Necessary Code Signing

Projects Using This Service

Divvun

Request Access

Fill out this form to apply for an API token. Applications are reviewed manually and access is granted to qualifying open source projects.

Terms of Use

By using this service, you agree to the following terms:

Eligibility

This service is exclusively for open source software projects
Your project must have publicly accessible source code
You must be authorized to sign software on behalf of your project

Prohibited Use

Signing malware, adware, spyware, or any malicious software
Signing software that violates applicable laws
Sharing your API token with unauthorized parties
Publicly leaking your signing token
Misrepresenting your identity or project

Service Terms

We reserve the right to revoke access at any time without notice
We may review signed binaries for compliance
This service is provided as-is with no warranty
We are not liable for any damages arising from use of this service

Contact

For questions or abuse reports, contact the service administrator.

How to Sign a Binary

Signing requires three steps using osslsigncode on your local machine:

Step 1: Extract the data to be signed

osslsigncode extract-data -in myapp.exe -out tosign.bin

Step 2: Send to signing service

curl -X POST \
  -H "Authorization: Bearer YOUR_TOKEN_HERE" \
  --data-binary @tosign.bin \
  https://sign.necessary.nu/windows/sign \
  -o signed.bin

Step 3: Attach signature to your binary

osslsigncode attach-signature -sigin signed.bin -in myapp.exe -out myapp-signed.exe

API Reference

Endpoint: POST /windows/sign

Authentication: Bearer token in the Authorization header

Request: Binary data from osslsigncode extract-data

Response: Signed data to use with osslsigncode attach-signature

Health Check

Endpoint: GET /health

Returns JSON with HSM and certificate availability status.

CI Integration

Never commit your signing token to version control. Use your CI platform's secrets management.

GitHub Actions

- name: Sign binary
  run: |
    osslsigncode extract-data -in build/myapp.exe -out tosign.bin
    curl -X POST \
      -H "Authorization: Bearer ${ secrets.SIGNING_TOKEN }" \
      --data-binary @tosign.bin \
      https://sign.necessary.nu/windows/sign -o signed.bin
    osslsigncode attach-signature -sigin signed.bin -in build/myapp.exe -out build/myapp-signed.exe

GitLab CI

sign:
  script:
    - osslsigncode extract-data -in build/myapp.exe -out tosign.bin
    - curl -X POST -H "Authorization: Bearer $SIGNING_TOKEN" --data-binary @tosign.bin https://sign.necessary.nu/windows/sign -o signed.bin
    - osslsigncode attach-signature -sigin signed.bin -in build/myapp.exe -out build/myapp-signed.exe

Woodpecker CI

steps:
  - name: sign
    image: debian
    commands:
      - osslsigncode extract-data -in build/myapp.exe -out tosign.bin
      - curl -X POST -H "Authorization: Bearer $SIGNING_TOKEN" --data-binary @tosign.bin https://sign.necessary.nu/windows/sign -o signed.bin
      - osslsigncode attach-signature -sigin signed.bin -in build/myapp.exe -out build/myapp-signed.exe
    secrets: [signing_token]