file format fixes

CHANGELOG.md

@@ -1,63 +1,63 @@
-=== 2.0 (2018-xx-xx)
+### 2.0 (2018-xx-xx)
 
 - ported to OpenSSL 1.1.x
 - ported to SoftHSM2
 - add support for pkcs11-based hardware tokens
-	(Patch from Leif Johansson)
+  (Patch from Leif Johansson)
 - improved error reporting of timestamping errors
-        (Patch from Carlo Teubner)
+  (Patch from Carlo Teubner)
 
-=== 1.7.1 (2014-07-11)
+### 1.7.1 (2014-07-11)
 
 - MSI: added -add-msi-dse option
-	(Patch from Mikkel Krautz)
+  (Patch from Mikkel Krautz)
 - MSI: fix build when GSF_CAN_READ_MSI_METADATA defined
-	(Patch from Mikkel Krautz)
+  (Patch from Mikkel Krautz)
 
-=== 1.7 (2014-07-10)
+### 1.7 (2014-07-10)
 
 - add support for nested signatures
-	(Patch from Mikkel Krautz)
+  (Patch from Mikkel Krautz)
 - fix compilation problem with OpenSSL < 1.0.0
 - added OpenSSL linkage exception to license
 
-=== 1.6 (2014-01-21)
+### 1.6 (2014-01-21)
 
 - add support for reading password from file
 - add support for asking for password (on systems that
   provide support for it)
 - add support for compiling and running on Windows
-	 (Patch from Heiko Hund)
+  (Patch from Heiko Hund)
 - fix compilation without curl
-	 (Fix from Heiko Hund)
+  (Fix from Heiko Hund)
 - added support for giving multiple timestamp servers
   as arguments (first one that succeeds will be used)
 - signatures on hierarchical MSI files were broken
-	 (Fix from Mikkel Krautz)
+  (Fix from Mikkel Krautz)
 - MSI: Add support for MsiDigitalSignatureEx signature
-	 (Patch from Mikkel Krautz)
+  (Patch from Mikkel Krautz)
 - add support for adding additional/cross certificates
   through -ac option
-	 (Thanks to Lars Munch for idea + testing)
+  (Thanks to Lars Munch for idea + testing)
 - MSI: Add support for signature extract/remove/verify
-	 (Patches from Mikkel Krautz)
+  (Patches from Mikkel Krautz)
 - PE/MSI: Implement -require-leaf-hash for verify.
-	 (Patch from Mikkel Krautz)
+  (Patch from Mikkel Krautz)
 
-=== 1.5.2 (2013-03-13)
+### 1.5.2 (2013-03-13)
 
 - added support for signing with SHA-384 and SHA-512
 - added support for page hashing (-ph option)
 
-=== 1.5.1 (2013-03-12)
+### 1.5.1 (2013-03-12)
 
 - forgot to bump version number...
 
-=== 1.5 (2013-03-12)
+### 1.5 (2013-03-12)
 
 - added support for signing MSI files (patch from Marc-André Lureau)
 - calculate correct PE checksum instead of setting it to 0
-	 (patch from Roland Schwingel)
+  (patch from Roland Schwingel)
 - added support for RFC3161 timestamping (-ts option)
 - added support for extracting/removing/verifying signature on PE files
 - fixed problem with not being able to decode timestamps with no newlines
@@ -66,26 +66,25 @@
 - added support for reading certificates from PEM files
 - renamed program option: -spc to -certs (old option name still valid)
 
-
-=== 1.4 (2011-08-12)
+### 1.4 (2011-08-12)
 
 - improved build system (patch from Alon Bar-Lev)
 - support reading cert+key from PKCS12 file (patch from Alon Bar-Lev)
 - support reading key from PEM file
 - added support for sha1/sha256 - default hash is now sha1
 - added flag for commercial signing (default is individual)
 
-=== 1.3.1 (2009-08-07)
+### 1.3.1 (2009-08-07)
 
 - support signing of 64-bit executables (fix  from Paul Kendall)
 
-=== 1.3 (2008-01-31)
+### 1.3 (2008-01-31)
 
 - fixed padding problem (fix from Ryan Rubley)
 - allow signing of already signed files (fix from Ryan Rubley)
 - added Ryan Rubley's PVK-to-DER guide into the README
 
-=== 1.2 (2005-01-21)
+### 1.2 (2005-01-21)
 
 - autoconf:ed (Thanks to Roy Keene)
 - added documentation
@@ -94,6 +93,6 @@
 - compiles without curl, which means no timestamping
 - version number output
 
-=== 1.1 (2005-01-19)
+### 1.1 (2005-01-19)
 
 - Initial release

LICENSE.txt

@@ -1,33 +1,30 @@
-/*
-   OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
+OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
 
-   Copyright (C) 2005-2014 Per Allansson <[email protected]>
-   Copyright (C) 2018 Michał Trojnara <[email protected]>
+Copyright (C) 2005-2014 Per Allansson <[email protected]>
+Copyright (C) 2018 Michał Trojnara <[email protected]>
 
-   This program is free software: you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation, either version 3 of the License, or
-   (at your option) any later version.
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
 
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
 
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-   In addition, as a special exception, the copyright holders give
-   permission to link the code of portions of this program with the
-   OpenSSL library under certain conditions as described in each
-   individual source file, and distribute linked combinations
-   including the two.
-   You must obey the GNU General Public License in all respects
-   for all of the code used other than OpenSSL.  If you modify
-   file(s) with this exception, you may extend this exception to your
-   version of the file(s), but you are not obligated to do so.  If you
-   do not wish to do so, delete this exception statement from your
-   version.  If you delete this exception statement from all source
-   files in the program, then also delete it here.
-*/
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+In addition, as a special exception, the copyright holders give
+permission to link the code of portions of this program with the
+OpenSSL library under certain conditions as described in each
+individual source file, and distribute linked combinations
+including the two.
+You must obey the GNU General Public License in all respects
+for all of the code used other than OpenSSL.  If you modify
+file(s) with this exception, you may extend this exception to your
+version of the file(s), but you are not obligated to do so.  If you
+do not wish to do so, delete this exception statement from your
+version.  If you delete this exception statement from all source
+files in the program, then also delete it here.

README.md

@@ -1,16 +1,14 @@
 osslsigncode
 ============
 
-
-== WHAT IS IT?
+## WHAT IS IT?
 
 osslsigncode is a small tool that implements part of the functionality
 of the Microsoft tool signtool.exe - more exactly the Authenticode
 signing and timestamping. But osslsigncode is based on OpenSSL and cURL,
 and thus should be able to compile on most platforms where these exist.
 
-
-== WHY?
+## WHY?
 
 Why not use signtool.exe? Because I don't want to go to a Windows
 machine every time I need to sign a binary - I can compile and build
@@ -19,26 +17,24 @@ since the signtool.exe makes good use of the CryptoAPI in Windows, and
 these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe
 tool  would fail. And, so, osslsigncode was born.
 
-
-== WHAT CAN IT DO?
+## WHAT CAN IT DO?
 
 It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
 the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
 valid signature for a CAB file containing Java files. It supports getting
 the timestamp through a proxy as well. It also supports signature verification,
 removal and extraction.
 
-
-== INSTALLATION
+## INSTALLATION
 
 The usual way:
-
+```
   ./configure
   make
   make install
+```
 
-
-== USAGE
+## USAGE
 
 Before you can sign a file you need a Software Publishing
 Certificate (spc) and a corresponding private key.
@@ -54,39 +50,39 @@ key which must be a key file in DER or PEM format, or if osslsigncode was
 compiled against OpenSSL 1.0.0 or later, in PVK format.
 
 To sign a PE or MSI file you can now do:
-
+```
   osslsigncode sign -certs <cert-file> -key <der-key-file> \
-        -n "Your Application" -i http://www.yourwebsite.com/ \
-        -in yourapp.exe -out yourapp-signed.exe
-
+    -n "Your Application" -i http://www.yourwebsite.com/ \
+    -in yourapp.exe -out yourapp-signed.exe
+```
 or if you are using a PEM or PVK key file with a password together
 with a PEM certificate:
-
+```
   osslsigncode sign -certs <cert-file> \
-        -key <key-file> -pass <key-password> \
-        -n "Your Application" -i http://www.yourwebsite.com/ \
-        -in yourapp.exe -out yourapp-signed.exe
-
+    -key <key-file> -pass <key-password> \
+    -n "Your Application" -i http://www.yourwebsite.com/ \
+    -in yourapp.exe -out yourapp-signed.exe
+```
 or if you want to add a timestamp as well:
-
+```
   osslsigncode sign -certs <cert-file> -key <key-file> \
-        -n "Your Application" -i http://www.yourwebsite.com/ \
-        -t http://timestamp.verisign.com/scripts/timstamp.dll \
-        -in yourapp.exe -out yourapp-signed.exe
-
+    -n "Your Application" -i http://www.yourwebsite.com/ \
+    -t http://timestamp.verisign.com/scripts/timstamp.dll \
+    -in yourapp.exe -out yourapp-signed.exe
+```
 You can use a certificate and key stored in a PKCS#12 container:
-
+```
   osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
-        -n "Your Application" -i http://www.yourwebsite.com/ \
-        -in yourapp.exe -out yourapp-signed.exe
-
+    -n "Your Application" -i http://www.yourwebsite.com/ \
+    -in yourapp.exe -out yourapp-signed.exe
+```
 To sign a CAB file containing java class files:
-
+```
   osslsigncode sign -certs <cert-file> -key <key-file> \
-        -n "Your Application" -i http://www.yourwebsite.com/ \
-        -jp low \
-        -in yourapp.cab -out yourapp-signed.cab
-
+    -n "Your Application" -i http://www.yourwebsite.com/ \
+    -jp low \
+    -in yourapp.cab -out yourapp-signed.cab
+```
 Only the 'low' parameter is currently supported.
 
 You can check that the signed file is correct by right-clicking
@@ -95,9 +91,7 @@ and then choose the signature from the list, and click on
 Details. You should then be presented with a dialog that says
 amongst other things that "This digital signature is OK".
 
-
-
-== CONVERTING FROM PVK TO DER
+## CONVERTING FROM PVK TO DER
 
 (This guide was written by Ryan Rubley)
 
@@ -116,22 +110,24 @@ use instead of your *.spc file. It's the same basic thing, in a different format
 For your PVK file, you will need to download a little utility called
 PVK.EXE. This can currently be downloaded at
 
- http://support.globalsign.net/en/objectsign/PVK.zip
+  http://support.globalsign.net/en/objectsign/PVK.zip
 
-Run: pvk -in foo.pvk -nocrypt -out foo.pem
+Run:
+```
+  pvk -in foo.pvk -nocrypt -out foo.pem
+```
 
 This will convert your PVK file to a PEM file.
 From there, you can copy the PEM file to a Linux box, and run:
-
+```
   openssl rsa -outform der -in foo.pem -out foo.der
-
+```
 This will convert your PEM file to a DER file.
 
 You need the *.p7b and *.der files to use osslsigncode, instead of your
 *.spc and *.pvk files.
 
-
-== BUGS, QUESTIONS etc.
+## BUGS, QUESTIONS etc.
 
 Send an email to [email protected]
 

README.unauthblob.md

@@ -1,7 +1,9 @@
-# This is NOT the official repo for osslsigncode  
+# This is NOT the official repo for osslsigncode
+
 This project was copied from osslsigncode 1.7.1 to apply some patches for compiling with cygwin and being able to add unauthenticated blobs.  The official source for the project is at: http://sourceforge.net/projects/osslsigncode/
 
 ## Features added
+
 Adds the argument "-addUnauthenticatedBlob" to add a 1024 byte unauthenticated blob of data to the signature in the same area as the timestamp.  This can be used while signing, while timestamping (new `add` command added to allow just time-stamping, after a file has been code signed, or by itself.
 
 Examples:
@@ -34,10 +36,9 @@ This technique (but not this project) is used by Dropbox, GoToMeeting, and Summi
 - https://tech.dropbox.com/2014/08/tech-behind-dropboxs-new-user-experience-for-mobile/
 - http://blogs.msdn.com/b/ieinternals/archive/2014/09/04/personalizing-installers-using-unauthenticated-data-inside-authenticode-signed-binaries.aspx
 
-
 ## WARNING
-The capability this adds can allow you to do dumb things.  Be very careful with what you put in the unauthenticated blob, as an attacker could modify this.  Do NOT under any circumstances put a URL here that you will use to download an additional file.  If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect.  You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data.  Basically, be VERY careful.  
 
+The capability this adds can allow you to do dumb things.  Be very careful with what you put in the unauthenticated blob, as an attacker could modify this.  Do NOT under any circumstances put a URL here that you will use to download an additional file.  If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect.  You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data.  Basically, be VERY careful.
 
 ## Compiling under cygwin
 

misc/softhsm-example-token/README.txt → misc/softhsm-example-token/README.md

@@ -1,3 +1,4 @@
+# softhsm-example-token
 
 This directory contains a basic setup for testing pkcs11-support. If you get 
 this to work you have a decent chance of using your real HSM or hardware token.
@@ -10,9 +11,9 @@ You need the following packages (ubuntu/debian names):
 Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
 "secret1". To use this token with osslsigncode try something like this (from this 
 directory):
-
-../../osslsigncode sign \
+```
+  ../../osslsigncode sign \
    -pkcs11engine /usr/lib/engines-1.1/pkcs11.so \
    -pkcs11module /usr/lib/libsofthsm2.so -key a1b2 -certs test.crt ...
-
+```
 Use 'secret1' as the password at the prompt.