ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Manifest file signing #118

Open cxn-sjuhasz opened 2 years ago

cxn-sjuhasz commented 2 years ago

https://docs.microsoft.com/en-us/windows/win32/sbscs/manifest-files-reference
https://docs.microsoft.com/en-us/windows/win32/sbscs/application-manifests

We are trying to sign such a file, using jsign 4.0, with the above error. It is an application manifest.

ebourg commented 2 years ago

This file format isn't supported by Jsign. As I understand it, it's a different signing scheme; even signtool doesn't support it. These files are signed with the Manifest Generation and Editing Tool (mage.exe) from Visual Studio.

For reference, I've played a bit with this tool and signed a manifest. It looks like this:

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0"
                xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v2"
                xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1"
                xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">
  <asmv1:assemblyIdentity name="Jsign.exe" version="1.0.0.0" publicKeyToken="ce7aed2aaa624904" language="neutral" processorArchitecture="msil" type="win32"/>
  <application/>
  <entryPoint>
    <co.v1:customHostSpecified/>
  </entryPoint>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet Unrestricted="true" ID="Custom" SameSite="site"/>
        <defaultAssemblyRequest permissionSetReference="Custom"/>
      </applicationRequestMinimum>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentOS>
      <osVersionInfo>
        <os majorVersion="4" minorVersion="10" buildNumber="0" servicePackMajor="0"/>
      </osVersionInfo>
    </dependentOS>
  </dependency>
  <dependency>
    <dependentAssembly dependencyType="preRequisite" allowDelayedBinding="true">
      <assemblyIdentity name="Microsoft.Windows.CommonLanguageRuntime" version="4.0.30319.0"/>
    </dependentAssembly>
  </dependency>
  <publisherIdentity name="CN=Jsign Code Signing Test Certificate" issuerKeyHash="16a2067191a8d42844971f95e71a5f8c9bbe2be0"/>
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
        <DigestValue>H9NRNAUDPXi1szcvYmfffyK8pIr4nsqWXoDp89Byb4A=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>FOQH5N35leiWIUG3GVlkPzjjF5Q9Lb+9tM8VnSXst1kpognyTzIxlkjwb7ltA9AAXdf1sfGAFchGceufRjMFT83az+zGkGWynyv78ifGnXsF3YYX2KBwbihKHPD2VB4Oh7QJ3zCitmGLVXJAe2Azkc0QPmoF3852mOfKDdhgm+4=</SignatureValue>
    <KeyInfo Id="StrongNameKeyInfo">
      <KeyValue>
        <RSAKeyValue>
          <Modulus>mjCKCiuR5NMShaTaiQHz1N+1mCiydQORuqh2YmrOlG+lWBkm4GeSiyKavfv1OoZV4yRhAa1/WOWgf77G93JvzFfavRv4paKCBbBbOCafRCCRAASRxT0aaNYmd53wIT4i9RZQx6YXU5AJsDdQj85e6aMle6gId+de0zW4kY8jFu0=</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
      <msrel:RelData xmlns:msrel="http://schemas.microsoft.com/windows/rel/2005/reldata">
        <r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:as="http://schemas.microsoft.com/windows/pki/2005/Authenticode">
          <r:grant>
            <as:ManifestInformation Hash="806f72d0f3e9805e96ca9ef88aa4bc227fdf67622f37b3b5783d03053451d31f" Description="" Url="">
              <as:assemblyIdentity name="Jsign.exe" version="1.0.0.0" publicKeyToken="ce7aed2aaa624904" language="neutral" processorArchitecture="msil" type="win32"/>
            </as:ManifestInformation>
            <as:SignedBy/>
            <as:AuthenticodePublisher>
              <as:X509SubjectName>CN=Jsign Code Signing Test Certificate</as:X509SubjectName>
            </as:AuthenticodePublisher>
          </r:grant>
          <r:issuer>
            <Signature Id="AuthenticodeSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
                <Reference URI="">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
                  <DigestValue>szXcFF+IuzECIWD73RG/khP29t3KDVdUh/vETVgtcl4=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>W00OX+6gm5Gsm+9+fzc6R4VbQB1WSBSQ4W5xNWA8/MFboPketco6RMt73U/URtV01OmgWKz+DqcvZL8VDw7RnYJ9tGyZ/or8lalJ5uhWrnlrqtoaEnShsWgl6W9pWk/vRuW0VA/NqQAqKdK1eTGOC2dYJj8PRmF9ml6Ug0JwxFE=</SignatureValue>
              <KeyInfo>
                <KeyValue>
                  <RSAKeyValue>
                    <Modulus>mjCKCiuR5NMShaTaiQHz1N+1mCiydQORuqh2YmrOlG+lWBkm4GeSiyKavfv1OoZV4yRhAa1/WOWgf77G93JvzFfavRv4paKCBbBbOCafRCCRAASRxT0aaNYmd53wIT4i9RZQx6YXU5AJsDdQj85e6aMle6gId+de0zW4kY8jFu0=</Modulus>
                    <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
                </KeyValue>
                <X509Data>
                  <X509Certificate>...</X509Certificate>
                  <X509Certificate>...</X509Certificate>
                </X509Data>
              </KeyInfo>
              <Object>
                <as:Timestamp>...</as:Timestamp>
              </Object>
            </Signature>
          </r:issuer>
        </r:license>
      </msrel:RelData>
    </KeyInfo>
  </Signature>
</asmv1:assembly>

Files with this signature don't have a Digital Signature tab in the file properties (at least on Windows 10).

This kind of signature isn't an Authenticode signature. Even if Jsign is focused on Authenticode, I don't mind supporting this format as well. But I won't have the time to work on it. If someone is interested in implementing it, I'll be happy to review and integrate it.

ebourg commented 2 years ago

The generation of XML signatures in Java is documented here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html

cxn-sjuhasz commented 2 years ago

Tried to reach out to you in email, but never heard back. The question was, what if we put money on the table? If interested, you have my address in my profile.

ebourg commented 5 months ago

I've played a bit with the XML signature API, the code snippet below is enough to sign a file but I don't think it makes a valid manifest signature yet:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import net.jsign.KeyStoreBuilder;
import org.w3c.dom.Document;

// alias and password are assumed to be provided by the caller (String values)
KeyStore keystore = new KeyStoreBuilder().keystore("keystore.p12").storepass(password).build();
PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, password.toCharArray());
Certificate[] chain = keystore.getCertificateChain(alias);
PublicKey publicKey = keystore.getCertificate(alias).getPublicKey();

// parse the unsigned manifest; namespace awareness is required by the XML signature API
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
Document document = builder.parse(new FileInputStream("application.manifest"));

XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");

// one enveloped reference covering the whole document (URI="")
DigestMethod digestMethod = factory.newDigestMethod(DigestMethod.SHA256, null);
Transform transform = factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
Reference ref = factory.newReference("", digestMethod, Collections.singletonList(transform), null, null);

CanonicalizationMethod c14n = factory.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null);
SignatureMethod signatureMethod = factory.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null);
SignedInfo signedInfo = factory.newSignedInfo(c14n, signatureMethod, Collections.singletonList(ref));

// key info: raw public key plus the certificate chain
KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
KeyValue keyValue = keyInfoFactory.newKeyValue(publicKey);
X509Data x509Data = keyInfoFactory.newX509Data(Arrays.asList(chain));
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Arrays.asList(keyValue, x509Data));

// sign and append the Signature element (Id="StrongNameSignature") to the root element
XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo, null, "StrongNameSignature", null);
signature.sign(new DOMSignContext(privateKey, document.getDocumentElement()));

TransformerFactory.newInstance().newTransformer().transform(new DOMSource(document), new StreamResult(System.out));

macdanny commented 1 month ago

I'm trying to figure this out myself. My use case is signing ClickOnce installers. The msrel:RelData element is definitely going to be required for that use case because that is where the Authenticode signature is, and Authenticode is the reason to sign ClickOnce installers in the first place.

The manifest has two signatures: one strong name signature which is used for integrity checking, and the other Authenticode signature which is used for authentication. I'm not an expert in this; this is just what I've figured out so far. I suppose they're both signed by the same key because they have equal publicKeyToken values.
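As an added example that is not part of the thread or of Jsign itself, here is the verifier-side counterpart to the signing snippet above: it walks every ds:Signature in a manifest (the StrongNameSignature and, in a mage-signed file, the nested AuthenticodeSignature) and validates each one against the RSAKeyValue carried in its own KeyInfo, using only the JDK's javax.xml.crypto API. It assumes the signatures use the standard algorithm identifiers (xmlenc#sha256, xmldsig-more#rsa-sha256) as in the snippet above; the mage output shown earlier uses xmldsig#sha256 and xmldsig#rsa-sha256 instead, which the stock JDK provider may not recognise when unmarshalling.

```java
import java.io.File;
import java.security.*;
import java.util.*;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class ManifestSignatureCheck {

    // Selects the KeyValue embedded in each Signature's own KeyInfo. A valid result only proves
    // which key signed the document; trust in that key (X509Data chain, publisherIdentity) is a separate decision.
    static final KeySelector EMBEDDED_KEY = new KeySelector() {
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyValue) {
                    try {
                        final Key key = ((KeyValue) item).getPublicKey();
                        return () -> key;
                    } catch (KeyException e) {
                        throw new KeySelectorException(e);
                    }
                }
            }
            throw new KeySelectorException("KeyInfo carries no KeyValue");
        }
    };

    // Validates every ds:Signature in the manifest and maps its Id attribute to the verdict.
    static Map<String, Boolean> check(File manifest) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // block DTD/XXE
        Document document = dbf.newDocumentBuilder().parse(manifest);
        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        Map<String, Boolean> results = new LinkedHashMap<>();
        NodeList signatures = document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        for (int i = 0; i < signatures.getLength(); i++) {
            Element element = (Element) signatures.item(i);
            DOMValidateContext context = new DOMValidateContext(EMBEDDED_KEY, element);
            XMLSignature signature = factory.unmarshalXMLSignature(context);
            // validate() checks the SignatureValue and every Reference digest
            results.put(element.getAttribute("Id"), signature.validate(context));
        }
        return results;
    }
}
```

A `false` verdict for a Reference but not for the SignatureValue usually means the manifest body was edited after signing; `XMLSignature.getSignatureValue().validate(context)` and `Reference.validate(context)` can be called separately to tell the two apart.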

ebourg commented 1 month ago

Thank you for the info, I didn't realize there were two signature schemes.

I've found some references about strong name signatures:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2006/july/clr-inside-out-using-strong-name-signatures
https://learn.microsoft.com/en-us/dotnet/standard/assembly/create-use-strong-named

It's not clear to me if the strong name signature is expected to be created first with a different tool (sn.exe) and a specific key, and then Jsign would add the Authenticode signature, or if both signatures should be created by Jsign with the same key.

macdanny commented 1 month ago

That is not clear to me either. I'm not sure it needs to use the same key ... I'm not that familiar with dot net. In my previous reply I thought it did have to use the same key, because they have the same publicKeyToken, but I learned yesterday that the publicKeyToken is unrelated to the key you use for signing. It's a value that is taken from an XML attribute in the manifest of the assembly you're signing, at least for ClickOnce installers. If you have an existing DLL or EXE that is a dot net assembly, you can also get it by running sn -T <assembly>.

macdanny commented 1 month ago

I guess I just answered my own question. If you needed to use the same key, then the publicKeyToken value would change when you sign the ClickOnce installer, because you're signing it with your own key, not the vendor's key. But it doesn't. So the strong name signature I think is taken care of by the machinery of dot net and the important signature is the Authenticode signature.

ROGG437063 commented 3 weeks ago

I have been investigating a similar use-case and Microsoft recommends to do strong naming with a self-signed key, so I don't see why that would also be used for Authenticode signatures, as you would want to have a key backed by a Certificate Authority there. I believe the dotnet sign CLI (https://github.com/dotnet/sign) implements this signing when using a pfx or Azure Key Vault. Though it seems to still rely on mage.exe.