Automic VaultAutomic Vault

brew

Install osslsigncode with Homebrew, apt, dnf, MacPorts, Nix, scoop, winget, zypper

OpenSSL based Authenticode signing for PE/MSI/Java CAB files. Version 2.13 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install osslsigncode

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install osslsigncode

MacPorts ports tree · devel/osslsigncode/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install osslsigncode

Debian stable package indexes · osslsigncode · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install osslsigncode

Fedora Rawhide package metadata · osslsigncode · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#osslsigncode

nixpkgs package indexes · pkgs/by-name/os/osslsigncode/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install osslsigncode

openSUSE Tumbleweed package metadata · osslsigncode · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/osslsigncode

Scoop official bucket manifest trees · bucket/osslsigncode.json · source: api.github.com

Windows Package Managerverified · 92%
winget install --id MichalTrojnara.osslsigncode -e

Windows Package Manager source index · MichalTrojnara.osslsigncode · source: cdn.winget.microsoft.com

overview

Package summary

OpenSSL based Authenticode signing for PE/MSI/Java CAB files

Commands and aliases

  • osslsigncode

history

Project history and usage

osslsigncode is an OpenSSL- and cURL-based command-line implementation of Authenticode signing, timestamping, verification, removal, and extraction for Windows-oriented file formats such as PE, CAB, CAT, MSI, APPX, and selected script files.

Project history

The project was created to avoid depending on Microsoft's `signtool.exe` and Windows CryptoAPI when signing Windows binaries from Unix-like build environments. Its README explains the origin plainly: binaries could be built with Wine on Linux, but signing with signtool failed because the necessary Windows APIs were not fully implemented there.

The codebase records a longer authorship chain than the GitHub namespace suggests. The main C source includes copyright attribution for Per Allansson for 2005-2015 and Michal Trojnara for 2018-2023, while the maintained GitHub repository is under mtrojnar and uses CMake-based builds.

Adoption history

osslsigncode filled a practical gap for cross-platform release engineering: sign Windows installers and executables from Linux or macOS CI systems using OpenSSL-compatible key material. Its packaging across Homebrew, Debian/Ubuntu, Fedora, MacPorts, Nix, Scoop, winget, and openSUSE reflects that it is used by build and security pipelines rather than by end-user desktop workflows.

Vendor documentation from DigiCert includes osslsigncode in third-party signing-tool instructions for PKCS#11 workflows, showing that certificate authorities and signing services treat it as a supported path for Authenticode operations outside Microsoft tooling.

How it is used

A typical use signs a PE or MSI file with a certificate and private key, optionally adds an Authenticode or RFC 3161 timestamp, and verifies the resulting signature. The README also documents PKCS#12 containers, PKCS#11 engines and providers, Windows CNG engine use, CAB Java signing compatibility, and operations for extracting or removing signatures.

The tool is especially useful in CI/CD systems that build Windows artifacts on non-Windows hosts or store signing keys in HSM, token, PKCS#11, or provider-backed systems.

Why package nerds care

osslsigncode is significant because it packages a Windows trust-format workflow in portable Unix-style form. It sits at the awkward intersection of OpenSSL, Windows Authenticode, timestamp authorities, hardware-backed keys, and reproducible release automation.

Related projects

  • Microsoft signtool.exe is the proprietary reference tool that osslsigncode partially replaces. OpenSSL, cURL, PKCS#11 engines/providers, and certificate-authority timestamp services are its operational dependencies and ecosystem neighbors.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
osslsigncodecliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.13
manager updated
local dataok
upstreamcurrent
latest detected2.13

https://github.com/mtrojnar/osslsigncode

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:osslsigncode
Version2.13
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/osslsigncode
Homepagehttps://github.com/mtrojnar/osslsigncode
Repositoryhttps://github.com/mtrojnar/osslsigncode
Upstream docshttps://github.com/mtrojnar/osslsigncode#readme
LicenseGPL-3.0-or-later
Source archivehttps://github.com/mtrojnar/osslsigncode/archive/refs/tags/2.13.tar.gz
Dependenciesopenssl@3
Build dependenciescmake
Uses from macOScurl, python
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameosslsigncode
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

osslsigncode 2.9-2

Authenticode signing tool

https://github.com/mtrojnar/osslsigncode

sudo apt install osslsigncode
  • Section: otherosfs
  • Architecture: amd64
  • 3 dependencies
  • normalized package name match
  • Matched by: Osslsigncode
Debian stable package indexes · deb.debian.org · Debian stable package indexes: osslsigncode from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

osslsigncode

nix profile install nixpkgs#osslsigncode
  • normalized package name match
  • Matched by: Osslsigncode
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/os/osslsigncode/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

osslsigncode 2.8-2

Authenticode signing tool

https://github.com/mtrojnar/osslsigncode

sudo apt install osslsigncode
  • Section: universe/otherosfs
  • Architecture: amd64
  • 4 dependencies
  • normalized package name match
  • Matched by: Osslsigncode
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: osslsigncode from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

osslsigncode 2.13-1.fc45

OpenSSL-based Authenticode signing for PE, CAB, CAT, MSI, APPX

https://github.com/mtrojnar/osslsigncode

sudo dnf install osslsigncode
  • License: GPL-3.0-or-later
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: osslsigncode
  • 5 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Osslsigncode
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: osslsigncode from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
zypper95%

osslsigncode 2.13-1.2

Platform-independent tool for Authenticode signing of EXE/CAB files

https://github.com/mtrojnar/osslsigncode

sudo zypper install osslsigncode
  • License: GPL-3.0-only
  • Category: Productivity/Security
  • Architecture: x86_64
  • Source Package: osslsigncode
  • 4 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Osslsigncode
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: osslsigncode from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

osslsigncode

sudo port install osslsigncode
  • normalized package name match
  • Matched by: Osslsigncode
MacPorts ports tree · api.github.com · MacPorts ports tree: devel/osslsigncode/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/osslsigncode

scoop install main/osslsigncode
  • normalized package name match
  • Matched by: Osslsigncode
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/osslsigncode.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
winget95%

MichalTrojnara.osslsigncode

winget install --id MichalTrojnara.osslsigncode -e
  • normalized package name match
  • Matched by: Osslsigncode
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: MichalTrojnara.osslsigncode from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment