The signing configuration I used is this:

keys:
  devid:
    token: file
    keyfile: <path to p12 file>
    timestamp: true
    ispkcs12: true

tokens:
  file:
    type: file
timestamp:
  urls:
    - http://timestamp.apple.com/ts01

And this is the command:

relic sign -k devid -f <Mach-O binary> --hardened-runtime --config ./relic.yml

Signing succeeds, but when I verify with relic I get this:

> relic verify ./<Mach-O binary>
./<Mach-O binary> ERROR: validating timestamp: x509: “Timestamp Signer NWK1” certificate is not permitted for this usage
ERROR: 1 or more files did not validate

Verifying with codesign also fails:

> codesign -vvv ./macnotary
./<Mach-O binary>: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64

The relic version I have used:

relic version v7.6.2 (h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=)

The host I ran this is: 14.2.1 (23C71) - MacOS Sonoma

Is this a bug, or there is a problem in the process I followed?

Hi, i used relic.exe to sign a apk file nicely, but it contains only the APK Signature Scheme V2 which was introduced in Android 7.0.
How to sign a apk and contains both v1 and v2 signatures？

Currently DMG files are signed without hardened-runtime which may cause apple notarization process to fail. Can this flag be added to DMG signing logic?

Would be great if Relic had support for NuGet package signing.

go run main_client.go verify 03c05ac7e5dad2bf0026530453c04a73f6e5a1a9916b8b30e92292f4ae64879f
03c05ac7e5dad2bf0026530453c04a73f6e5a1a9916b8b30e92292f4ae64879f ERROR: PE sections are out of order
ERROR: 1 or more files did not validate
exit status 1

03c05ac7e5dad2bf0026530453c04a73f6e5a1a9916b8b30e92292f4ae64879f.zip

SignTool provides a parameter called "description" which is used to display the name of the program in certain scenarios. It would be great if there was a possibility to specify the description as it is quite common to use it when signing files for Windows operating systems.

The software incorrectly computes the page hashes for PE files. It uses the section alignment as a memory page size, which is incorrect. Instead, real architecture page size should be used: https://devblogs.microsoft.com/oldnewthing/20210510-00/?p=105200.

You can easily confirm this bug if you try to verify the page hashes for the C:\Windows\SysWOW64\kernel32.dll file on Windows 10, which uses the section alignment 0x10000, but the real page size is 0x1000:

c:\windows\syswow64\kernel32.dll ERROR: page hash mismatch

You should look at the image file header machine field. If it is IA64 (0x200), Alpha AXP (0x184) or Alpha AXP x64 (0x284), then the page size is 8K. Otherwise, the page size is 4K.

I'm having a lot of trouble as there is very little documentation and examples are next to impossible to find due to conflicting "New Relic" projects.

I have a SafeNet USB key, and I'm trying to sign an MSIX package on a mac.

From what I gather, I'm supposed to start the server on my local machine, and the client should connect to it. But the server instructions are specific to linux. Do I run this in a docker container and share the USB key to the docker container? Or is USB signing only supported from linux?

I'd be very grateful for some help, this seems to be our last hope to sign in CI as all other methods have failed.

Hi, i got to sign a .msi，but report error “
PS C:\Users\rango> relic.exe sign -k my_file_key -c C:\Users\rango\Documents\relic_config\relic.yml -f ..\..\testdata\setup.msi -d 9 ERROR: archive/tar: missed writing 3194 bytes
”
what dose this error mean.....😭

Hi,

Looks like Line 14 of signers/dmg/dmg.go needs to be capitalized to be accessible outside the package. This signer should follow the pattern of the other signers in the signers package and have the global variable capitalized.

Currently, this module only works for signing RPMs that have md5/sha1 digests. The output below was generated with rpm -Kv to inspect RPMs built with fpm vs nfpm respectively.

    Header SHA1 digest: OK
    MD5 digest: OK

However, RPMs built with nfpm are with sha256 digests:

  Header SHA256 digest: OK
  Payload SHA256 digest: OK

I have uploaded the RPM built with nfpm for your testing purpose: nfpm.zip. You can also rerun the following commands to regenerate the RPM yourself:

nfpm package --config test.yaml --packager rpm 

You can further inspect the test RPM:

% rpm -Kv test-1.0.0.x86_64.rpm      
test-1.0.0.x86_64.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK

% rpm -qpi  test-1.0.0.x86_64.rpm
Name        : test
Epoch       : 0
Version     : 1.0.0
Release     : 1
Architecture: x86_64
Install Date: (not installed)
Group       : 
Size        : 11
License     : MIT
Signature   : (none)
Source RPM  : test-1.0.0-1.src.rpm
Build Date  : Sat Aug 26 11:48:57 2023
Build Host  : buildkitsandbox
Packager    : test maintainer <[email protected]>
Vendor      : 
URL         : https://nfpm.goreleaser.com/
Summary     : Test RPM generated by nFPM
Description :
Test RPM generated by nFPM

please let me know if you need anything additional. Our use case here is to sign nfpm generated RPMs using SignRpmStream method. Currently these methods assumes md5 and sha1 digests by default.

If you try to sign the RPMs built with nfpm, you will get md5 digest mismatch error under current logic. This would be a nice feature as latest enterprise OS (e.g RHEL9) defaults to sha256 checksummed RPMs.

explorer.exe.zip

the error message is

 asn1: structure error: tags don't match (16 vs {class:2 tag:1 length:719 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @4

What could be the process of signing the .app file for mac? Should we individually sign all the executables within the .app file? Is there a standard process where we can get a reference to use relic to sign the .app file?

Hi! Have you looked at adding in macOS code signing support?

Unfortunately, I don't know if there are cross platform ways to do it. In my own tools, I'm using Exec to call out

Hello,

I saw "relic" is able to sign appx packages. What was your references to develop it ?
I want to build a .appx signer in java but I found difficulties to find documentation about how theses types of files are signed.

Any help would be appreciated.

Thank you very much.

I'm sorry I can't put a patch up, but I wanted to mention that Apple now has a rest API for notarization. I think this creates the possibility of having relic do notary submissions.

https://developer.apple.com/videos/play/wwdc2022/10109 and https://developer.apple.com/documentation/notaryapi specifically.

Caveat -- it requires an S3 upload

Hi. I'm packaging relic for Debian, in order to get sigstore's rekor into Debian. We have github.com/AzureAD/microsoft-authentication-library-for-go in Debian but it is newer than you use, and causes the build error below. Could you update the dependency to the latest version of github.com/AzureAD/microsoft-authentication-library-for-go and fix your code?

# github.com/sassoftware/relic/cmdline/remotecmd
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:65:20: cannot use &dvCache{…} (value of type *dvCache) as cache.ExportReplace value in argument to public.WithCache: *dvCache does not implement cache.ExportReplace (wrong type for method Export)
		have Export(cache.Marshaler, string)
		want Export(context.Context, cache.Marshaler, cache.ExportHints) error
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: not enough arguments in call to s.cli.Accounts
	have ()
	want (context.Context)
src/github.com/sassoftware/relic/cmdline/remotecmd/azure.go:79:12: assignment mismatch: 1 variable but s.cli.Accounts returns 2 values
github.com/Azure/go-autorest/autorest/azure/auth

Thanks,
Simon

I'm not sure if this a bug in library code or a problem with the file that I used for test.

package main

import (
	"fmt"

	"github.com/sassoftware/relic/v7/lib/comdoc"
)

func main() {
	doc, err := comdoc.WritePath("xls.xls")
	if err != nil {
		fmt.Println(err)
	}

	if err := doc.AddFile("filename", []byte{1, 2, 3}); err != nil {
		fmt.Println(err)
	}
}

expected: doc.AddFile returns nil
what happened: doc.AddFile returns writeat xls.xls: negative offset

xls.xls

Hi,

Is it possible to sign PE Executables with both sha1 and sha256 digests? osslsigncode has a "-nest" option for this.

Thanks!

First of all, let me say I've been testing Relic for our needs and have been very impressed by it. Documentation could be improved, but it only took a couple of hours to get something working.

One minor suggestion for improvement that would be useful, at least when running as a standalone signing tool would be able to provide multiple files to sign at a time (with the same signature type, of course), particularly if that can lead to performance improvements during the operation. For example, we often use SignTool passing in 16-20 files at a time, and it reduces total signing time by ~50% compared to signing them one at a time.

I took a quick look at the code and doesn't seem like the "take multiple files at a time" part would be too hard to do, though not sure about the performance part.

We're upgrading our installer from JDK8 to JDK11 and the generated MSI files can't be signed.

The error is:

archive/tar: missed writing 500 bytes

We generate the MSI files with the wix toolset (https://wixtoolset.org/documentation/manual/v3/overview/alltools.html)

The way how we generate the MSIs is:

unzip jre.zip -d tmp
JREDIR=tmp/jdk-11.0.16.1+1-jre
echo "JRE=$JREDIR"
heat dir "$JREDIR" -o jre.wxs -sfrag -sreg -nologo -srd -gg -cg JreComponents -dr JreDir -var var.JreDir

# pick up java.exe File ID
JavaExeId=$(grep java.exe jre.wxs | grep -o "fil[0-9A-F]*")

candle -dJreDir="$JREDIR" -dWAR="$war" -dJavaExeId=$JavaExeId -nologo -ext WixUIExtension -ext WixUtilExtension -ext WixFirewallExtension jenkins.wxs jre.wxs
# '-sval' skips validation. without this, light somehow doesn't work on automated build environment
# set to -dcl:low during debug and -dcl:high for release
light -o @@ARTIFACTNAME@@.msi -sval -nologo -dcl:high -cultures:en-us -loc en_us.wxl -ext WixUIExtension -ext WixUtilExtension -ext WixFirewallExtension jenkins.wixobj jre.wixobj

If you're interested I can share the MSI installer with you for debug purposes.

If we use the JDK8 JRE, the signing process works fine, it only fails with JDK11.

Issue Overview

When signing an Advanced Installer MSI file with Relic, the resulting signed MSI can no longer be executed. If I use SignTool.exe with the same installer and signing certificate then the MSI is successfully signed and not corrupted. This issue seems to be specific to Advanced Installer MSI files as Relic is able to sign other MSI files, such as those generated with WiX or MSIWrapper.

Reproduction Steps

NOTE: The requisite signing certificate, relic.yml, unsigned MSI and corrupted MSI files are all attached at the end of this report.

Creating a Signing Certificate

I used the following PowerShell script to generate a signing certificate:

$certProperties = @{
    DnsName         = "codesigning.local"
    CertStoreLocation = "Cert:\CurrentUser\My"
    KeyUsage        = "DigitalSignature"
    FriendlyName    = "My Code Signing Certificate"
    NotAfter        = (Get-Date).AddYears(5)
    Type            = "CodeSigningCert"
}

$cert = New-SelfSignedCertificate @certProperties

$password = ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert $cert.PSPath -FilePath "signingcert.pfx" -Password $password

Creating an Advanced Installer MSI

1. Download and install Advanced Installer.
2. Launch Advanced Installer and select "Installer Project | Simple"
3. Click "Build"
4. Save the AIP file to the location you want your MSI file.
5. The MSI file will now be created.

Signing MSI with Relic

relic.yml

tokens:
  file:
    type: file
    pin: password

keys:
  my_file_key:
    token: file
    keyfile: ./signingcert.pfx
    ispkcs12: true

timestamp:
  urls:
    - http://timestamp.digicert.com

Running Relic

relic sign --config relic.yml --file aitestinstaller.msi --output aitestinstallersigned.msi --key my_file_key

Executing the Installer

When attempting to execute the signed MSI, the following dialog is displayed:

Additional Information

Using SignTool.exe

signtool sign /f signingcert.pfx /p password /fd SHA256 /t http://timestamp.digicert.com /v aitestinstaller.msi

Test Files

RelicCorruptedMSITestFiles.zip

• relic.yml (Relic Config)
• signingcert.pfx (Signing Certificate)
• aitestinstaller.msi (Original MSI File)
• aitestinstallersigned.msi (Corrupted MSI File)

Hi,
Is there any guide for adding a new pkg format? I would be willing to donate a patch for adding support for Arch Linux based distributions, but I don't know where to start :)

I'm having a "certificate does not match key in token" issue where the exponent is showing up as 65537 in relic token contents
and the certificate also shows 65537.

I dumped the objects in the SameKey function, and key.E is 16777472, while cert.Leaf.PublicKey.E is 65537, triggering an error (both N are identical and the token works with other apps)

Using a pkcs11 token with an RSA key.

Extra info:

65537 seems to be a reserved/default value https://www.cryptsoft.com/pkcs11doc/v220/group__SEC__12__1__4__PKCS____1__RSA__KEY__PAIR__GENERATION.html

16777472 is 65537 when using the wrong endianness. So there might be an issue there.

I could try to compare with another token in my possession that was working correctly previously when using a different CA.