Unexpected 1.3.6.1.4.1.311.10.1 contentType Attribute in Multi-Step Code Signing Process

[vm2mv]

Hello,

I'm using osslsigncode in a multi-step process to sign PE executables (EXE/DLL) in our CI/CD pipeline:

1. osslsigncode extract-data -h sha256 -in <file> -out <digest>
2. osslsigncode sign -pkcs11engine ... -pkcs11module ... -pkcs11cert ... -ac ... -h sha256 -in <digest> -out <signed_digest> -nolegacy -verbose
3. osslsigncode attach-signature -sigin <signed_digest> -CAfile <ca_chain.pem> -h sha256 -in <file> -out <file_signed>

The resulting signed file includes a contentType attribute with OID 1.3.6.1.4.1.311.10.1 (certTrustList) rather than the expected OID 1.3.6.1.4.1.311.2.1.4 (SPC_INDIRECT_DATA_OBJID) normally used for standard Authenticode signatures.

Why This Matters:

• Some antivirus vendors (e.g., Dr.Web) and security tools treat the presence of the certTrustList OID as suspicious or non-standard for PE signatures.
• It deviates from the typical Authenticode format produced by SignTool and what most users expect.

When Using a Single-Step Sign:

If I use osslsigncode sign -certs ... -key ... -in <file> -out <file_signed> directly on the PE file, the signature is formed correctly with SPC_INDIRECT_DATA_OBJID.

However, in the multi-step approach (extracting data, then signing digest, then attaching signature), the resulting signature sets contentType to 1.3.6.1.4.1.311.10.1.

Request:

Please consider enhancing osslsigncode so that multi-step signing produces a standard Authenticode signature with the correct contentType OID for PE files. Perhaps add an option or automatic detection ensuring SPC_INDIRECT_DATA_OBJID is used in multi-step scenarios as well.

How to Reproduce:

1. osslsigncode extract-data -in unsigned.exe -h sha256 -out digest.bin
2. osslsigncode sign -h sha256 -in digest.bin -pkcs11... -out signed_digest.p7
3. osslsigncode attach-signature -in unsigned.exe -sigin signed_digest.p7 -out signed.exe -h sha256
4. Examine signed.exe using openssl asn1parse or a similar tool, and note the contentType attribute OID.

Expected Behavior:

• A code signature with SPC_INDIRECT_DATA_OBJID (1.3.6.1.4.1.311.2.1.4), aligning with standard Authenticode.

Actual Behavior:

• contentType is set to 1.3.6.1.4.1.311.10.1 (certTrustList).

Thank you for considering this request!

[vm2mv]

I rebuilt osslsigncode from current master (includes fix #418), but the issue remains: after the three‑step workflow the signature still contains 1.3.6.1.4.1.311.10.1.

Steps to reproduce are exactly the same as described earlier in this thread.

So far, the patch in PR #418 hasn’t resolved the problem for me.

[olszomal]

@vm2mv I’m unable to reproduce the signing process according to your steps using osslsigncode in a way that results in a signature containing 1.3.6.1.4.1.311.10.1. Below I’ll include the steps I followed and the results I obtained.

1. osslsigncode extract-data -h sha256 -in unsigned.exe -out digest.bin

$ openssl asn1parse -inform der -i -in Testing/files/digest.bin 
    0:d=0  hl=3 l= 147 cons: SEQUENCE          
    3:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
   14:d=1  hl=3 l= 133 cons:  cont [ 0 ]        
   17:d=2  hl=3 l= 130 cons:   SEQUENCE          
   20:d=3  hl=2 l=   1 prim:    INTEGER           :01
   23:d=3  hl=2 l=   0 cons:    SET               
   25:d=3  hl=2 l= 121 cons:    SEQUENCE          
   27:d=4  hl=2 l=  10 prim:     OBJECT            :1.3.6.1.4.1.311.2.1.4 /* SPC_INDIRECT_DATA_OBJID */
   39:d=4  hl=2 l= 107 cons:     cont [ 0 ]        
   41:d=5  hl=2 l= 105 cons:      SEQUENCE          
   43:d=6  hl=2 l=  52 cons:       SEQUENCE          
   45:d=7  hl=2 l=  10 prim:        OBJECT            :1.3.6.1.4.1.311.2.1.15 /* SPC_PE_IMAGE_DATA_OBJID */
   57:d=7  hl=2 l=  38 cons:        SEQUENCE          
   59:d=8  hl=2 l=   2 prim:         BIT STRING        
   63:d=8  hl=2 l=  32 cons:         cont [ 0 ]        
   65:d=9  hl=2 l=  30 cons:          cont [ 2 ]        
   67:d=10 hl=2 l=  28 prim:           cont [ 0 ]        
   97:d=6  hl=2 l=  49 cons:       SEQUENCE          
   99:d=7  hl=2 l=  13 cons:        SEQUENCE          
  101:d=8  hl=2 l=   9 prim:         OBJECT            :sha256
  112:d=8  hl=2 l=   0 prim:         NULL              
  114:d=7  hl=2 l=  32 prim:        OCTET STRING      [HEX DUMP]:2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4
  148:d=3  hl=2 l=   0 cons:    SET 

2. osslsigncode sign -certs cert.pem -key key.pem -h sha256 -in digest.bin -out signed_digest.p7

openssl asn1parse -inform der -i -in Testing/files/signed_digest.p7 -offset 2462
    0:d=0  hl=3 l= 136 cons: cont [ 0 ]        
    3:d=1  hl=2 l=  25 cons:  SEQUENCE          
    5:d=2  hl=2 l=   9 prim:   OBJECT            :contentType
   16:d=2  hl=2 l=  12 cons:   SET               
   18:d=3  hl=2 l=  10 prim:    OBJECT            :1.3.6.1.4.1.311.2.1.4 /* SPC_INDIRECT_DATA_OBJID */
   30:d=1  hl=2 l=  28 cons:  SEQUENCE          
   32:d=2  hl=2 l=   9 prim:   OBJECT            :signingTime
   43:d=2  hl=2 l=  15 cons:   SET               
   45:d=3  hl=2 l=  13 prim:    UTCTIME           :250422071517Z
   60:d=1  hl=2 l=  28 cons:  SEQUENCE          
   62:d=2  hl=2 l=  10 prim:   OBJECT            :1.3.6.1.4.1.311.2.1.11 /* SPC_STATEMENT_TYPE_OBJID */
   74:d=2  hl=2 l=  14 cons:   SET               
   76:d=3  hl=2 l=  12 cons:    SEQUENCE          
   78:d=4  hl=2 l=  10 prim:     OBJECT            :Microsoft Individual Code Signing
   90:d=1  hl=2 l=  47 cons:  SEQUENCE          
   92:d=2  hl=2 l=   9 prim:   OBJECT            :messageDigest
  103:d=2  hl=2 l=  34 cons:   SET               
  105:d=3  hl=2 l=  32 prim:    OCTET STRING      [HEX DUMP]:ED2CF03C79C03BCB691002A2E8314493D97302AC6C90D8A472CB1D24B5AB364B
  139:d=0  hl=2 l=  13 cons: SEQUENCE          
  141:d=1  hl=2 l=   9 prim:  OBJECT            :rsaEncryption
  152:d=1  hl=2 l=   0 prim:  NULL              
  154:d=0  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:588AA058FF2FA5986EC7F1F1506506F73658CCD29DF9992B14134208140B3026682B44F6D9AE65BE326BC368DF47D1D995AC03A090CEFFB6131B330AEACD1162E65E1DCDF3EA36C53F9479A177B8EE0E984C76196828D07D68F41F3A1C75D3C67925199E42E49C571BBEAE195C98C8C963D80A7CCDD76223BB78C9BDDD438397A28A0022EE97AA166DB873543A362ACA848BD39F3281D356253CB61CD3B80626DEF5AA1B1C757A1F500DB7BD1A8FF14D0AD7D59AF3D61D4B23AC3FE0F29DB5C3B7D5CC0DEADEA2296A1C9E1E427130B90E7C452A57D47AD27C24DE56DB7383145129191282B894668404E2E5A68160BE997C52887A62F42A6B79329096758373

3. osslsigncode attach-signature -in unsigned.exe -sigin signed_digest.p7 -out signed.exe

openssl asn1parse -inform der -i -in Testing/files/signed.exe -offset 98622
    0:d=0  hl=3 l= 136 cons: cont [ 0 ]        
    3:d=1  hl=2 l=  25 cons:  SEQUENCE          
    5:d=2  hl=2 l=   9 prim:   OBJECT            :contentType
   16:d=2  hl=2 l=  12 cons:   SET               
   18:d=3  hl=2 l=  10 prim:    OBJECT            :1.3.6.1.4.1.311.2.1.4 /* SPC_INDIRECT_DATA_OBJID */
   30:d=1  hl=2 l=  28 cons:  SEQUENCE          
   32:d=2  hl=2 l=   9 prim:   OBJECT            :signingTime
   43:d=2  hl=2 l=  15 cons:   SET               
   45:d=3  hl=2 l=  13 prim:    UTCTIME           :250422071517Z
   60:d=1  hl=2 l=  28 cons:  SEQUENCE          
   62:d=2  hl=2 l=  10 prim:   OBJECT            :1.3.6.1.4.1.311.2.1.11 /* SPC_STATEMENT_TYPE_OBJID */
   74:d=2  hl=2 l=  14 cons:   SET               
   76:d=3  hl=2 l=  12 cons:    SEQUENCE          
   78:d=4  hl=2 l=  10 prim:     OBJECT            :Microsoft Individual Code Signing
   90:d=1  hl=2 l=  47 cons:  SEQUENCE          
   92:d=2  hl=2 l=   9 prim:   OBJECT            :messageDigest
  103:d=2  hl=2 l=  34 cons:   SET               
  105:d=3  hl=2 l=  32 prim:    OCTET STRING      [HEX DUMP]:ED2CF03C79C03BCB691002A2E8314493D97302AC6C90D8A472CB1D24B5AB364B
  139:d=0  hl=2 l=  13 cons: SEQUENCE          
  141:d=1  hl=2 l=   9 prim:  OBJECT            :rsaEncryption
  152:d=1  hl=2 l=   0 prim:  NULL              
  154:d=0  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:588AA058FF2FA5986EC7F1F1506506F73658CCD29DF9992B14134208140B3026682B44F6D9AE65BE326BC368DF47D1D995AC03A090CEFFB6131B330AEACD1162E65E1DCDF3EA36C53F9479A177B8EE0E984C76196828D07D68F41F3A1C75D3C67925199E42E49C571BBEAE195C98C8C963D80A7CCDD76223BB78C9BDDD438397A28A0022EE97AA166DB873543A362ACA848BD39F3281D356253CB61CD3B80626DEF5AA1B1C757A1F500DB7BD1A8FF14D0AD7D59AF3D61D4B23AC3FE0F29DB5C3B7D5CC0DEADEA2296A1C9E1E427130B90E7C452A57D47AD27C24DE56DB7383145129191282B894668404E2E5A68160BE997C52887A62F42A6B79329096758373
  414:d=0  hl=2 l=   0 prim: EOC  

Would you mind reviewing your workflow again? There might be a subtle difference we’re missing.

[vm2mv]

I double‑checked today. Yesterday I was inadvertently running an older 2.9 build; this time I invoked the new binary built from master via its absolute path and the problem does not reproduce.

Apologies for the confusion — the issue is resolved.
Thank you!