authenticode

package module

v0.1.0 Latest Latest Go to latest Published: May 16, 2026 License: MIT Imports: 15 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/KarpelesLab/authenticode

Links

Open Source Insights

README ¶

authenticode

Pure-Go Microsoft Authenticode signing for Windows PE (.exe / .dll) files. No CGO, no osslsigncode shell-out, no PKCS#11 engine — just encoding/asn1 and the standard crypto.Signer interface.

What it does

Parses PE32 / PE32+ images and computes the Authenticode digest (skipping the file checksum, the attribute-certificate data directory entry, and the existing attribute certificate table, per Microsoft's spec).
Builds the SpcIndirectDataContent structure and the CMS SignedData ContentInfo with the four Authenticode-required signed attributes (contentType, messageDigest, SpcSpOpusInfo, SpcStatementType).
Optionally requests an RFC 3161 timestamp from any Content-Type: application/timestamp-query TSA and embeds it under id-smime-aa-timeStampToken.
Wraps the result in a WIN_CERTIFICATE and writes it into a new attribute certificate table on the PE.

Verified end-to-end with osslsigncode verify (DigiCert-issued code-signing chain, ECDSA P-384 / SHA-384).

Usage

import "github.com/KarpelesLab/authenticode"

// signer is anything implementing authenticode.Signer:
//   crypto.Signer + Certificate() *x509.Certificate + CertificateChain() []*x509.Certificate
// (github.com/KarpelesLab/hsm Key satisfies it directly.)
signed, err := authenticode.Sign(peBytes, signer, authenticode.SignOptions{
    Hash:   crypto.SHA384,
    TSAURL: "http://timestamp.digicert.com",
})

SignWithChain is the lower-level form that accepts a raw crypto.Signer and an explicit chain.

Status

ECDSA leaf certs only (P-256, P-384, P-521); RSA leaf support and richer compatibility tests are open follow-ups.

License

MIT — see LICENSE.

Documentation ¶

Overview ¶

Package authenticode implements Microsoft Authenticode PE signing in pure Go. It computes the Authenticode digest, builds the CMS SignedData (with SpcIndirectDataContent), embeds an RFC3161 timestamp, and writes the resulting WIN_CERTIFICATE into the PE's attribute certificate table. It signs through any crypto.Signer (e.g. the github.com/KarpelesLab/hsm IDPrime backend driving a USB token).

Index ¶

func BuildSignedData(spc []byte, signer crypto.Signer, chain []*x509.Certificate, opts SignOptions) ([]byte, error)
func BuildSpcIndirectDataContent(peDigest []byte, h crypto.Hash) ([]byte, error)
func RequestTimestamp(ctx context.Context, tsaURL string, signature []byte, h crypto.Hash) ([]byte, error)
func Sign(pe []byte, signer Signer, opts SignOptions) ([]byte, error)
func SignWithChain(pe []byte, signer crypto.Signer, chain []*x509.Certificate, opts SignOptions) ([]byte, error)
type PE
- func Parse(raw []byte) (*PE, error)
- func (p *PE) AuthenticodeDigest(h hash.Hash) []byte
- func (p *PE) EmbedSignature(cms []byte) []byte
type SignOptions
type Signer

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func BuildSignedData ¶

func BuildSignedData(spc []byte, signer crypto.Signer, chain []*