Support for /dg and /di options from signtool

[obones]

Hello,

I currently have a situation where multiple windows machines need to sign with a code signing certificate that is on a physical token.
To achieve this, I have the following series of steps:

1. Generate the digest and p7 files

signtool.exe sign /q /f "%CertificatePublicKeyFilename%" /du %SignatureUrl%  /fd sha256 /dg . "%FileToSign%"

2. Send digest to remote service and retrieve signed digest
   remote service basically does this: signtool.exe sign /q /sha1 %CertificateThumbprint% /ds DigestFile.dig

set Digest=<"%FileToSign%.dig"
curl --fail-with-body -X GET -o "%FileToSign%.dig.signed" %SigningServerUrl%?digest=%Digest%

3. Apply signed digest to file

signtool.exe sign /q /f "%CertificatePublicKeyFilename%" /di . "%FileToSign%"

4. Timestamp the result

signtool.exe timestamp /q /tr %SignatureTimeStampURL% /td sha256 "%FileToSign%"

Steps 3 and 4 are separated because signtool does not support timestamping at the same time as ingesting a signed digest.

My problem is that I now need to reproduce this series of steps on Linux machines as well, and so am looking for a way to reproduce this with a tool that supports this operating system, which jsign is.

However, I could not find any command line options that would replicate the /dg and /di options from signtool.exe, whose descriptions are this:

/dg <path>   Generates the to be signed digest and the unsigned PKCS7 files.
             The output digest and PKCS7 files will be: <path>\<file>.dig and
             <path>\<file>.p7u. To output an additional XML file, see /dxml.
/di <path>   Creates the signature by ingesting the signed digest to the
             unsigned PKCS7 file. The input signed digest and unsigned
             PKCS7 files should be: <path>\<file>.dig.signed and
             <path>\<file>.p7u.

Is this something that is already available? Or could this be added to jsign?

[ebourg]

What is the remote service used?

[obones]

A simple REST API that I wrote in C# which spawns the signtool process that accesses a certificate stored on a Yubikey USB device.
What I want is to be able to sign from multiple machines while avoiding transferring the executable to be signed back and forth, it is a lot larger (several megabytes) than the digest (44 bytes).
Now, if there is a way to use another service that accepts multiple clients and provide what jsign needs while already being supported by jsign, that would be fine as well.

[ebourg]

I see, so the Yubikey is plugged on the server, and the clients use it through an API. There is SignServer that does something like this too, but Jsign can't call it directly.

If you don't mind coding a bit in Java you could implement the net.jsign.jca.SigningService interface to call your REST API. That's how Jsign calls AWS, Google Cloud and other signing services. Then you would sign though your API by using a custom storetype:

jsign --storetype MYKEYSTORE --storepass password --alias alias application.exe