I have been looking for a way to sign an executable so that Windows stops saying that my own executable is a danger to my system.
Some information first. What I did:
I did not know anything about certificates so I followed this answer to create all the (apparently) required certificates (steps 1 to 6 only).
Then, I signed the executable the way this answer suggests (the first way to sign).
I tried verifying it with the following command:

```
$ osslsigncode verify -in <myprogram>-signed.exe
```

But it fails with the following error:

```
PKCS7_verify error
40377E953E700000:error:10800075:PKCS7 routines:PKCS7_verify:certificate verify error:crypto/pkcs7/pk7_smime.c:296:Verify error: unable to get local issuer certificate
Signature verification: failed
```
On the internet, I have found two possible reasons for this error:

```
# code_sign_cert.conf
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
extendedKeyUsage = codeSigning
[alt_names]
DNS.1 = the-company.com # I don't even know what to put here
```

`rootCA.crt` was not added to the trusted ones, so I added it with this command:

```
# trust anchor --store rootCA.crt
```

And even ran

```
$ sudo update-ca-trust
```

just in case, and nothing changed at all.

I can find the certificate (named after me instead of "rootCA") in the `/etc/ca-certificates/` folder, so it seems to have worked.
But in the end I still get the same error.
I'm at a loss because I'm confused by all the certificate formats; I don't know where to look anymore.
Does anyone have a clue as to why the verification fails?
You have to specify the trusted certificates to osslsigncode with the `-CAfile` parameter:

```
osslsigncode verify -CAfile full-chain.pem -in <myprogram>-signed.exe
```
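The answer leaves open what `full-chain.pem` should contain. The script below is an added example, not part of the question or answer: it assembles the bundle that `osslsigncode verify -CAfile` reads (every issuer certificate above the signer, root included, concatenated as PEM) and then runs the verification. The file names `rootCA.crt` and `intermediateCA.crt` are assumptions about what the earlier certificate-creation steps produced; substitute whatever your own setup wrote.

```shell
#!/bin/sh
# Added example (not the original post's commands). Assumes the root CA
# certificate and any intermediate CA certificate exist as PEM files;
# the names rootCA.crt and intermediateCA.crt are placeholders.

# build_chain OUT CERT... : concatenate issuer certificates (PEM) into OUT
# and print how many certificates the bundle now holds. DER-encoded input
# is rejected, because osslsigncode -CAfile expects PEM and would otherwise
# fail with the same "unable to get local issuer certificate" message.
build_chain() {
    out="$1"
    shift
    : > "$out"
    for cert in "$@"; do
        if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
            echo "not a PEM certificate: $cert" >&2
            return 1
        fi
        # The trailing echo guarantees a newline between concatenated blocks.
        { cat "$cert"; echo; } >> "$out"
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# verify_signed CHAIN EXE : check the Authenticode signature against the
# issuer bundle. The signing (leaf) certificate itself is embedded in the
# signature and does not need to be in CHAIN.
verify_signed() {
    chain="$1"
    exe="$2"
    osslsigncode verify -CAfile "$chain" -in "$exe"
}

# Typical use (run only when this file is executed directly, not sourced):
if [ "${0##*/}" = "verify-chain.sh" ]; then
    build_chain full-chain.pem rootCA.crt intermediateCA.crt
    verify_signed full-chain.pem myprogram-signed.exe
fi
```

Note that adding `rootCA.crt` to the operating system's trust store (`trust anchor`, `update-ca-trust`) does not help here: as the answer states, osslsigncode only trusts what is passed through `-CAfile`, so the bundle has to be supplied explicitly on every verification.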