@frederikbosch
Created March 11, 2019 09:34
osslsigncode
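Dockerfile:

FROM ubuntu:18.04

# Build tools, OpenSSL PKCS#11 engine, and smart-card (PC/SC) support
RUN apt-get update && apt-get install -y \
    openssl libcurl4-openssl-dev libssl-dev libengine-pkcs11-openssl \
    curl libcurl4 \
    git automake libtool pkg-config wget \
    libccid libpcsclite1 pcscd usbutils opensc

# Build osslsigncode from source.
# Note: this clone is unpinned; pin a commit you have reviewed for reproducible builds.
RUN git clone https://github.com/mtrojnar/osslsigncode
RUN cd osslsigncode && ./autogen.sh && ./configure && make && make install

# SafeNet Authentication Client (provides the libeToken PKCS#11 module).
# Note: the package is fetched from a third-party repository without a checksum check;
# verify it against a hash you trust before installing.
RUN wget https://github.com/yryz/docker-safenet-etoken/raw/master/SafenetAuthenticationClient-core-10.0.60-1_amd64.deb
RUN dpkg -i SafenetAuthenticationClient-core-10.0.60-1_amd64.deb

COPY entrypoint.sh /
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]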
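
entrypoint.sh:

#!/bin/sh
set -e

# Start the smart-card daemon and the SafeNet service so the token is reachable
echo "Starting pcscd & SACSrv"
service pcscd start
service SACSrv start

# Sign with the key on the token; the arguments given to docker run
# (-key, -pass, -in, -out) are appended unchanged via "$@"
exec /usr/local/bin/osslsigncode sign \
    -verbose \
    -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
    -pkcs11module /lib/libeToken.so.10 \
    -h sha256 \
    -n "Name of your app" \
    -t http://timestamp.verisign.com/scripts/timstamp.dll \
    -certs /etc/certs/ev.pem \
    "$@"
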
Build the Docker image from the osslsigncode directory.

docker build --rm -t osslsigncode .

Find the key ID by running one of the commands below and entering the password (PIN) when prompted. Which command applies depends on the version of the token library you are using (9, 10 or maybe newer). Change entrypoint.sh accordingly.

pkcs11-tool --module /lib/libeToken.so.9 -l -O
pkcs11-tool --module /lib/libeToken.so.10 -l -O

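Export the certificate as a PEM file from the USB token, then sign the code, passing the key ID and the password to docker run. Note that --privileged gives the container full access to the host's devices, and a PIN passed with -pass ends up in the shell history and process list, so run this on a trusted build host.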

docker run --privileged --rm --disable-content-trust \
  -v /dev/bus/usb:/dev/bus/usb \
  -v /link-to-your.pem:/etc/certs/ev.pem \
  -v /link-to-your-electron-files:/electron \
  -ti osslsigncode \
  -key 'key' \
  -pass pass \
  -in /electron/app-2.1.0-setup.exe \
  -out /electron/app-2.1.0-setup-signed.exe
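
To pick the right value for -key out of the pkcs11-tool listing from the earlier step, the following added example (not part of the original gist) extracts the ID of each private key that has a certificate with the same ID and also prints it as an RFC 7512 PKCS#11 URI. The sample listing is constructed, its layout is assumed to match what pkcs11-tool prints, the function names are hypothetical, and whether your engine build accepts the URI form for -key is an assumption to check.

```shell
#!/bin/sh
# Added example, not part of the gist. The listing below is constructed sample
# data in the layout pkcs11-tool is assumed to print for `-l -O`.
sample_listing() {
cat <<'EOF'
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      constructed-ev-key
  ID:         5F3A9C01
  Usage:      sign
Certificate Object; type = X.509 cert
  label:      constructed-ev-cert
  ID:         5f3a9c01
Private Key Object; RSA
  label:      constructed-orphan-key
  ID:         0a0b
  Usage:      decrypt, sign
EOF
}

# Print the ID of each private key that has a certificate with the same ID,
# i.e. the key that belongs to the certificate exported as ev.pem.
signing_key_ids() {
  awk '
    /^Private Key Object/ { kind = "priv"; next }
    /^Certificate Object/ { kind = "cert"; next }
    /^[^ \t]/             { kind = ""; next }   # banner or other object type
    /^[ \t]+ID:/ {
      id = tolower($2)
      if (kind == "priv" && !(id in priv)) { priv[id] = 1; order[++n] = id }
      if (kind == "cert") cert[id] = 1
    }
    END { for (i = 1; i <= n; i++) if (order[i] in cert) print order[i] }
  '
}

# Hex ID -> RFC 7512 URI with every byte percent-encoded; rejects bad input.
pkcs11_uri() {
  case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
  [ $(( ${#1} % 2 )) -eq 0 ] || return 1
  printf 'pkcs11:id=%s;type=private\n' "$(printf '%s' "$1" | sed 's/../%&/g')"
}

for id in $(sample_listing | signing_key_ids); do
  printf '%s  %s\n' "$id" "$(pkcs11_uri "$id")"
done
```

On a real token, pipe the output of the pkcs11-tool command for your library version into signing_key_ids instead of sample_listing.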