Pure-Go Microsoft Authenticode signing for Windows PE (.exe / .dll) files. No CGO, no osslsigncode shell-out, no PKCS#11 engine — just encoding/asn1 and the standard crypto.Signer interface.
- Parses PE32 / PE32+ images and computes the Authenticode digest (skipping the file checksum, the attribute-certificate data directory entry, and the existing attribute certificate table, per Microsoft's spec).
- Builds the `SpcIndirectDataContent` structure and the CMS `SignedData` `ContentInfo` with the four Authenticode-required signed attributes (`contentType`, `messageDigest`, `SpcSpOpusInfo`, `SpcStatementType`).
- Optionally requests an RFC 3161 timestamp from any `Content-Type: application/timestamp-query` TSA and embeds it under `id-smime-aa-timeStampToken`.
- Wraps the result in a `WIN_CERTIFICATE` and writes it into a new attribute certificate table on the PE.
Verified end-to-end with osslsigncode verify (DigiCert-issued code-signing chain, ECDSA P-384 / SHA-384).
```go
import "github.com/KarpelesLab/authenticode"

// signer is anything implementing authenticode.Signer:
// crypto.Signer + Certificate() *x509.Certificate + CertificateChain() []*x509.Certificate
// (github.com/KarpelesLab/hsm Key satisfies it directly.)
signed, err := authenticode.Sign(peBytes, signer, authenticode.SignOptions{
	Hash:   crypto.SHA384,
	TSAURL: "http://timestamp.digicert.com",
})
```

`SignWithChain` is the lower-level form that accepts a raw `crypto.Signer` and an explicit chain.
- ECDSA leaf certs only (P-256, P-384, P-521); RSA leaf support and richer compatibility tests are open follow-ups.
MIT — see LICENSE.