it works¶
First we generate a dummy signature for the file using builtin keys. This uses
the get_dummy_signature
method.
We then take the extracted signature, and retrieve the ASN.1 SignedData object from it. We replace the certificates in the SignerInfo object with the real certificates. Then we can generate a signature over the new SignerInfo object with whatever mechanism we wish.
Finally, the resulting signature is injected into the original file.