begin signing Windows packages the Linux way

In #3861 (closed) we started signing Windows packages the Windows way. But what we really want is being able to do that on a Linux box in order to be able to distribute this signing task as well.

added GeorgKoppen201602 MikePerry201602R TorBrowserTeam201603R component::applications/tor bundles/installation owner::gk priority::medium resolution::fixed severity::normal status::closed type::enhancement labels

Useful information from #3861 (closed):

"As an update on this: we have an Aladdin eToken PRO 72K with a Digicert certificate we plan to use for this. The first problem is we need binary blobs to get the eToken going, something that is called SafeNetAuthentication client. I plan to only use the minimal amount of binary files we actually need and try to get some sha256 sums from some official people. I looked into using OpenSC but our token is not supported: ​https://github.com/OpenSC/OpenSC/wiki/Frequently-Asked-Questions#q-can-i-use-aladdin-etoken-with-opensc

The second problem is which software should we actually use for signing osslsigncode which would have been my favorite one cannot handle that token yet: ​http://sourceforge.net/p/osslsigncode/feature-requests/7/. I am not done with evaluating alternatives yet."

and

"I have not found a suitable tool nor did the DigiCert people (I asked them). Thus, we need some custom code. I guess using osslsigncode is the right decision which gives us two options: 1) We let some PKCS#11 tool do the signing passing it a proper blob and getting that one signed back or 2) We add the necessary PKCS#11 functionality to osslsigncode itself. I think I start with 1) which brings me back to looking for a proper tool. pkcs11-tool does not work with our token for some reason. The version in Ubuntu 12.04 breaks with:

Using signature algorithm RSA-PKCS-PSS
error: PKCS11 function C_SignInit failed: rv = CKR_MECHANISM_PARAM_INVALID (0x71)

and the one built from opensc master breaks with:

Using signature algorithm DES3-MAC
error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT (0x63)

"

Trac:
Cc: N/A to mcs

pkcs11-tool does not work with our token for some reason. The version in Ubuntu 12.04 breaks

It's time to collect cool success stories from internet then.

https://r3blog.nl/index.php/etoken-pro-72k/ link to collection

eToken Pro 72k and Linux

This document is a compilation from various sources found on the internet.

Details about proprietary Safenet Authentication Client required for eToken Pro 72k:

The eToken PRO 72K Javacard model and some of the other newer models require the proprietary Safenet Authentication Client in order to work on Linux. You'll have to find SAC via Google as it isn't freely available. The most recent version I'm aware of is SAC 8.3, but I don't have it and I'm currently using SAC 8.1 on Ubuntu 13.04 without much trouble.

For SAC 8.1 I needed to install libhal1 and create some symlinks before everything worked:

apt-get install libhal1
dpkg -i SafenetAuthenticationClient-8.1.0-5_amd64.deb
ln -s /lib64/libeToken.so.8.1 /usr/lib64/eToken/libeToken.so.8
ln -s /lib64/libeTokenUI.so.8.1 /usr/lib64/eToken/libeTokenUI.so.8

to do that on a Linux box in order to be able to distribute this signing task as well. Uh, seems like SAC model distribution incompatible with announced task, it requires some license key (probably full client, not core part, but anyway).

It's better to find ways to use another open-source friendly tokens. If not then system need two proprietary binary files to process token: driver libAksIfdh (with stuff information in text files) used by pcscd and module libeToken used by pkcs11-tool (module reading proprietary text file /etc/eToken.conf). Seems like somebody from internet able to use this token such way.

try to get some sha256 sums from some official people They builds signed RPM-based packages, (keyid 3EE056D51F83E0FE), (gpg key shipped in zip file they using to distribute software).

http://sourceforge.net/u/leifjohansson/osslsigncode/ci/67ef46984fc6da4e2f20c280506a5f8358b46c76 might be helpful and interesting to look at.

Trac:
Keywords: N/A deleted, TorBrowserTeam201507, GeorgKoppen201507 added

Trac:
Keywords: TorBrowserTeam201507, GeorgKoppen201507 deleted, GeorgKoppen201508, TorBrowserTeam201508 added

Replying to gk:

http://sourceforge.net/u/leifjohansson/osslsigncode/ci/67ef46984fc6da4e2f20c280506a5f8358b46c76 might be helpful and interesting to look at.

This is indeed helpful. This allows me to access the token we have from within osslsigncode. The only bit I still need to figure out is how to get rid of the -certs option properly as we don't have a certificate file we can point to. "properly" includes getting the actual signing working.

Oh, I think we need the certs parameter to get the relevant ones added to the .exe...

Seems I got this working on an Ubuntu 12.04 \o/. Still need to clean-up things and write some documentation. I'll test signing the next alpha on a Linux box.

Move remaining August tickets to September.

Trac:
Keywords: TorBrowserTeam201508 deleted, TorBrowserTeam201509 added

Trac:
Keywords: GeorgKoppen201508 deleted, GeorgKoppen201509 added

Okay, this is working for me now on different Ubuntu versions and on Debian testing at least (I learned the hard way that some distros require a restart to get things working while others not... /me looks at Debian).

The attached patch documents the requirements. I'll test this during the next alpha release. If it is still working then we can close this ticket.

Trac:
Keywords: TorBrowserTeam201509 deleted, TorBrowserTeam201509R, MikePerry201509R added
Status: new to needs_review

Trac:
0001-Bug-15538-Document-authenticode-signing.patch

I think we should link to the zip itself if we can, along with a way to check for updates. I just asked if we can do this.

Also, the patch refers to an ISO inside the zip? Do you mean a .deb? Or is it a .zip that contains a .iso that contains a .deb?

Replying to mikeperry:

I think we should link to the zip itself if we can, along with a way to check for updates. I just asked if we can do this.

Yes. I've been writing this under the impression that access to the software is bound to an actual cert one buys. But maybe I am wrong.

Also, the patch refers to an ISO inside the zip? Do you mean a .deb? Or is it a .zip that contains a .iso that contains a .deb?

The latter (FWIW it contains rpms as well if someone is preferring that package format flavor).