# Install osslsigncode with Homebrew, apt, dnf, MacPorts, Nix, scoop, winget, zypper

OpenSSL based Authenticode signing for PE/MSI/Java CAB files. Version 2.13 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:osslsigncode
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install osslsigncode
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install osslsigncode
```

  Evidence: MacPorts ports tree: devel/osslsigncode/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install osslsigncode
```

  Evidence: Debian stable package indexes: osslsigncode from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install osslsigncode
```

  Evidence: Fedora Rawhide package metadata: osslsigncode from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#osslsigncode
```

  Evidence: nixpkgs package indexes: pkgs/by-name/os/osslsigncode/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install osslsigncode
```

  Evidence: openSUSE Tumbleweed package metadata: osslsigncode from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/osslsigncode
```

  Evidence: Scoop official bucket manifest trees: bucket/osslsigncode.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id MichalTrojnara.osslsigncode -e
```

  Evidence: Windows Package Manager source index: MichalTrojnara.osslsigncode from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:osslsigncode
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/osslsigncode>
- **Version:** 2.13
- **Source summary:** OpenSSL based Authenticode signing for PE/MSI/Java CAB files
- **Homepage:** <https://github.com/mtrojnar/osslsigncode>
- **Repository:** <https://github.com/mtrojnar/osslsigncode>
- **Upstream docs:** <https://github.com/mtrojnar/osslsigncode#readme>
- **License:** GPL-3.0-or-later
- **Source archive:** <https://github.com/mtrojnar/osslsigncode/archive/refs/tags/2.13.tar.gz>
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- osslsigncode (cli)
- osslsigncode (alias)

## Dependencies

- openssl@3

## Build dependencies

- cmake

## Uses from macOS

- curl
- python

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.13
- Local data: ok
- Upstream repository: https://github.com/mtrojnar/osslsigncode
- Upstream latest detected: 2.13 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

osslsigncode is an OpenSSL- and cURL-based command-line implementation of Authenticode signing, timestamping, verification, removal, and extraction for Windows-oriented file formats such as PE, CAB, CAT, MSI, APPX, and selected script files.

### Project history

The project was created to avoid depending on Microsoft's `signtool.exe` and Windows CryptoAPI when signing Windows binaries from Unix-like build environments. Its README explains the origin plainly: binaries could be built with Wine on Linux, but signing with signtool failed because the necessary Windows APIs were not fully implemented there.

The codebase records a longer authorship chain than the GitHub namespace suggests. The main C source includes copyright attribution for Per Allansson for 2005-2015 and Michal Trojnara for 2018-2023, while the maintained GitHub repository is under mtrojnar and uses CMake-based builds.

### Adoption history

osslsigncode filled a practical gap for cross-platform release engineering: sign Windows installers and executables from Linux or macOS CI systems using OpenSSL-compatible key material. Its packaging across Homebrew, Debian/Ubuntu, Fedora, MacPorts, Nix, Scoop, winget, and openSUSE reflects that it is used by build and security pipelines rather than by end-user desktop workflows.

Vendor documentation from DigiCert includes osslsigncode in third-party signing-tool instructions for PKCS#11 workflows, showing that certificate authorities and signing services treat it as a supported path for Authenticode operations outside Microsoft tooling.

### How it is used

A typical use signs a PE or MSI file with a certificate and private key, optionally adds an Authenticode or RFC 3161 timestamp, and verifies the resulting signature. The README also documents PKCS#12 containers, PKCS#11 engines and providers, Windows CNG engine use, CAB Java signing compatibility, and operations for extracting or removing signatures.

The tool is especially useful in CI/CD systems that build Windows artifacts on non-Windows hosts or store signing keys in HSM, token, PKCS#11, or provider-backed systems.

### Why package nerds care

osslsigncode is significant because it packages a Windows trust-format workflow in portable Unix-style form. It sits at the awkward intersection of OpenSSL, Windows Authenticode, timestamp authorities, hardware-backed keys, and reproducible release automation.

### Related projects

- Microsoft signtool.exe is the proprietary reference tool that osslsigncode partially replaces. OpenSSL, cURL, PKCS#11 engines/providers, and certificate-authority timestamp services are its operational dependencies and ecosystem neighbors.

### Sources

- <https://docs.digicert.com/en/software-trust-manager/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-authenticode-files-with-osslsigncode-using-openssl-pkcs11-engine.html>
- <https://formulae.brew.sh/formula/osslsigncode>
- <https://github.com/mtrojnar/osslsigncode>
- <https://github.com/mtrojnar/osslsigncode/blob/master/osslsigncode.c>
- <https://github.com/mtrojnar/osslsigncode/blob/master/osslsigncode.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** osslsigncode
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - osslsigncode - 2.9-2: normalized package name match | Debian stable package indexes: osslsigncode from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Authenticode signing tool | https://github.com/mtrojnar/osslsigncode
- Nix - osslsigncode: normalized package name match | nixpkgs package indexes: pkgs/by-name/os/osslsigncode/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - osslsigncode - 2.8-2: normalized package name match | Ubuntu 24.04 LTS package indexes: osslsigncode from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Authenticode signing tool | https://github.com/mtrojnar/osslsigncode
- dnf - osslsigncode - 2.13-1.fc45: normalized package name match | Fedora Rawhide package metadata: osslsigncode from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | OpenSSL-based Authenticode signing for PE, CAB, CAT, MSI, APPX | https://github.com/mtrojnar/osslsigncode
- zypper - osslsigncode - 2.13-1.2: normalized package name match | openSUSE Tumbleweed package metadata: osslsigncode from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Platform-independent tool for Authenticode signing of EXE/CAB files | https://github.com/mtrojnar/osslsigncode
- MacPorts - osslsigncode: normalized package name match | MacPorts ports tree: devel/osslsigncode/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/osslsigncode: normalized package name match | Scoop official bucket manifest trees: bucket/osslsigncode.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1
- winget - MichalTrojnara.osslsigncode: normalized package name match | Windows Package Manager source index: MichalTrojnara.osslsigncode from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [jsign](https://www.automicvault.com/pkg/brew/jsign/) - Shares av.db curated category or tags: authenticode, cli, code-signing, security, windows.
- [zsign](https://www.automicvault.com/pkg/brew/zsign/) - Shares av.db curated category or tags: cli, code-signing, security.
- [easy-rsa](https://www.automicvault.com/pkg/brew/easy-rsa/) - Shares av.db curated category or tags: cli, openssl, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [anubis](https://www.automicvault.com/pkg/brew/anubis/) - Shares av.db curated category or tags: cli, security.
- [authoscope](https://www.automicvault.com/pkg/brew/authoscope/) - Shares av.db curated category or tags: cli, security.
- [retdec](https://www.automicvault.com/pkg/brew/retdec/) - Security-sensitive metadata or terminology overlaps. Shared terms: based, cli, code, openssl, openssl-3.

## Combined YAML source

View the package source record on GitHub. [combined/osslsigncode.yml](https://github.com/automic-vault/db/blob/main/combined/osslsigncode.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
