Signing Windows application on Linux-based distros
It's actually quite straightforward to do using Mono's signtool; the tricky part (described in more detail in the linked Mozilla article) is copying the certificate in the correct format from Windows to Linux.
Converting the Windows PFX certificate file to PVK and SPC files only needs to be done once, when copying the certificate from Windows to Linux:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Actually signing the exe is straightforward:
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.digicert.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe
Obtain a certificate and sign an exe on Linux
Mono's signing tools allow you to sign an executable on a Linux box.
First convert your .pfx certificate to .pvk and .spc files:
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
And then sign it:
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-tr 10 \
application.exe
Signed executables under Linux
The DigSig kernel module implements verification of binaries signed by a tool called bsign. However, there hasn't been any work on it since version 2.6.21 of the Linux kernel.
How to sign code (.EXE file) with a .SPC or .PEM file from GoDaddy (using Ubuntu)?
The problem was solved by updating OSSLSIGNCODE in my Ubuntu...
What’s the best way to distribute a binary application for Linux?
Having been through this a couple of times with commercial products, I think the very best answer is to use the native installer for each supported platform. Anything else produces an unpleasant experience for the end-user, and in practice you have to test on every platform you want to support anyway, so it's not really a significant burden to maintain packages for each. The idea that you can create a binary that can "just work" on every platform out there, including some you've never even heard of, just really doesn't work all that well.
My recommendation is that you pick a platform or two to support initially (Red Hat and Ubuntu would be my suggestions) and then let user demand drive the creation of additional installation packages. Perhaps make it known that you're willing to support additional platforms, for a modest fee that covers your time and effort in packaging and testing on that platform. If a platform proves to be very different, you may need to charge more for ongoing support.
Oh, and I cannot overemphasize the value of virtual machines for scenarios like this. You need to build VMs for each platform you support, and perhaps multiple VMs per platform to make it easy to test different configurations.