Feature request: certtool --p7-sign support GNUTLS_PKCS7_INCLUDE_CERT
openssl pkcs7 -inform DER -in ca.mobileconfig -print_certs
If this ca.mobileconfig is signed by
/opt/gnutls/bin/certtool --p7-sign --load-privkey '/Users/sskaje/Documents/CA/SSKAJE CA/sskaje_ca.key' --load-certificate '/Users/sskaje/Documents/CA/SSKAJE CA/sskaje_ca.pem' --infile sskaje-ca.mobileconfig --outder --outfile ca.mobileconfig
no certs can be found, and this signed mobileconfig is not compatible with iOS.
But if it is signed by
openssl smime -sign -signer ~/Documents/CA/SSKAJE\ CA/sskaje_ca.pem -inkey ~/Documents/CA/SSKAJE\ CA/sskaje_ca.key -outform DER -in sskaje-ca.mobileconfig -out ca.mobileconfig.signed -nodetach
the certs are displayed, and it is compatible with iOS.
I tried to add
flags |= GNUTLS_PKCS7_INCLUDE_CERT;
to src/certtool.c
void pkcs7_sign(common_info_st * cinfo, unsigned embed)
{
	...
	if (embed)
		flags |= GNUTLS_PKCS7_EMBED_DATA;
	flags |= GNUTLS_PKCS7_INCLUDE_CERT;	/* added line, applied unconditionally */
The newly signed file works well with iOS.
I suggest there can be a parameter like '--p7-include-cert' in certtool.
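
A way to check for the difference described above without OpenSSL, as an added example that is not part of the original report or of GnuTLS: it walks a DER-encoded PKCS#7 file and counts the entries in the optional SignedData certificates field, which is the field GNUTLS_PKCS7_INCLUDE_CERT populates. The function names and the sample structure are constructed for illustration, and only definite-length DER is handled.

```python
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1

def read_tlv(buf, off, end):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    if off + 2 > end:
        raise ValueError("truncated element")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) not handled")
    if length > 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > end:
        raise ValueError("element runs past its container")
    return tag, off, off + length

def children(buf, start, end):
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def embedded_cert_count(der):
    """Number of entries in SignedData.certificates; 0 if the field is absent."""
    tag, vs, ve = read_tlv(der, 0, len(der))
    top = children(der, vs, ve) if tag == 0x30 else []
    ok = len(top) >= 2 and top[0][0] == 0x06 and top[1][0] == 0xA0
    if not ok or der[top[0][1]:top[0][2]] != SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    tag, vs, ve = read_tlv(der, top[1][1], top[1][2])  # [0] EXPLICIT -> SignedData
    if tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    for tag, cs, ce in children(der, vs, ve):
        if tag == 0xA0:                    # certificates [0] IMPLICIT, OPTIONAL
            return len(children(der, cs, ce))
    return 0

def _tlv(tag, body):                       # short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body

def sample(with_certs):
    """Constructed SignedData skeleton; the 'certificate' is a placeholder, not X.509."""
    certs = _tlv(0xA0, _tlv(0x30, b"\x02\x01\x01")) if with_certs else b""
    body = _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _tlv(0x06, DATA)) + certs + _tlv(0x31, b"")
    return _tlv(0x30, _tlv(0x06, SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, body)))
```

To check a real file, pass its bytes to `embedded_cert_count`; a result of 0 corresponds to `-print_certs` showing nothing.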