Your message dated Fri, 9 Jan 2026 18:00:47 +0100
with message-id <[email protected]>
and subject line Re: Bug#1076785: osslsigncode: Version 2.5 unable to process
(some?) SafeNet tokens, online advice is to move to 2.4 or 2.6
has caused the Debian Bug report #1076785,
regarding osslsigncode: Version 2.5 unable to process (some?) SafeNet tokens,
online advice is to move to 2.4 or 2.6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1076785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076785
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: osslsigncode
Version: 2.5-4
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
version 2.5 is apparently unable to process (some? - all my) SafeNet tokens,
with online advice being to either downgrade to 2.4 or upgrade to 2.6:
https://stackoverflow.com/a/78308879 .
Unfortunately it would seem that right now there are no other versions but 2.5
available for Bookworm and installing those available on SID transitively
requires several library versions themselves not (yet?) available on Bookworm.
Could you please provide a version 2.6+?
* What led up to the situation?
Switching to Debian 12 and
- osslsigncode 2.5-4
- openssl 3.0.13-1~deb12u1
- libp11-kit0 0.24.1-2
- libengine-pkcs11-openssl 0.4.12-0.1
from Debian 10 and
- osslsigncode 2.0+really2.5-4+deb10u1
- openssl 1.1.1n-0+deb10u6
- libp11-kit0 0.23.15-2+deb10u1
- libengine-pkcs11-openssl 0.4.9-4
* What exactly did you do (or not do) that was effective (or
ineffective)?
This invocation works on Debian 10:
osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib/libIDPrimePKCS11.so \
-pkcs11cert <certificate uri obtained from p11tool> \
-h sha2 \
-n <application name> \
-i <vendor url> \
-t <time server> \
-in <unsigned file> -out <signed file>
This invocation fails on Debian 12:
osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
-pkcs11module /usr/lib/libIDPrimePKCS11.so \
-pkcs11cert <certificate uri obtained from p11tool> \
-h sha2 \
-n <application name> \
-i <vendor url> \
-t <time server> \
-in <unsigned file> -out <signed file>
with error message
$ <invocation>
bad engine id
Failed to set 'dynamic' engine
40D912A3047F0000:error:1300006D:engine routines:dynamic_load:init failed:../crypto/engine/eng_dyn.c:514:
Failed
To troubleshoot, I tried:
- read certificates via p11tool to ascertain libp11-kit0 is not responsible
(still works as in Debian 10)
- find https://mta.openssl.org/pipermail/openssl-users/2024-July/017278.html ,
downgrade to openssl 3.0.11 (no effect; reverted)
- downgrade to libengine-pkcs11-openssl 0.4.9-4, which had engine-1.1/pkcs.so,
that worked on Buster (failed: error was replaced with 'Failed to init crypto';
reverted)
- find https://stackoverflow.com/a/78308879
- add engine to openssl via
https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line , test
it via https://github.com/OpenSC/libp11#testing-the-engine-operation (fixed
error "bad engine id")
- This step seems new - I checked /etc/ssl/openssl.cnf on Debian 10 and no
such lines exist there, nor are they necessary. Feels like a regression to me,
but nb.
- check for additional versions at
https://packages.debian.org/bookworm/osslsigncode (none available)
- check for additional versions using 'sudo apt list --all-versions
osslsigncode', including on bookworm-backports, bookworm-backports-sloppy (none
available)
- install osslsigncode_2.9-1_amd64.deb (failed: dependencies transitively
require newer packages than available on Bookworm, not ready to open this can
of... worms)
* What was the outcome of this action?
I managed to eliminate one line of error, but now I am stuck.
* What outcome did you expect instead?
It would be nice if some combination of Bookworm-available packages worked. I
hope that, as long as Bookworm is supported, newer already-released versions of
programs will keep arriving.
Another nb.: I would expect the necessary packages to be listed as / similar to
dependencies, e.g. evidently osslsigncode uses openssl and can fail from
openssl misconfiguration, but it has no mention of openssl and only by blind
internet search was I able to find whence the "bad engine id" came.
packages.debian.org has e.g. relations 'Depends', 'Recommends', 'Suggests' to
document soft dependencies like this. (Can I add to those myself? It is
presumably a thankless task to keep them up-to-date.)
Yours sincerely
Simon Beyer
-- System Information:
Debian Release: 12.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-23-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages osslsigncode depends on:
ii libc6 2.36-9+deb12u7
ii libcurl4 7.88.1-10+deb12u6
ii libssl3 3.0.13-1~deb12u1
osslsigncode recommends no packages.
osslsigncode suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.8-1
Hi Adi,
On Fri, 9 Jan 2026 16:35:05 +0100, Adi Kriegisch <[email protected]> wrote:
> a recent security upgrade for bullseye (version 2.5-4~deb11u1) backported
> the issue to bullseye as well. All versions above 2.5 do have the issue
> fixed; I'm trying to tag the issue accordingly.
That’s unfortunate — Abhijith, the security update in bullseye broke the
package in a few important use-cases...
I see this bug was never closed, I’m closing it for version 2.8-1 and later.
Of course that doesn’t mean it shouldn’t be fixed for bullseye!
(Incidentally, buster had the same problem, see
https://tracker.debian.org/news/1489096/accepted-osslsigncode-20really25-4deb10u1-source-into-oldoldstable/.)
Regards,
Stephen
--- End Message ---
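
Added example, not part of either message or of the Debian package: a POSIX shell helper that maps the osslsigncode package versions named in this bug log to the statements made in it (2.5 affected; 2.4 and everything above 2.5 not), including the "+really" version shipped in buster. The function names are hypothetical, and versions the log says nothing about are reported as unknown.

```shell
#!/bin/sh
# Added example: triage Debian osslsigncode package versions against this bug log.

# upstream_version PKGVER -> effective upstream version.
# Drops an epoch ("1:"), drops the Debian revision (text after the last "-"),
# and honours "+really": the text after it is what is actually shipped
# (2.0+really2.5-4+deb10u1 ships upstream 2.5).
upstream_version() {
    v=${1#*:}
    case $v in
        *-*) v=${v%-*} ;;
    esac
    case $v in
        *+really*) v=${v##*+really} ;;
    esac
    printf '%s\n' "$v"
}

# classify PKGVER -> affected | not-affected | unknown
# Assumption taken from the bug log only: upstream 2.5 is affected,
# 2.4 and all versions above 2.5 are not; anything else is unknown.
classify() {
    up=$(upstream_version "$1")
    major=${up%%.*}
    rest=${up#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if [ "$up" = "2.5" ]; then
        echo affected
    elif [ "$up" = "2.4" ]; then
        echo not-affected
    elif [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 5 ]; }; then
        echo not-affected
    else
        echo unknown
    fi
}

# Package versions that appear in this bug log.
for v in 2.5-4 '2.0+really2.5-4+deb10u1' '2.5-4~deb11u1' 2.8-1 2.9-1; do
    printf '%-28s %s\n' "$v" "$(classify "$v")"
done
```

On a Debian host the installed version string can be fed in with: classify "$(dpkg-query -W -f='${Version}' osslsigncode)".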