Skip to main content
This guide assumes your Product Admin has already created a Signer and assigned you to it. If the signer has an approval policy, you’ll also need active access before signing.
Sign Windows Authenticode artifacts using osslsigncode with the Infisical PKCS#11 module. osslsigncode is a cross-platform tool that lets you sign Windows binaries from Linux and macOS, making it ideal for CI/CD pipelines that don’t run on Windows.

Prerequisites

Step 1: Set Up Authentication

Configure the Infisical PKCS#11 module with your machine identity credentials. Without this, the signing commands below fail with an auth error. Create /etc/infisical/pkcs11.conf (or set INFISICAL_CONFIG to point elsewhere):
You can also pass the credentials via environment variables:
Environment variables override values from the config file.
For the full set of options, see the PKCS#11 module configuration reference.

Step 2: Install osslsigncode and Dependencies

Step 3: Identify Your Signer

Use pkcs11-tool to list available signers and note the token label:

Step 4: Sign a Windows Executable

Use osslsigncode with the PKCS#11 module to sign your binary:
  • -pkcs11module: Path to the Infisical PKCS#11 shared library.
  • -pkcs11cert and -key: PKCS#11 URI referencing your signer by name. Replace release-signer with your signer name.
  • -h sha256: Hash algorithm for the signature digest.
  • -n: Description embedded in the signature (shown in Windows UAC prompts).
  • -i: URL for more information about the publisher.
  • -t: Timestamp server URL. Timestamping ensures the signature remains valid after your certificate expires.

Supported File Types

osslsigncode can sign the following Windows artifact types:

Step 5: Verify the Signature

Verify the signed binary:
The output confirms the signature is valid:

CI/CD Integration

Troubleshooting

For any issue, enable debug logging in your config file ("log_level": "debug", "log_file": "/tmp/infisical-pkcs11.log") to get detailed output.
Verify the object name in the PKCS#11 URI matches your signer name exactly and that you have active signing access. You can list available signers with pkcs11-tool --module /path/to/lib --list-slots.
The -pkcs11cert URI must match your signer name exactly. Use pkcs11-tool --module /path/to/lib --list-objects --type cert to verify available certificate labels.

What’s Next?

Sign with OpenSSL

General-purpose signing with OpenSSL

Sign Android APKs

Sign Android applications with apksigner