Closed vatral closed 1 year ago
Are you sure the code signing certificate is in the "X.509 Certificate for PIV Authentication" slot ? Usually it's in the "X.509 Certificate for Digital Signature" slot. You can try this instead:
jsign --storetype YUBIKEY --storepass $PASS --tsaurl http://ts.ssl.com --tsmode RFC3161 nxproxy.exe
Hello! I've got the same issue as @vatral. Did you solve it somehow?
@ebourg yes, I'm definitely sure that my certificate is in the "X.509 Certificate for PIV Authentication" slot.
Even an upgrade to bouncycastle v1.70 did not help.
Getting the same error with Google Cloud and SSL.com EV cert. My command is
> java -jar jsign\jsign\target\jsign-4.1-SNAPSHOT.jar --storetype GOOGLECLOUD --storepass $env:JSIGN_STOREPASS --keystore $env:JSIGN_KEYSTORE --alias $env:JSIGN_ALIAS --certfile ./cert-bundle.pem --tsmode RFC3161 --tsaurl "http://ts.ssl.com" .\sign-test.exe
Adding Authenticode signature to .\sign-test.exe
jsign: Couldn't sign .\sign-test.exe
net.jsign.bouncycastle.cms.CMSException: can't create content verifier: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:376)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:342)
at net.jsign.SignerHelper.sign(SignerHelper.java:523)
at net.jsign.JsignCLI.execute(JsignCLI.java:116)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: net.jsign.bouncycastle.operator.OperatorCreationException: exception on setup: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.createSignature(Unknown Source)
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder.access$300(Unknown Source)
at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$2.get(Unknown Source)
at net.jsign.bouncycastle.cms.SignerInformationVerifier.getContentVerifier(Unknown Source)
... 7 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.rsa.RSAPublicKeyImpl
at java.security.Signature$Delegate.chooseProvider(Signature.java:1138)
at java.security.Signature$Delegate.engineInitVerify(Signature.java:1170)
at java.security.Signature.initVerify(Signature.java:460)
... 11 more
Try `java -jar jsign.jar --help' for more information.
Versions
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Really appreciate the work on jsign and any suggestions you might have!
Following https://github.com/ebourg/jsign/issues/93#issuecomment-872050100 from another jsign issue, I was able to successfully sign the file with CodeSignTool, but I do see the same problem reported in that issue ("No signature was present in the subject"). Happy to help test any jsign changes, as the cross-platform multi-service support would be ideal.
@devsibwarra What's the order of the certificates in cert-bundle.pem?
The bundle order is
Certificate[1]: company-cert
Certificate[2]: SSL.com EV Code Signing Intermediate CA RSA R3
Certificate[3]: SSL.com EV Root Certification Authority RSA R2
Certificate[4]: Certum Trusted Network CA
Finally fixed by resetting the YubiKey and reimporting the certificates from scratch.
@ebourg Turns out I was using the wrong certificate bundle for Google Cloud HSM.
If it helps add error handling, when I was trying to use the bad cert with osslsigncode, I was getting
Failed to checking the consistency of a private key: pkcs11:object=key
with a public key in any X509 certificate: .\cert.pem
Creating a new signature failed
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0909006C:PEM routines:get_name:no start line:../openssl-1.1.1m/crypto/pem/pem_lib.c:745:Expecting: CERTIFICATE
7088:error:0B080073:x509 certificate routines:X509_check_private_key:key type mismatch:../openssl-1.1.1m/crypto/x509/x509_cmp.c:306:
Failed
Using the correct cert bundle with jsign + google cloud hsm gives me a valid signed file 🥂
Good to hear it works. I'll try to add more checks.
Hi, I am running into this issue when using Google Cloud and SSL.com. @devsibwarra, can you go into more detail about what fixed it for you? I don't understand what you mean by the correct cert bundle.
I've checked the behavior of Jsign when the private key and the public key don't match:
There are two issues here:
Jsign now displays an explicit error message when the private key and the certificate don't match
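The check discussed in this thread, as an added illustration that is not Jsign's own code: before producing a signature, confirm that the private key (possibly an opaque YubiKey/PKCS#11 or Cloud HSM key) really belongs to the certificate selected from the bundle. The stack traces above show the mismatch surfacing only inside `SignerInformation.verify`, after the signature was already produced, which is why the message is so unhelpful. The class name, method names and the probe message are assumptions for this example; the key pairs generated in `main` are constructed stand-ins for an HSM key and a certificate's public key.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

/** Added example (hypothetical class, not part of Jsign): key/certificate consistency check. */
public class KeyCertConsistencyCheck {

    /**
     * Checks that the signing key corresponds to the public key of the signing certificate.
     * Returns null when the pair is consistent, otherwise an explanation suitable for an error message.
     */
    public static String checkConsistency(PrivateKey privateKey, PublicKey publicKey) {
        // 1. Key type mismatch (the osslsigncode output above reports this case as "key type mismatch").
        if (!privateKey.getAlgorithm().equalsIgnoreCase(publicKey.getAlgorithm())) {
            return "key type mismatch: private key is " + privateKey.getAlgorithm()
                 + " but the certificate's public key is " + publicKey.getAlgorithm();
        }
        // 2. Cheap structural check, only possible when the private key exposes its modulus.
        //    HSM/PKCS#11 keys are usually opaque and do not implement RSAPrivateKey, so this is best-effort.
        if (privateKey instanceof RSAPrivateKey && publicKey instanceof RSAPublicKey) {
            BigInteger privateModulus = ((RSAPrivateKey) privateKey).getModulus();
            BigInteger publicModulus = ((RSAPublicKey) publicKey).getModulus();
            if (!privateModulus.equals(publicModulus)) {
                return "the private key does not match the certificate: RSA modulus differs";
            }
        }
        // 3. General check that also works for opaque keys: sign a fixed probe message with the
        //    private key and verify it with the certificate's public key.
        try {
            String algorithm = signatureAlgorithmFor(privateKey.getAlgorithm());
            byte[] probe = "key/certificate consistency probe".getBytes(StandardCharsets.UTF_8);

            Signature signer = Signature.getInstance(algorithm);
            signer.initSign(privateKey);
            signer.update(probe);
            byte[] signature = signer.sign();

            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(publicKey);
            verifier.update(probe);
            if (!verifier.verify(signature)) {
                return "the private key does not match the certificate: signature verification failed";
            }
            return null;
        } catch (GeneralSecurityException e) {
            // Covers InvalidKeyException ("No installed provider supports this key") and friends.
            return "unable to verify key/certificate consistency: " + e.getMessage();
        }
    }

    /** Convenience overload taking the signing certificate directly. */
    public static String checkConsistency(PrivateKey privateKey, X509Certificate certificate) {
        return checkConsistency(privateKey, certificate.getPublicKey());
    }

    private static String signatureAlgorithmFor(String keyAlgorithm) throws NoSuchAlgorithmException {
        switch (keyAlgorithm.toUpperCase()) {
            case "RSA": return "SHA256withRSA";
            case "EC":  return "SHA256withECDSA";
            default:    throw new NoSuchAlgorithmException("unsupported key algorithm: " + keyAlgorithm);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: two independent RSA pairs and one EC pair stand in for
        // "the HSM key", "the wrong certificate from the bundle" and "a certificate of another key type".
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair rsaSigningKey = rsaGen.generateKeyPair();
        KeyPair rsaOtherKey = rsaGen.generateKeyPair();
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(256);
        KeyPair ecKey = ecGen.generateKeyPair();

        System.out.println("matching pair:   " + describe(checkConsistency(rsaSigningKey.getPrivate(), rsaSigningKey.getPublic())));
        System.out.println("wrong RSA cert:  " + describe(checkConsistency(rsaSigningKey.getPrivate(), rsaOtherKey.getPublic())));
        System.out.println("RSA key/EC cert: " + describe(checkConsistency(rsaSigningKey.getPrivate(), ecKey.getPublic())));
    }

    private static String describe(String problem) {
        return problem == null ? "OK" : "ERROR - " + problem;
    }
}
```

The sign/verify round trip is the part that matters for the YubiKey and Google Cloud cases in this thread, because those providers hand out key handles rather than key material, so the modulus comparison cannot run; an explicit error at this point tells the user to fix the certificate bundle or the slot selection instead of leaving them with a `CMSException` from deep inside BouncyCastle.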
Hello!
I'm using an EV certificate from SSL.com. The latest code after the fix for #105 made some progress, but still goes wrong somewhere. The Yubikey blinks briefly, but then jsign fails with this:
Some research suggests one of these might be related:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4953555 https://stackoverflow.com/questions/41534827/java-signature-object-no-installed-provider-supports-this-key-sun-security-rs