Code signing support
First I want to say that Ocra is a great tool, it solves a real problem in a very clever way 😄.
However, at work we've come across a limitation - currently an executable built by Ocra cannot be digitally signed using the Windows Authenticode code signing system.
I looked into it, and think I got my head around the issue, so I thought I'd open up a PR to add code-signing support.
Ocra expects the executable to look like this:
| stub.exe content | opcodes | opcodes offset | ocra signature |
But, after Code Signing they look like this instead:
| stub.exe content | opcodes | opcodes offset | ocra signature | dig sig |
This breaks Ocra's expectations and prevents the signed executables from working.
The proposed fix is to update stub.c to use the executable headers (specifically the DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] header) to retrieve the size and location of the embedded Digital Signature.
Using this information we can tell the Ocra generated executable where to look for its own signature and opcodes. This allows an executable to continue to work whether it's been signed or not.
Tests:
I wrote tests for this using a custom fake code signing object (test/fake_code_signer.rb) as I thought the requirement for code signing tools was too much.
This FakeCodeSigner correctly updates the headers and appends a "digital signature" to the file, however the signature that gets appended is just gibberish. But this is enough to test the Ocra code, which is also indifferent to the actual signature content.
To perform a real code sign, do the following:
First install the code signing tools (I forget the link for this now, but googling will help you find makecert, signtool etc.).
Then create a self-signed cert using:
$ makecert.exe -n "CN=CARoot" -r -pe -a sha512 -len 4096 -cy authority -sv CARoot.pvk -sr LocalMachine -ss Root CARoot.cer
Generate the pfx file using:
$ pvk2pfx.exe -pvk CARoot.pvk -spc CARoot.cer -pfx CARoot.pfx -po Test123
Then sign an Ocra binary using:
$ signtool sign /f ./CARoot.pfx /p Test123 helloworld.exe
Finally test if helloworld.exe works using the updated code.
EDIT: Also happy to rebase if you would prefer I pruned some of the commits
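The lookup described above, sketched in Ruby as an added example (not code from this PR, stub.c or test/fake_code_signer.rb): it reads DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY] to find where Ocra's trailer ends in signed and unsigned files. The "OCRA" marker, the 32-bit little-endian opcodes offset, the zero padding to an 8-byte boundary and all helper names are assumptions made for the illustration.

```ruby
MARKER = "OCRA".b    # constructed stand-in for Ocra's trailer signature (assumption)
SECURITY_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY

def u(image, offset, fmt, len)   # read one little-endian field, fail on truncation
  image.byteslice(offset, len)&.unpack1(fmt) || raise(ArgumentError, "truncated image")
end

# Returns [file_offset, size] of the appended signature, or nil when unsigned.
def security_directory(image)
  raise ArgumentError, "not an MZ image" unless image.byteslice(0, 2) == "MZ"
  pe = u(image, 0x3C, "V", 4)                     # e_lfanew
  raise ArgumentError, "bad PE header" unless image.byteslice(pe, 4) == "PE\0\0"
  opt = pe + 24                                   # PE signature (4) + COFF header (20)
  dirs = opt + { 0x10b => 96, 0x20b => 112 }.fetch(u(image, opt, "v", 2)) # PE32 / PE32+
  return nil if u(image, dirs - 4, "V", 4) <= SECURITY_INDEX  # NumberOfRvaAndSizes
  offset, size = [0, 4].map { |d| u(image, dirs + SECURITY_INDEX * 8 + d, "V", 4) }
  return nil if offset.zero? || size.zero?
  # This directory's address field is a file offset, not an RVA, so bounds-check it.
  raise ArgumentError, "certificate table out of bounds" if offset + size > image.bytesize
  [offset, size]
end

# End of Ocra's trailer: just before the signature when signed, else end of file.
def ocra_trailer_end(image)
  stop = security_directory(image)&.first || image.bytesize
  8.times do   # assumption: the signer zero-pads to an 8-byte boundary before appending
    return stop if image.byteslice(stop - MARKER.bytesize, MARKER.bytesize) == MARKER
    break unless image.getbyte(stop - 1) == 0
    stop -= 1
  end
  raise ArgumentError, "Ocra marker not found"
end

def opcodes_offset(image)  # assumption: 32-bit LE offset stored right before the marker
  u(image, ocra_trailer_end(image) - MARKER.bytesize - 4, "V", 4)
end

# Constructed sample: minimal PE32 headers, payload and trailer, optionally "signed".
def sample_image(signed:)
  img = "MZ".b.ljust(0x3C, "\0") + [0x40].pack("V")   # DOS header, e_lfanew = 0x40
  opt = "\0".b * 224; opt[0, 2] = [0x10b].pack("v"); opt[92, 4] = [16].pack("V")
  img << "PE\0\0".b << ("\0".b * 20) << opt << "stub".b
  opcodes_at = img.bytesize
  img << "OPCODES".b << [opcodes_at].pack("V") << MARKER
  return img unless signed
  img << "\0".b * ((8 - img.bytesize % 8) % 8)        # alignment padding
  sig = "\xDE\xAD".b * 8                              # gibberish "signature"
  img[0x40 + 24 + 96 + SECURITY_INDEX * 8, 8] = [img.bytesize, sig.bytesize].pack("VV")
  img << sig
end
```

Both `sample_image(signed: true)` and `sample_image(signed: false)` resolve to the same opcodes offset, and a security directory entry that points past the end of the file is rejected instead of being followed.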
While I have a Github account, I have not figured out how to merge this pull request into my own Github fork of Ocra, so I have my own fork here:
https://www.codebykevin.com/fossil.cgi/stringscan/dir?ci=72deeb91ec0fb17e&name=ocra-master
I simply took your stub.c file and replaced the one in the current gem of Ocra, and rebuilt stub.exe. Code-signing works perfectly and I plan to deploy it in the next Windows release of my Ruby-Tk app, Stringscan: https://www.codebykevin.com/stringscan.html
Thanks for contributing this! Hopefully the Ocra developer will merge this pull request in a future release.