write documentation for windows codesigning

[klali]

windows codesigning (both native and with osslsigncode) is possible, this should be documented.

[ismail]

I would appreciate some docs on this :-)

[denishonig]

Any news?

[adamretter]

Any documentation on using osslsigncode please?

[denishonig]

@klali do you know how to sign with osslsigncode if cert is in yubikey? Thanks

[klali]

I know that it used to work with the opensc pkcs11 module and a command line like:

$ osslsigncode sign -pkcs11engine /path/to/engine_pkcs11.so -pkcs11module /path/to/opensc-pkcs11.so -key slot_1-id_2 -certs /path/to/cert.pem -h sha256 -comm -t "http://tsa.starfieldtech.com" in.exe out.exe

This obviously requires a version of osslsigncode with pkcs11 support (and I haven't tried it for several years).

[g-bougard]

Just to put my 2 cents, I managed to use osslsigncode with yubico-piv-tool on Fedora 34 to sign with such a command:

osslsigncode sign -pkcs11engine /usr/lib64/engines-1.1/pkcs11.so -pkcs11module /usr/lib64/libykcs11.so.2 -key "pkcs11:id=%01;type=private?pin-value=XXXXXXXX" -certs ev-code-signing-chain.crt -h sha256 -ts http://ts.ssl.com not-signed.msi signed.msi

XXXXXXXX must be replaced by your yubikey pin for the 9a slot.
Here I'm using -ts http://ts.ssl.com as I'm using my yubikey provider RFC3161 timestamp server, but you can use -t option in place if your timestamp server is not RFC3161 compliant.
The -certs option point to a file where I concatenated my EV code-signing certificate with all CA and intermediate autority certificates.

I thanks @klali to point me on the right road ;-)