ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0
259 stars, 108 forks

Unable to sign with Google Cloud #136

Closed michaelst closed 1 year ago

michaelst commented 1 year ago

I think this is most likely an issue on my part with how I uploaded to Google, as I got this working when I use the pfx directly as the keystore.

Here is how I uploaded to Google

# extract the private key from the PFX, unencrypted
openssl pkcs12 -in key.pfx -nocerts -out key.pem -nodes
# convert it to unencrypted PKCS#8 DER, the format the KMS import takes
openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in key.pem -out key.der

# create an import job (wrapping key) in the key ring
gcloud kms import-jobs create import-3 \
  --location us-central1 \
  --keyring keyring \
  --import-method rsa-oaep-3072-sha1-aes-256 \
  --protection-level software

# wrap the key locally and import it as a new version of code-signing
gcloud kms keys versions import \
    --import-job import-3 \
    --location us-central1 \
    --keyring keyring \
    --key code-signing \
    --algorithm rsa-sign-pss-3072-sha256 \
    --target-key-file key.der

# to generate full-chain.pem for --certfile (this is maybe where the issue is)
openssl pkcs12 -in key.pfx -cacerts -nokeys -chain -out full-chain.pem

This is how I'm running jsign

jsign --storetype GOOGLECLOUD --storepass $TOKEN \
       --keystore projects/<project-id>/locations/us-central1/keyRings/keyring \
       --alias code-signing/cryptoKeyVersions/12:RSA --certfile full-chain.pem file.exe

This is the error I'm getting

net.jsign.bouncycastle.operator.RuntimeOperatorException: exception obtaining signature: Signature length not correct: got 384 but was expecting 512
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$SigVerifier.verify(Unknown Source)
        at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$RawSigVerifier.verify(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
        at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
        at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:368)
        at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:338)
        at net.jsign.SignerHelper.sign(SignerHelper.java:550)
        at net.jsign.JsignCLI.execute(JsignCLI.java:117)
        at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.security.SignatureException: Signature length not correct: got 384 but was expecting 512
        at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:212)
        at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1416)
        at java.base/java.security.Signature.verify(Signature.java:790)
michaelst commented 1 year ago

I fixed that error by changing the full-chain.pem export to this

openssl pkcs12 -in key.pfx -nokeys -chain -out full-chain.pem

but now the resulting file says "No signature was present in the subject"

michaelst commented 1 year ago

looks like that is addressed here: https://github.com/ebourg/jsign/issues/93

ebourg commented 1 year ago

Did you fix the issue? Was this caused by the PSS padding?

michaelst commented 1 year ago

Yes it was the PSS padding
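The two errors in this thread have two distinct causes. The first one is a certificate problem: 384 bytes is the signature size of a 3072-bit RSA key (the KMS key), while 512 bytes is what a 4096-bit key produces, and `openssl pkcs12 -cacerts -nokeys` writes only the issuer certificates, so full-chain.pem did not contain the signing certificate at all and the verifier in the stack trace checked the signature against an issuer's key. The second one is a padding problem: Authenticode signatures are PKCS#1 v1.5, so a key version imported with `rsa-sign-pss-3072-sha256` produces signatures Windows does not recognise, which is what "No signature was present in the subject" reports. The script below is an added example, not code from the jsign project or from the reporter: it exports the chain with the leaf first, checks that the leaf's public key is the KMS key, checks that the key version's algorithm is the PKCS#1 variant, and only then calls jsign. The key ring, key, version, location and the `PROJECT_ID` variable are assumed names taken from the thread; adjust them to your setup.

```shell
#!/bin/sh
# Added example (not from the jsign project or the issue author): preflight
# checks before signing with jsign against a Google Cloud KMS key, covering the
# two failure modes seen in this thread. Assumed names: key.pfx, key ring
# "keyring", key "code-signing", version 12, location us-central1, and
# PROJECT_ID set in the environment.
set -eu

LOCATION=us-central1
KEYRING=keyring
KEY=code-signing
VERSION=12

# KMS algorithm name (as printed by "gcloud kms keys versions describe") for an
# RSA key of the given size. Authenticode signatures are PKCS#1 v1.5 over
# SHA-256; an RSA_SIGN_PSS_* key version yields signatures Windows rejects.
kms_algorithm_for_bits() {
  case "$1" in
    2048|3072|4096) echo "RSA_SIGN_PKCS1_$1_SHA256" ;;
    *) echo "unsupported RSA key size: $1" >&2; return 1 ;;
  esac
}

# 1. Export the certificates with the signing (leaf) certificate first. With
#    "-cacerts" alone only the issuers are written and the leaf is missing.
export_chain() {
  openssl pkcs12 -in key.pfx -clcerts -nokeys -out leaf.pem
  openssl pkcs12 -in key.pfx -cacerts -nokeys -out ca.pem
  cat leaf.pem ca.pem > full-chain.pem
}

# 2. The first certificate in full-chain.pem must carry the public key of the
#    KMS key version, otherwise the signature length will not match the
#    modulus (384 bytes is a 3072-bit key, 512 bytes a 4096-bit key).
check_key_matches() {
  gcloud kms keys versions get-public-key "$VERSION" --key "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" --output-file kms-pub.pem
  leaf_fp=$(openssl x509 -in full-chain.pem -pubkey -noout \
    | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
  kms_fp=$(openssl pkey -pubin -in kms-pub.pem -outform DER \
    | sha256sum | cut -d' ' -f1)
  [ "$leaf_fp" = "$kms_fp" ] || {
    echo "first certificate in full-chain.pem is not the KMS signing key" >&2
    return 1
  }
}

# 3. The key version must use PKCS#1 v1.5 padding. If it does not, re-import
#    the PKCS#8 DER key with:
#      gcloud kms keys versions import ... --algorithm rsa-sign-pkcs1-3072-sha256
check_algorithm() {
  bits=$(openssl pkey -pubin -in kms-pub.pem -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  expected=$(kms_algorithm_for_bits "$bits")
  actual=$(gcloud kms keys versions describe "$VERSION" --key "$KEY" \
    --keyring "$KEYRING" --location "$LOCATION" --format='value(algorithm)')
  [ "$actual" = "$expected" ] || {
    echo "key version uses $actual, Authenticode needs $expected" >&2
    return 1
  }
}

# 4. Sign. The store password for GOOGLECLOUD is an OAuth access token; the
#    ":RSA" suffix on the alias is the form used in the thread.
sign_file() {
  jsign --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" \
    --keystore "projects/${PROJECT_ID:?}/locations/$LOCATION/keyRings/$KEYRING" \
    --alias "$KEY/cryptoKeyVersions/$VERSION:RSA" \
    --certfile full-chain.pem "$1"
}

# Run the checks and sign when a file is given; sourcing the file without an
# argument only defines the functions.
if [ -n "${1:-}" ]; then
  export_chain
  check_key_matches
  check_algorithm
  sign_file "$1"
fi
```

Run it as `PROJECT_ID=my-project ./sign-check.sh file.exe`. Step 2 is what would have caught the original `-cacerts -nokeys` export, and step 3 is what would have caught the PSS key version before a signed file ever reached signtool.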