Description:
This update for osslsigncode fixes the following issues:
- Update to 2.13 (boo#1260680, CVE-2025-70888):
* fixed integer overflows when processing APPX compressed data
streams
* fixed double-free vulnerabilities in APPX file processing
* fixed multiple memory corruption issues in PE page hash
computation
- Changes from 2.12:
* fixed a buffer overflow while extracting message digests
- Changes from 2.11:
* added keyUsage validation for signer certificate
* added printing CRL details during signature verification
* implemented a workaround for CRL servers returning an
HTTP Content-Type header other than application/pkix-crl
* fixed HTTP keep-alive handling
* fixed macOS compiler and linker flags
* fixed undefined BIO_get_fp() behavior with
BIO_FLAGS_UPLINK_INTERNAL
- update to 2.10:
* added JavaScript signing
* added PKCS#11 provider support (requires OpenSSL 3.0+)
* added support for providers without specifying
"-pkcs11module" option (OpenSSL 3.0+, e.g., for the
upcoming CNG provider)
* added compatibility with the CNG engine version 1.1 or later
* added the "-engineCtrl" option to control hardware and CNG
engines
* added the '-blobFile' option to specify a file containing the
blob content
* improved unauthenticated blob support (thanks to Asger Hautop
Drewsen)
* improved UTF-8 handling for certificate subjects and issuers
* fixed support for multiple signerInfo contentType OIDs (CTL
and Authenticode)
* fixed tests for python-cryptography >= 43.0.0
- update to version 2.9:
* added a 64-bit pseudo-random NONCE in the TSA request
* missing NID_pkcs9_signingTime is no longer an error
* added support for PEM-encoded CRLs
* fixed the APPX central directory sorting order
* added a special "-" file name to read the passphrase from
stdin
* used native HTTP client with OpenSSL 3.x, removing libcurl
dependency
* added '-login' option to force a login to PKCS11 engines
* added the "-ignore-crl" option to disable fetching and
verifying CRL Distribution Points
* changed error output to stderr instead of stdout
* various testing framework improvements
* various memory corruption fixes
- update to version 2.8:
* Microsoft PowerShell signing sponsored by Cisco Systems, Inc.
* fixed setting unauthenticated attributes (Countersignature,
Unauthenticated Data Blob) in a nested signature
* added the "-index" option to verify a specific signature or
modify its unauthenticated attributes
* added CAT file verification
* added listing the contents of a CAT file with the "-verbose"
option
* added the new "extract-data" command to extract a PKCS#7 data
content to be signed with "sign" and attached with "attach-signature"
* added PKCS9_SEQUENCE_NUMBER authenticated attribute support
* added the "-ignore-cdp" option to disable CRL Distribution
Points (CDP) online verification
* unsuccessful CRL retrieval and verification changed into a
critical error
* the "-p" option modified to also use the configured proxy to
connect to CRL Distribution Points
* added implicit allowlisting of the Microsoft Root Authority
serial number 00C1008B3C3C8811D13EF663ECDF40
* added listing of certificate chain retrieved from the
signature in case of verification failure
- update to 2.7.0:
* fixed signing CAB files (by Michael Brown)
* fixed handling of unsupported commands (by Maxim Bagryantsev)
* fixed writing DIFAT sectors
* added APPX support (by Maciej Panek and Małgorzata Olszówka)
* added a built-in TSA response generation (-TSA-certs, -TSA-key
and -TSA-time options)
* added verification of CRLs specified in the signing certificate
* added MSI DIFAT sectors support (by Max Bagryantsev)
* added the "-h" option to set the cryptographic hash function for the
"attach-signature" and "add" commands
* set the default hash function to "sha256"
* added the "attach-signature" option to compute and compare the leaf
certificate hash for the "add" command
* renamed the "-st" option to "-time"
* updated the "-time" option to also set explicit verification time
* added the "-ignore-timestamp" option
* removed the "-timestamp-expiration" option
* numerous bugfixes
* documentation updates