Open phil-blain opened 2 years ago
Similarly, trying to actually sign the package with the certificate previously created does not work under key-based auth:
PS C:\Users\IEUser> signtool sign /fd sha256 /sha1 BBF121A014A73C5B404C40684641E1287810AE88 .\CascadiaPackage_0.0.1.0_x64_Debug.msix
SignTool Error: No certificates were found that met all the given criteria.
even if the certificate is there:
PS C:\Users\IEUser> ls cert:currentuser\my
PSParentPath: Microsoft.PowerShell.Security\Certificate::currentuser\my
Thumbprint Subject
---------- -------
BBF121A014A73C5B404C40684641E1287810AE88 CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
When connecting with a password, I can sign successfully:
PS C:\Users\IEUser> signtool sign /fd sha256 /sha1 BBF121A014A73C5B404C40684641E1287810AE88 .\CascadiaPackage_0.0.1.0_x64_Debug.msix
Done Adding Additional Store
Successfully signed: .\CascadiaPackage_0.0.1.0_x64_Debug.msix
Accessing the private key store requires interaction with DPAPI, which is not possible under an SSH key-auth logon. This is due to what you've read online: the logon session does not know the user's password to unlock the store and decrypt its contents. Unfortunately there's not much you can do about that natively; you essentially need to create your process with your explicit credentials and run signtool under that. The simplest way to do this is to use something like psexec, or a scheduled task with saved credentials.
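The scheduled-task workaround suggested above, written out as an added example (not code from the issue or from the Win32-OpenSSH project). It registers a one-off task whose logon type is "password" (the credential is stored by the Task Scheduler, so the task's process gets a full logon session and DPAPI can unlock the user's key store), runs signtool in it, collects the output and exit code, and removes the task again. Assumptions: `signtool.exe` is on the PATH of the target user, the thumbprint and package path are the ones from the issue, the Task Scheduler service is running, and local policy does not forbid storing credentials for scheduled tasks. The function name and the task name are made up for the example.

```powershell
# Added example: run signtool under an explicit password logon via a scheduled task.
# Not part of the original issue; the function and task names are illustrative.
function Invoke-SignToolAsUser {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [pscredential] $Credential,   # DOMAIN\user or .\user
        [string] $SignTool = 'signtool.exe',                  # assumed to be on PATH
        [string] $TaskName = 'SignPackageWithDpapi'           # assumed unused task name
    )

    $logPath = Join-Path $env:TEMP "$TaskName.log"

    # The task runs a PowerShell child that redirects all signtool output to a log
    # and propagates signtool's exit code, so LastTaskResult reflects success/failure.
    # `$LASTEXITCODE is escaped so it is evaluated in the child, not here.
    $inner  = "& '$SignTool' sign /fd sha256 /sha1 $Thumbprint '$PackagePath' *> '$logPath'; exit `$LASTEXITCODE"
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -NonInteractive -Command `"$inner`""
    $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

    # -User/-Password makes the Task Scheduler store the credential and perform a
    # password-based logon when the task starts; that logon session can unlock DPAPI.
    # No trigger is registered: the task is started on demand below.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Settings $settings `
        -User $Credential.UserName `
        -Password $Credential.GetNetworkCredential().Password `
        -RunLevel Limited -Force | Out-Null

    try {
        Start-ScheduledTask -TaskName $TaskName

        # Poll until the task leaves the Running state (LastTaskResult is meaningless
        # while it is still running).
        do {
            Start-Sleep -Milliseconds 500
            $state = (Get-ScheduledTask -TaskName $TaskName).State
        } while ($state -eq 'Running' -or $state -eq 'Queued')

        $exitCode = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
        $output   = if (Test-Path $logPath) { Get-Content -Raw $logPath } else { '' }

        [pscustomobject]@{
            Succeeded = ($exitCode -eq 0)
            ExitCode  = $exitCode
            Output    = $output
        }
    }
    finally {
        # Always remove the task so the stored credential does not linger in the task store.
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
        Remove-Item -Path $logPath -ErrorAction SilentlyContinue
    }
}

# Usage from the SSH session (password is prompted for, not typed into the history):
# $cred = Get-Credential 'IEUser'
# $r = Invoke-SignToolAsUser -PackagePath 'C:\Users\IEUser\CascadiaPackage_0.0.1.0_x64_Debug.msix' `
#          -Thumbprint 'BBF121A014A73C5B404C40684641E1287810AE88' -Credential $cred
# $r.Output; $r.Succeeded
```

Two caveats worth checking before relying on this: the "Network access: Do not allow storage of passwords and credentials for network authentication" policy, if enabled, makes `Register-ScheduledTask -Password` fail, and the certificate must be in the store of the same account the task runs as (the `cert:\CurrentUser\My` of the SSH session and of the task are the same only when the same user is used for both).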
I think this could be made clearer in the docs then... (and it's not even mentioned in the official docs at docs.microsoft.com...)
Please answer the following
"OpenSSH for Windows" version
((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)
7.7.2.2
Server OperatingSystem
((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)
Windows 10 Enterprise Evaluation
Client OperatingSystem Ubuntu 20.04.1 LTS
What is failing
I'm trying to self-sign an Appx package. I'm following these steps.
New-SelfSignedCertificate
does not work when logging in with an SSH key. It works if I log in with a password (same steps as above, except
ssh -o PubkeyAuthentication=no msedge
).
Expected output
None, and certificate created successfully.
Actual output
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Access denied. 0x80090010 (-2146893808 NTE_PERM)
, as shown above.
I'm not sure if this is normal / expected behaviour. I did see https://github.com/PowerShell/Win32-OpenSSH/wiki/SSH-remote-sessions-on-Windows where it says
but I'm not 100% sure this is the issue. I found a post on Server Fault that might be relevant. I looked at the four pages under "OpenSSH in Windows" in the official docs but could not find any mention of such a limitation.