Windows executables (PE files) can be signed on Kali using osslsigncode.
osslsigncode needs to be installed:
apt install osslsigncode
Then you need a certificate. For this demo, I’m using a self-signed cert.
The command to sign the file demo-x64.exe with the demo certificate, using SHA1 and timestamping, is:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t http://timestamp.globalsign.com/scripts/timestamp.dll -in demo-x64.exe -out demo-x64-signed.exe
The signed file is demo-x64-signed.exe
To dual sign this executable (add SHA256 signature), use this command:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t 'http://timestamp.globalsign.com/?signature=sha2' -h sha256 -nest -in demo-x64-signed.exe -out demo-x64-dual-signed.exe
The signed file is demo-x64-dual-signed.exe
Of course, Windows reports the signatures as invalid, because we used a self-signed certificate. For a valid signature, you can add your certificate to the trusted root certificates store, buy a code-signing certificate, …
For single SHA256 signing, use the second osslsigncode command without option -nest.
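To check on the Kali side what the commands above actually wrote into the output file, the following added example (not part of the original post) walks the PE certificate table and reports, per entry, whether the SHA1 and SHA256 digest OIDs and the nested-signature attribute OID (1.3.6.1.4.1.311.2.4.1, which is where -nest stores the second signature) are present. The function names and the sample bytes are constructed for illustration; the OID check is a byte search that shows presence only and does not validate any signature.

```python
import struct

# DER-encoded OIDs, located by byte search (a heuristic, not an ASN.1 parse)
OIDS = {"sha1": bytes.fromhex("06052b0e03021a"),              # 1.3.14.3.2.26
        "sha256": bytes.fromhex("0609608648016503040201"),    # 2.16.840.1.101.3.4.2.1
        "nested": bytes.fromhex("060a2b060104018237020401")}  # 1.3.6.1.4.1.311.2.4.1

def security_directory(pe: bytes):
    """Return (file_offset, size) of the PE certificate table, (0, 0) if absent."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24                           # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if (pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0"
            or magic not in (0x10B, 0x20B)):
        raise ValueError("not a PE32/PE32+ file")
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    return struct.unpack_from("<II", pe, dirs + 32) if count > 4 else (0, 0)

def signature_summary(pe: bytes):
    """One dict per WIN_CERTIFICATE entry: type plus which OIDs its blob contains."""
    off, size = security_directory(pe)
    end, out = off + size, []
    if off == 0 or end > len(pe):
        return out
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            break                                 # malformed entry: stop, do not guess
        blob = pe[off + 8:off + length]
        out.append({"type": ctype, **{k: v in blob for k, v in OIDS.items()}})
        off += (length + 7) & ~7                  # entries are 8-byte aligned
    return out

def constructed_pe(blob: bytes) -> bytes:
    """Constructed sample: minimal PE32+ headers plus one certificate entry."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)       # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)    # NumberOfRvaAndSizes
    entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
    entry += b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", hdr, opt + 112 + 32, len(hdr), len(entry))
    return bytes(hdr) + entry

if __name__ == "__main__":  # constructed blob imitating a dual-signed file
    print(signature_summary(constructed_pe(b"\x30\x80" + b"".join(OIDS.values()))))
```

On a real file, pass the bytes of demo-x64-signed.exe or demo-x64-dual-signed.exe to signature_summary; a dual-signed file normally still has a single entry, with "nested" set because the SHA256 signature sits inside the first one.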