Merge remote-tracking branch 'origin/master' into provide-cert-chain

Author: mattmoskwa

.github/FUNDING.yml

@@ -2,3 +2,4 @@
 
 custom: ['https://paypal.me/emmanuelbourg']
 github: ebourg
+buy_me_a_coffee: ebourg

.github/workflows/build.yml

@@ -59,6 +59,10 @@ jobs:
             !jsign-core/target/jsign-core-*-javadoc.jar
             !jsign-core/target/jsign-core-*-sources.jar
             !jsign-core/target/jsign-core-*-tests.jar
+            jsign-core/target/jsign-crypto-*.jar
+            !jsign-core/target/jsign-crypto-*-javadoc.jar
+            !jsign-core/target/jsign-crypto-*-sources.jar
+            !jsign-core/target/jsign-crypto-*-tests.jar
 
       - name: Coverage report
         if: ${{ matrix.java == '17' }}

README.md

@@ -1,22 +1,21 @@
-Jsign - Java implementation of Microsoft Authenticode
-=====================================================
+Jsign - Authenticode signing tool in Java
+=========================================
 
 [![Build Status](https://github.com/ebourg/jsign/actions/workflows/build.yml/badge.svg?branch=master&event=push)](https://github.com/ebourg/jsign/actions/workflows/build.yml)
 [![Coverage Status](https://coveralls.io/repos/github/ebourg/jsign/badge.svg?branch=master)](https://coveralls.io/github/ebourg/jsign?branch=master)
 [![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
 [![Maven Central](https://img.shields.io/maven-central/v/net.jsign/jsign.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22net.jsign%22)
 
-Jsign is a Java implementation of Microsoft Authenticode that lets you sign
-and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet
-files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX), Microsoft
-Dynamics 365 extension packages, NuGet packages and scripts. Jsign is platform
-independent and provides an alternative to native tools like signcode/signtool
-on Windows or the Mono development tools on Unix systems.
+Jsign is a versatile code signing tool that allows you to sign and timestamp Windows
+executable files, installer packages and scripts. Jsign is platform independent
+and provides an alternative to native tools like signtool on Windows or the Mono
+development tools on Unix systems. It's particularly well-suited for signing
+executable wrappers and installers generated by tools such as NSIS, msitools,
+install4j, exe4j or launch4j. It emphasizes on seamless integration with cloud key
+management systems and hardware tokens.
 
-Jsign comes as an easy-to-use task/plugin for the main build systems (Maven,
-Gradle, Ant). It's especially suitable for signing executable wrappers and
-installers generated by tools like NSIS, msitools, install4j, exe4j or launch4j.
-Jsign can also be used programmatically or standalone as a command line tool.
+Jsign is available as a command line tool for Linux, macOS and Windows, as a task/plugin
+for various build systems (Maven, Gradle, Ant, GitHub Actions), and as a Java library.
 
 Jsign is free to use and licensed under the [Apache License version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
 
@@ -25,21 +24,25 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
 * Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
 * Supports multiple signatures per file, for all file types
 * Extracts and embeds detached signatures to support [reproducible builds](https://reproducible-builds.org/docs/embedded-signatures/)
+* Tags signed files with unsigned data (for user identification)
 * Hashing algorithms: MD5, SHA-1, SHA-256, SHA-384 and SHA-512
 * Keystores supported:
   * PKCS#12, JKS and JCEKS files
   * PKCS#11 hardware tokens ([YubiKey](https://www.yubico.com), [Nitrokey](https://www.nitrokey.com), [SafeNet eToken](https://cpl.thalesgroup.com/access-management/authenticators/pki-usb-authentication), etc)
   * Cloud key management systems:
     * [AWS KMS](https://aws.amazon.com/kms/)
     * [Azure Key Vault](https://azure.microsoft.com/services/key-vault/)
-    * [DigiCert ONE](https://one.digicert.com)
+    * [Azure Trusted Signing](https://learn.microsoft.com/en-us/azure/trusted-signing/)
+    * [DigiCert ONE](https://www.digicert.com/digicert-one) / [DigiCert KeyLocker](https://docs.digicert.com/en/digicert-keylocker.html)
+    * [GaraSign](https://garantir.io/garasign/)
     * [Google Cloud KMS](https://cloud.google.com/security-key-management)
     * [HashiCorp Vault](https://www.vaultproject.io/)
     * [Oracle Cloud KMS](https://www.oracle.com/security/cloud-security/key-management/)
     * [SSL.com eSigner](https://www.ssl.com/esigner/)
 * Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
 * Certificates: PKCS#7 in PEM and DER format
-* Build tools integration (Maven, Gradle, Ant)
+* Automatic download of the intermediate certificates
+* Build tools integration (Maven, Gradle, Ant, GitHub Actions)
 * Command line signing tool
 * Authenticode signing API ([Javadoc](https://javadoc.io/doc/net.jsign/jsign-core))
 * JCA security provider to use the keystores supported by Jsign with other tools such as jarsigner or apksigner
@@ -49,19 +52,40 @@ See https://ebourg.github.io/jsign for more information.
 
 ## Changes
 
-#### Version 6.1 (in development)
+#### Version 7.0 (in development)
 
-* The Oracle Cloud signing service has been integrated
+* New signing services: HashiCorp Vault Transit (contributed by Eatay Mizrachi), Azure Trusted Signing, Oracle Cloud and GaraSign
 * Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
-* Jsign now checks if the certificate subject matches the app manifest publisher before signing APPX/MSIX packages
+* Commands have been added:
+  * `timestamp`: timestamps the signatures of a file
+  * `tag`: adds unsigned data (such as user identification data) to signed files
+  * `extract`: extracts the signature from a signed file, in DER or PEM format
+  * `remove`: removes the signature from a signed file
+* The intermediate certificates are downloaded if missing from the keystore or the certificate chain file
+* File list files prefixed with `@` are now supported with the command line tool to sign multiple files
+* Wildcard patterns are now accepted by the command line tool to scan directories for files to sign
+* Jsign now checks if the certificate subject matches the app manifest publisher before signing APPX/MSIX packages (with contributions from Scott Cooper)
+* The new `--debug`, `--verbose` and `--quiet` parameters control the verbosity of the output messages
 * The JCA provider now works with [apksigner](https://developer.android.com/tools/apksigner) for signing Android applications
+* RSA 4096 keys are supported with the `PIV` storetype (for Yubikeys with firmware version 5.7 or higher)
+* Certificates using an Ed25519 or Ed448 key are now supported (experimental)
 * The APPX/MSIX bundles are now signed with the correct Authenticode UUID
+* The signed APPX/MSIX files no longer contain a `[Content_Types].old` entry
 * The error message displayed when the password of a PKCS#12 keystore is missing has been fixed
 * The log4j configuration warning displayed when signing a MSI file has been fixed (contributed by Pascal Davoust)
 * The value of the `storetype` parameter is now case insensitive
+* The Azure Key Vault account no longer needs the permission to list the keys when signing with jarsigner
+* The DigiCert ONE host can now be specified with the `keystore` parameter
+* On Windows the YubiKey library path is automatically added to the PATH of the command line tool
+* Signing more than one file with the `YUBIKEY` storetype no longer triggers a `CKR_USER_NOT_LOGGED_IN` error
+* MS Cabinet files with a pre-allocated reserve are now supported
 * API changes:
+  * The keystore builder and the JCA provider are now in a separate `jsign-crypto` module
   * The PEFile class has been refactored to keep only the methods related to signing
-* Switched to BouncyCastle LTS 2.73.5
+  * The java.util.logging API is now used to log debug messages under the `net.jsign` logger
+  * `Signable` implementations are now discovered dynamically using the ServiceLoader mechanism
+  * `Signable.createContentInfo()` has been replaced with `Signable.createSignedContent()`
+* Switched to BouncyCastle LTS 2.73.6
 
 #### Version 6.0 (2024-01-17)
 

TODO.txt

@@ -3,5 +3,4 @@ TODO
 - Verify signed files
 - GUI
 - Support private keys exported with PKCS#8 
-- Support unauthenticated blobs
 - Support generating MsiDigitalSignatureEx entries when signing MSI files (requires access to the streams metadata in POI)