Code Signing with CMS Signatures
Similarly to the plain signature format, the Cryptographic Message Syntax (CMS) format based on PKCS#7 can be used to sign arbitrary data. Many signature formats include CMS signatures, such as Authenticode and JAR signing. The format can also be useful standalone for signing firmware or release packages. Existing tools like OpenSSL can in many cases be used to verify the signatures.
The CMS signature includes the signer certificate and can also optionally include a time-stamp token from a Time-Stamping Authority (TSA) using the RFC#3161 format.
The CMS signature can be created with the content of the original document encapsulated within the signature. More useful for code signing is generally the detached signature option where the signature can be in a separate file.
Adding a CMS Signer
There are multiple CMS signers in SignServer, for example:
- CMS Signer: Provides basic functionality.
- Extended CMS Signer: Provides additional functionality like time-stamping support and is thus the recommended one to use.
To add an Extended CMS Signer, follow the steps described in the Adding a Plain Signer section but use the template called extended_cms_signer.properties.
For code signing, you likely would like to use the DETACHEDSIGNATURE=true option.
Using the CMS Signer
The different methods for submitting a file to be signed described in section Using the Plain Signer are also applicable for CMS signing.
Verifying a CMS Detached Signature
As the signature and the file are in separate files, both are needed when verifying the signature. Let's say you have a file called software-release-1.0.zip
and have provided it to the CMS Signer and obtained a detached signature now stored in a file called software-release-1.0.zip.p7s.
Using OpenSSL, the signature can be verified according to the following example:
OpenSSL CMS Example
openssl cms -verify -in software-release-1.0.zip.p7s -inform DER -content software-release-1.0.zip -CAfile ca.pem > /dev/null
Note that the input format is specified as in DER (binary) format.
The redirect to /dev/null
at the end is made as OpenSSL would otherwise output the content of the file.
CMS Signer Options
The following lists relevant properties to configure for the CMS Signer:
Worker Property | Description |
---|---|
SIGNATUREALGORITHM | Specifying the algorithm used to use for the signature. |
DETACHEDSIGNATURE | Set to true to use the detached signature mode where the content is not being included in the signature. |
CLIENTSIDEHASHING | If the input to the signer should not be the content but a hash of it. For more information, see Client-Side Hashing. |
For all available properties, refer to the CMS Signer section of the SignServer Manual.