Signature verification #224
Replies: 2 comments
-
Glad to hear you are putting Jsign to good use :) The verification feature I'm planning will return a structured validation report and not just a boolean. The report will contain the various elements checked (file hashes, certificates, CRL, timestamps) and you'll be able to pick what matters to you. The intermediate certificates will be downloaded automatically if possible, and Jsign will ship with the same database of root certificates as Windows, so everything needed to validate the chain will be provided.
-
Sounds good. Looking forward to it.
-
First, many thanks to @ebourg and committers for keeping Jsign up to date - it's a lifesaver for us. I just updated from Jsign 2.0 to 6.0, fairly quickly and painlessly. I was very happy to get rid of code that forked osslsigncode for MSI signing.
Anyway, I'm keenly interested in the hopefully-upcoming signature verification support, as it may allow me to finally get rid of osslsigncode.
I'm re-working our build environment, somewhat related to our upcoming EV cert renewal, for which we'll have to buy new tokens, so am moving to a shared code-signing server (cluster) to minimize the number of tokens needed. (My signing servers now use Jsign 6.0 API, as mentioned).
I'd still like to do signature verification without relying on tokens during a build, thus am curious if the planned verification support will have an option to just verify the signature, but skip verifying the cert chain of the cert CA/timestamps? Unless I stash the token CA and TS CA certs somewhere, requiring chain verification would be impossible since the tokens won't be around during the builds. I suppose I could add that functionality to my signing servers, but it would still require that option in the API, vs. ant task, e.g. And, doing verification remotely will slow things down.
Why do I need to verify signatures? In some cases, we deploy pre-signed artifacts, and I need to make sure unsigned or broken artifacts don't leak into the build.
FWIW, my main problem with osslsigncode is that the old version would return 0 even if verification failed. While newer versions properly return non-zero for a broken/missing signature, there is no option to eliminate at least the CA chain verification, which I don't need except in unusual circumstances.
Also, I'd be happy to test signature verification at whatever point you have something available. On the build side, I'd probably use the ant task, if that matters.
Thanks!
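The "verify the signature, but skip the chain" mode asked for above amounts to three checks that need no CA or timestamp certificates: a certificate table is present in the PE, its WIN_CERTIFICATE header is sane, and the digest embedded in it equals the file's Authenticode hash. The following is an added illustration, not Jsign's or osslsigncode's code and not the planned Jsign API; it returns a small report dict in the spirit of the structured report described in the first reply. It implements the Authenticode PE hashing rules (CheckSum field, certificate-table directory entry and the certificate table itself are excluded from the hash). One deliberate simplification, labelled in the code: instead of parsing the PKCS#7 SpcIndirectDataContent and checking the CMS signature over it, the digest is searched for as a byte string inside the blob. The PE image and the "signature" entry are constructed here so the script runs offline; the entry is a stand-in, not a real signature.

```python
import hashlib
import struct

SECURITY_DIR = 4                          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _layout(data: bytes) -> dict:
    """Locate the PE header fields the Authenticode hash rules refer to."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dir_base = opt + (96 if magic == 0x10B else 112)      # PE32 / PE32+ data directories
    sec_dir = dir_base + SECURITY_DIR * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
    return {
        "checksum": opt + 64,                             # CheckSum field offset
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "sec_dir": sec_dir,                               # certificate-table directory entry
        "sect_tbl": opt + size_opt, "num_sections": num_sections,
        "cert_off": cert_off, "cert_size": cert_size,
    }


def authenticode_digest(data: bytes, algo: str = "sha256") -> bytes:
    """Hash the image the way Authenticode does: skip CheckSum, skip the
    certificate-table directory entry, hash sections in file order, then any
    trailing data, but never the certificate table itself."""
    L = _layout(data)
    h = hashlib.new(algo)
    h.update(data[:L["checksum"]])
    h.update(data[L["checksum"] + 4:L["sec_dir"]])
    h.update(data[L["sec_dir"] + 8:L["size_of_headers"]])
    hashed = L["size_of_headers"]
    sections = []
    for i in range(L["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, L["sect_tbl"] + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - L["cert_size"] - hashed           # data between sections and cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.digest()


def check_embedded_signature(data: bytes) -> dict:
    """Signature-only report: no certificate chain, CRL or timestamp checks.
    Simplification: the digest is searched for in the blob rather than parsed
    out of the PKCS#7 SpcIndirectDataContent with the CMS signature verified."""
    L = _layout(data)
    report = {"present": False, "well_formed": False, "digest_matches": False}
    if L["cert_size"] == 0:
        return report
    report["present"] = True
    blob = data[L["cert_off"]:L["cert_off"] + L["cert_size"]]
    if len(blob) >= 8:
        dw_len, rev, ctype = struct.unpack_from("<IHH", blob, 0)
        report["well_formed"] = (dw_len <= len(blob) and rev == WIN_CERT_REVISION_2_0
                                 and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    report["digest_matches"] = report["well_formed"] and authenticode_digest(data) in blob[8:]
    return report


# --- constructed sample input: a minimal PE32 image and a stand-in signature entry ---

def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Build a 1024-byte PE32 image (one .text section, not a runnable program)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)         # CheckSum (not covered by the hash)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    if cert_blob:
        struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, 1024, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(512, b"\0")
    return headers + bytes(range(256)) * 2 + cert_blob


def make_fake_signature(digest: bytes) -> bytes:
    """Stand-in for a PKCS#7 SignedData entry that carries the digest (not a real signature)."""
    body = b"constructed-SpcIndirectDataContent:" + digest
    entry = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    return entry.ljust((len(entry) + 7) & ~7, b"\0")     # certificate entries are 8-byte aligned


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(make_fake_signature(authenticode_digest(unsigned)))
    tampered = bytearray(signed); tampered[600] ^= 0xFF  # flip one byte inside .text
    for name, image in (("unsigned", unsigned), ("signed", signed), ("tampered", bytes(tampered))):
        print(name, check_embedded_signature(image))
```

A build gate built on this would fail on `present == False` (unsigned artifact) or `digest_matches == False` (signature does not cover the bytes being shipped) without ever touching a token or a CA bundle; the chain and timestamp questions are left for the richer report. Note that the exclusions are what make the CheckSum field freely patchable after signing, so a changed checksum is not by itself a tampering signal.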