DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Sign a Windows App on Linux Using osslsigncode

Solution ID : TL010623000733
Last Modified : 05/10/2024


This article walks you through the steps to set up a Token on a Linux system and guides you on how to use the token once set up. 
The below instructions apply to Code Signing certificates only.

Prevent email tampering and phishing with a DigiCert S/MIME certificate.

Linux (Ubuntu): Setup osslsigncode

1) Update repository package info: 

sudo apt update

2) Install dependencies:s set up.

sudo apt install openssl libcurl4-openssl-dev libssl-dev libengine-pkcs11-openssl curl libcurl4 git automake libtool pkg-config wget libccid libpcsclite1 pcscd usbutils opensc p7zip-full

3) Create a folder to store osslsigncode:

sudo mkdir /usr/local/win-dev

4) Login to super user account temporarily for the next steps:

sudo su

5) Download and extract osslsigncode from zip:

1.  cd /usr/local/win-dev

2.  wget  https://github.com/mtrojnar/osslsigncode/releases/download/2.1/osslsigncode-2.1.0.tar.gz

3.  tar -xvzf osslsigncode-2.1.0.tar.gz

4.  cd osslsigncode-2.1.0

6) Compile and install osslsigncode: 

./autogen.sh ./configure && make && make install

7) Exit super user shell:




Sign Using a EV Code Signing Certificate (Linux)

1) Install the SafeNet Drivers

1.  sudo apt install unzip

2.  wget https://www.digicert.com/StaticFiles/SAC_10_7_Linux_GA.zip

3.  unzip -q SAC_10_7_Linux_GA.zip

4.  cd SAC_10_7_Linux_GA/Installation/Standard/DEB

5.  sudo dpkg -i safenetauthenticationclient_10.7.77_amd64.deb

2) Install OpenSC and other dependencies

sudo apt install opensc opensc-pkcs11 pcscd gnutls-bin

3) Enter admin shell for the next steps:

sudo su

4) Download libp11

1.  cd /usr/local/win-dev

2.  wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.11/libp11-0.4.11.tar.gz && tar -xzvf libp11-0.4.11.tar.gz

3.  cd libp11-0.4.11

5) Install libp11

./configure --prefix=/usr/local/mac-dev && make && make install

6) Download a copy of your certificate in PEM format and save it as certificate.pem. You can easily download the certificate by logging into your account, replace the order number (xxxxxx) in the below URL with your own, and then open the link:


7) Get the key id URL for the certificate to sign with. You know which URL to copy based on the Label which will have your organization or personal name.

p11tool --provider=/usr/lib/libeTPkcs11.so --list-all

8) Sign your code (Be sure to update the token information to match your token info found in step 7. As well as updating the path to the application to be signed, and the path to safe the signed application):

osslsigncode sign -verbose -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /lib/libeToken.so -h sha256 -n test-name -t http://timestamp.digicert.com -certs path/to/certificate.pem -key "pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=029a748f;token=ExampleHSM;id=%C8%69%6E%65%0E%32%61%8E%49%27%2E%E6%6J%2E%1C%25%90%E3%50%45;object=Rex%20Linder;type=cert" -in path/to/application.exe -out path/to/new/signedApp.exe