Closed vatral closed 2 years ago
Thank you for the report, could you paste the public key please? (or send it to ebourg@apache.org)
Public key:
Public-Key: (384 bit)
ASN1 OID: secp384r1
NIST CURVE: P-384
I have been able to reproduce the issue. It looks like Jsign doesn't set the signature algorithm properly, it should be SHA256withECDSA instead of SHA256withEC.
@vatral This should be fixed now, could you give it a try please?
Hello! Thanks for the help!
I tried building it, but something isn't quite working for me: https://pastebin.com/raw/KHx9CxWu
Unfortunately I'm not much of a Java dev, so I'm not sure what's going wrong there. I'm skipping tests because I get a failure in PESignerTest.testSigningWithYubikey:161 » KeyStore Unable to load the keystore... which I'm guessing may require some particular Yubikey setup.
You can skip the tests with:
mvn package -DskipTests
Okay, got it to build, thanks. Now I get this:
jsign: Couldn't sign nxproxy.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
at net.jsign.SignerHelper.sign(SignerHelper.java:506)
at net.jsign.JsignCLI.execute(JsignCLI.java:116)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1303)
at java.base/java.security.Signature$Delegate.engineInitVerify(Signature.java:1349)
at java.base/java.security.Signature.initVerify(Signature.java:506)
... 11 more
Try `java -jar jsign.jar --help' for more information.
Hello!
We obtained an EV certificate from ssl.com. Being mostly Linux based I thought it may be a good option to do signing from Linux if possible, but so far it's not working right. I have a Yubikey FIPS and followed SSL.com's certificate installation procedures.
I followed these instructions: https://www.ssl.com/how-to/microsoft-authenticode-code-signing-in-linux-with-jsign/
Here's what happens when I try to sign a test file:
Experimentation suggests the "WITHEC" gets added somewhere and is unexpected down the chain. For instance trying to use -d "SHA1" results in a "SHA1WITHEC" in the reported error.

I'm running on Fedora 34, and experimented with Java 8, 11 and 17 with no difference in behavior.
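
The naming mismatch discussed in this thread, as an added example that is not Jsign's code: it assumes the signature algorithm name is built as digest + "with" + key algorithm, and the helpers `naiveName` and `mappedName` are hypothetical. It uses a freshly generated secp384r1 key pair with the JDK's default providers rather than a Yubikey.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class SignatureNameDemo {
    // Hypothetical helper: builds the name by appending the key algorithm as-is.
    static String naiveName(String digest, Key key) {
        return digest.replace("-", "") + "with" + key.getAlgorithm();
    }

    // Hypothetical helper: maps the key algorithm to the JCA signature scheme first.
    static String mappedName(String digest, Key key) {
        String alg = key.getAlgorithm();
        String scheme = "EC".equals(alg) ? "ECDSA" : alg; // RSA and DSA keep their name
        return digest.replace("-", "") + "with" + scheme;
    }

    // Signs and verifies a constructed message under the given algorithm name.
    static boolean roundTrip(String name, KeyPair kp) throws GeneralSecurityException {
        byte[] msg = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(name);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(name);
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp384r1")); // same curve as the key in the thread
        KeyPair kp = gen.generateKeyPair();
        String[] names = { naiveName("SHA-256", kp.getPrivate()), mappedName("SHA-256", kp.getPrivate()) };
        for (String name : names) {
            try {
                System.out.println(name + ": verified=" + roundTrip(name, kp));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + ": no provider offers this name (" + e.getMessage() + ")");
            }
        }
    }
}
```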