Skip to content

Introduce binary signing

WXbet requested to merge binary-signing into master

Build process

  • new build option WITH_SIGNING supported by make and cmake
  • create CA certificate (config.sh --create-cert) or use own pre-built certificate (config.sh --add-cert)
  • embed certificate as config_cert variable to config.c (config.sh --make-config.mak)
  • sign SHA1 hash of binary with private key after build
  • append signature to binary (upx binaries are supported as well)
  • build process uses the new options in config.sh (--create-cert, --add-cert, --cert-file, --cert-info, --sign-marker)

Runtime signature verification

  • extract public key from built-in certificate
  • read signature from running binary
  • verify SHA1 hash of running binary with extracted public key against signature
  • stop running oscam if the verification process fails

Runtime certificate/signature information

  • oscam startlog informs about signature verification status and certificate validity
  • oscam.version shows signature and certificate details

Merge request reports