Skip to main content
In the following steps, we explore how to sign Windows Authenticode artifacts using osslsigncode with the Infisical PKCS#11 module. osslsigncode is a cross-platform tool that lets you sign Windows binaries from Linux and macOS, making it ideal for CI/CD pipelines that don’t run on Windows.

Prerequisites

Step 1: Install osslsigncode and Dependencies

sudo apt-get update
sudo apt-get install -y osslsigncode opensc

Step 2: Identify Your Signer

Use pkcs11-tool to list available signers and note the token label: 
pkcs11-tool --module /usr/local/lib/libinfisical-pkcs11.so --list-slots

Available slots:
Slot 0 (0x0): release-signer
  token label        : release-signer
  token manufacturer : Infisical

Step 3: Sign a Windows Executable

Use osslsigncode with the PKCS#11 module to sign your binary: 
osslsigncode sign \
  -pkcs11module /usr/local/lib/libinfisical-pkcs11.so \
  -pkcs11cert "pkcs11:object=release-signer;type=cert" \
  -key "pkcs11:object=release-signer;type=private" \
  -h sha256 \
  -n "My Application" \
  -i "https://example.com" \
  -t http://timestamp.digicert.com \
  -in MyApp.exe \
  -out MyApp-signed.exe
  • -pkcs11module: Path to the Infisical PKCS#11 shared library.
  • -pkcs11cert and -key: PKCS#11 URI referencing your signer by name. Replace release-signer with your signer name.
  • -h sha256: Hash algorithm for the signature digest.
  • -n: Description embedded in the signature (shown in Windows UAC prompts).
  • -i: URL for more information about the publisher.
  • -t: Timestamp server URL. Timestamping ensures the signature remains valid after your certificate expires.

Supported File Types

osslsigncode can sign the following Windows artifact types:
TypeExtensions
Executables.exe, .dll, .sys, .ocx
Installers.msi, .msix, .appx
Cabinet files.cab
Scripts.ps1, .vbs
Catalogs.cat

Step 4: Verify the Signature

Verify the signed binary: 
osslsigncode verify MyApp-signed.exe
The output confirms the signature is valid: 
Signature verification: ok

CI/CD Integration

export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="${INFISICAL_CLIENT_ID}"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="${INFISICAL_CLIENT_SECRET}"
export INFISICAL_PKCS11_CONFIG="/path/to/pkcs11.conf"

osslsigncode sign \
  -pkcs11module /usr/local/lib/libinfisical-pkcs11.so \
  -pkcs11cert "pkcs11:object=release-signer;type=cert" \
  -key "pkcs11:object=release-signer;type=private" \
  -h sha256 \
  -n "My Application" \
  -t http://timestamp.digicert.com \
  -in MyApp.exe \
  -out MyApp-signed.exe

Troubleshooting

For any issue, enable debug logging in your config file ("log_level": "debug", "log_file": "/tmp/infisical-pkcs11.log") to get detailed output.
Verify the object name in the PKCS#11 URI matches your signer name exactly and that you have an active signing grant. You can list available signers with pkcs11-tool --module /path/to/lib --list-slots.
The -pkcs11cert URI must match your signer name exactly. Use pkcs11-tool --module /path/to/lib --list-objects --type cert to verify available certificate labels.