ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Failed to load the keystore when running in CI/CD Pipeline #132

Closed mrshorten closed 1 year ago

mrshorten commented 2 years ago

I am attempting to automate code signing from our Bamboo server. Everything seems to work well when remotely logged into the machine using this command:

java -jar C:\Users\USER\jsign-4.1.jar --keystore C:\Users\USER\eToken.cfg --alias "ALIAS" --storetype PKCS11 --storepass PASSWORD --alg SHA-256 --tsaurl http://timestamp.digicert.com --tsmode RFC3161 FILE_TO_SIGN

However, when running that same command as part of a build task, I get the following error. The Bamboo service is running as the same user that I remotely logged in as. Any thoughts would be greatly appreciated.

jsign: Failed to load the keystore C:\Users\USER\eToken.cfg
java.security.KeyStoreException: keystore type 'PKCS11' is not supported
    at net.jsign.KeyStoreUtils.load(KeyStoreUtils.java:77)
    at net.jsign.SignerHelper.build(SignerHelper.java:388)
    at net.jsign.SignerHelper.sign(SignerHelper.java:562)
    at net.jsign.JsignCLI.execute(JsignCLI.java:117)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.security.KeyStoreException: PKCS11 not found
    at java.security.KeyStore.getInstance(KeyStore.java:940)
    at net.jsign.KeyStoreUtils.load(KeyStoreUtils.java:72)
    ... 4 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: PKCS11 for provider SunPKCS11-eToken
    at sun.security.jca.GetInstance.getService(GetInstance.java:101)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
    at java.security.Security.getImpl(Security.java:724)
    at java.security.KeyStore.getInstance(KeyStore.java:937)
    ... 5 more

ebourg commented 2 years ago

It looks like Jsign can't access the hardware token. Are you sure the build is run in the same environment and not inside a container lacking access to the token?

tresf commented 1 year ago

What Java version? It might be an upstream bug. https://github.com/corretto/corretto-8/issues/306

ebourg commented 1 year ago

I don't think it's related to this issue, this looks more like a bad SunPKCS11 configuration.

@mrshorten could you try again with the -Djava.security.debug=sunpkcs11 parameter?
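
A standalone check for the condition the stack trace reports, added here as an example (it is not part of the thread or of Jsign's code): it loads the same SunPKCS11 configuration file and reports whether the provider exposes a `KeyStore.PKCS11` service in the current process, so it can be run once in the interactive session and once as a build task. The class name `Pkcs11Check` and the `TOKEN_PIN` environment variable are assumptions made for this example.

```java
import java.lang.reflect.Method;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Collections;

// Usage: javac Pkcs11Check.java && java -Djava.security.debug=sunpkcs11 Pkcs11Check C:\Users\USER\eToken.cfg
public class Pkcs11Check {

    // Build a SunPKCS11 provider from a config file on both Java 8 and Java 9+.
    static Provider load(String cfg) throws Exception {
        try {
            // Java 9+: Provider.configure(String) returns the configured provider.
            Method configure = Provider.class.getMethod("configure", String.class);
            Provider base = Security.getProvider("SunPKCS11");
            if (base == null) {
                throw new IllegalStateException("SunPKCS11 provider is not available in this JRE");
            }
            return (Provider) configure.invoke(base, cfg);
        } catch (NoSuchMethodException e) {
            // Java 8: public constructor taking the config file path.
            return (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
                    .getConstructor(String.class).newInstance(cfg);
        }
    }

    public static void main(String[] args) throws Exception {
        // Record the runtime context so the interactive and CI runs can be compared.
        System.out.println("java.version=" + System.getProperty("java.version")
                + " user.name=" + System.getProperty("user.name"));

        Provider p = load(args[0]);
        System.out.println("provider=" + p.getName());

        // The "no such algorithm: PKCS11 for provider ..." error means this lookup fails.
        if (p.getService("KeyStore", "PKCS11") == null) {
            System.out.println("No KeyStore.PKCS11 service: the token is not visible to this process");
            System.exit(2);
        }

        // TOKEN_PIN is a hypothetical variable name; it keeps the PIN off the command line.
        String pin = System.getenv("TOKEN_PIN");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin == null ? null : pin.toCharArray());
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias=" + alias + " isKey=" + ks.isKeyEntry(alias));
        }
    }
}
```

Exit code 2 from the build task alongside a normal alias listing from the interactive session points at token visibility in the service's environment rather than at the Jsign command line.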