indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Remote signing error MissingOrMalformedExtensions #76

Open ofek opened 1 year ago

ofek commented 1 year ago

On GitHub Actions I'm running:

rcodesign sign --remote-signer --remote-public-key-pem-file app/macos/developer-id-application.pem "targets/Datadog QA.app" "targets/Datadog QA signed.app"

The app/macos/developer-id-application.pem file contains the public key as described here. Locally I am running:

rcodesign remote-sign -vvv --sjs-path s.txt --der-source developerID_application.cer --pem-source private.pem

The developerID_application.cer file is what I downloaded from Apple as described here and the private.pem file is the private key I created as described here.

I get the following error:

[2023-04-22T14:16:05Z WARN  apple_codesign::cli] reading PEM data from private.pem
[2023-04-22T14:16:05Z WARN  apple_codesign::cli] reading DER file developerID_application.cer
[2023-04-22T14:16:05Z WARN  apple_codesign::remote_signing] connecting to wss://ws.codesign.gregoryszorc.com/
[2023-04-22T14:16:05Z DEBUG tungstenite::client] Trying to contact wss://ws.codesign.gregoryszorc.com/ at 44.233.157.16:443...
Error: remote signing error: websocket error: TLS error: webpki error: MissingOrMalformedExtensions

The error appears to come from here. It seems like that crate is unmaintained and now (as of a month ago) there is a maintained fork here. Perhaps this feature would fix the situation?

I don't know why this would be happening seemingly to just me, since others, I assume, are successfully using remote signing.

Here is the certificate:

❯ openssl x509 -in developerID_application.cer -inform DER -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:6c:da:d2:77:08:e2:ed:97:54:7c:5b:66:93:11:58
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Developer ID Certification Authority, OU = G2, O = Apple Inc., C = US
        Validity
            Not Before: Apr  4 14:34:10 2023 GMT
            Not After : Apr  4 14:34:09 2028 GMT
        Subject: UID = JKFCB4CN7C, CN = "Developer ID Application: Datadog, Inc. (JKFCB4CN7C)", OU = JKFCB4CN7C, O = "Datadog, Inc.", C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:cd:4c:fe:22:57:ec:1a:72:29:31:e9:dd:c9:
                    0d:e8:e8:bc:b1:5b:9f:05:b6:9f:25:21:a3:9b:6e:
                    53:d0:6c:5f:3a:02:1f:3c:a1:d0:f7:6c:fd:44:8c:
                    09:9d:6e:72:4e:9d:ff:b4:f7:d6:a3:42:7e:9b:09:
                    a5:bf:f1:01:1f:41:b8:ca:d6:da:d7:6f:70:8b:73:
                    e5:24:13:ff:bb:0a:77:a8:83:8d:31:4a:d7:4c:6c:
                    37:8d:9d:a6:8e:9a:69:a3:fb:de:0e:03:b3:84:d2:
                    2c:2a:f3:c6:16:bf:19:8c:70:b6:1a:cc:0d:42:30:
                    e7:fd:09:0f:98:b6:98:f6:4d:ab:91:f5:4e:0d:e2:
                    d6:d0:29:4d:ee:e5:c3:b4:a9:92:26:d0:f6:7c:1d:
                    f8:19:6b:f6:25:59:26:8a:b1:12:c9:67:30:91:67:
                    32:54:ce:c9:2d:d5:03:18:fa:b6:8b:4f:c7:4a:1a:
                    25:68:00:8d:57:74:b0:eb:88:b9:e5:57:aa:8b:ac:
                    d7:77:a7:88:f8:f7:e9:83:86:6b:03:01:ef:9b:7a:
                    1b:a7:b5:00:fd:97:74:ff:ef:24:84:32:98:40:2c:
                    32:b1:01:5b:0a:aa:0f:69:0d:ce:1a:10:0e:87:67:
                    a9:db:44:f0:cb:c7:3c:76:75:76:6c:12:e7:a4:59:
                    90:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:F8:3A:0C:69:11:76:E0:ED:AC:D1:EB:A6:59:FA:37:D5:C4:55:B0:1E

            Authority Information Access:
                CA Issuers - URI:http://certs.apple.com/devidg2.der
                OCSP - URI:http://ocsp.apple.com/ocsp03-devidg201

            X509v3 Certificate Policies:
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: https://www.apple.com/certificateauthority/

            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Subject Key Identifier:
                87:7F:B9:E7:0B:EB:60:62:C3:D8:2F:4F:04:41:BE:5F:F5:3D:AD:C6
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.1.33:
                ..20150327000000Z
            1.2.840.113635.100.6.1.13: critical
                ..
    Signature Algorithm: sha256WithRSAEncryption
         4d:ad:d2:47:28:29:d0:cd:1a:d3:a1:6e:10:7f:7d:94:af:5e:
         3d:15:37:eb:4c:10:ea:e4:b9:35:ad:52:ef:ee:cf:91:20:b7:
         bf:2b:fd:50:a9:99:64:db:82:82:97:54:55:32:57:89:10:b4:
         16:29:14:bf:53:36:46:de:4c:00:b4:62:8e:fd:5f:a8:ae:f2:
         d7:cd:df:19:36:ff:12:3d:bc:f8:59:23:7b:b1:be:78:b9:fc:
         23:aa:66:41:f6:31:21:9f:3e:db:82:4e:b2:cf:d7:d0:0e:11:
         d0:66:cc:ea:c7:9c:3a:68:2b:b7:43:36:6b:a6:c1:24:5c:ec:
         a1:49:ea:49:9f:ae:f4:0f:e7:ad:a2:21:cc:1d:f8:92:15:dc:
         84:08:eb:51:ec:2d:1f:53:11:50:3a:61:00:9f:60:52:2d:f3:
         01:49:8f:5e:46:77:32:ef:28:05:80:17:f8:3c:58:3c:12:e9:
         95:29:20:d6:31:d5:29:54:f7:23:fb:e6:90:ad:60:3a:41:b4:
         7d:59:a4:d4:50:a2:ff:d4:de:c8:16:78:a3:b2:30:ab:b4:80:
         5c:30:c4:c5:2e:6c:6a:ac:22:10:f5:bf:fa:f9:7a:d4:ec:ac:
         93:9f:c1:29:e0:27:bb:f5:bf:b9:55:16:4b:64:20:0f:7a:9b:
         8d:e7:fb:08
indygreg commented 10 months ago

This is really weird. The error is coming from establishing the websocket connection to ws.codesign.gregoryszorc.com. That's not your developer ID signing certificate. Rather, it's an AWS-issued certificate:

$ openssl s_client -connect ws.codesign.gregoryszorc.com:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = *.execute-api.us-west-2.amazonaws.com
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=*.execute-api.us-west-2.amazonaws.com
   i:/C=US/O=Amazon/CN=Amazon RSA 2048 M01
 1 s:/C=US/O=Amazon/CN=Amazon RSA 2048 M01
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
subject=/CN=*.execute-api.us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M01
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5525 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1699498737
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

I'm not sure why you are seeing this. I was able to remote sign the other day just fine. Can you try with a newer version of rcodesign perhaps?
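The error name points at the X.509v3 extensions field of a certificate in the TLS chain, and the comment above shows that the certificate in question is the server's, not the Developer ID one. As an added example (not code from this thread or from apple-platform-rs), this Go program shows the triage a reader can run on a DER leaf certificate taken from the handshake: whether it is v3, whether it carries any extensions at all, whether a subjectAltName covers the dialled host, and how many critical extensions the parser did not recognise. The certificates it inspects are constructed in-code, and the names `InspectLeaf`, `MakeTestCert` and `example.test` are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type LeafReport struct {
	Version       int  // 3 for an X.509v3 certificate
	HasExtensions bool // false when the v3 extensions field is absent entirely
	CoversHost    bool // whether a subjectAltName entry covers the dialled host
	UnhandledCrit int  // critical extensions the parser did not recognise
}

// InspectLeaf parses one DER certificate and reports the extension facts a strict TLS verifier weighs for host.
func InspectLeaf(der []byte, host string) (LeafReport, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return LeafReport{}, err
	}
	return LeafReport{cert.Version, len(cert.Extensions) > 0,
		cert.VerifyHostname(host) == nil, len(cert.UnhandledCriticalExtensions)}, nil
}

// MakeTestCert builds a constructed self-signed certificate for this example
// (not one from the thread). sans == nil yields a v3 cert with no extensions.
func MakeTestCert(sans []string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans, // the only extension this template can produce
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	fmt.Println(InspectLeaf(MakeTestCert(nil), "ws.example.test"))
}
```

To inspect a real leaf, pass the DER bytes of the certificate captured from the handshake to `InspectLeaf` in place of the constructed ones.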

ofek commented 10 months ago

I don't have time to test in the next few days but can you try on Windows? I use Windows so maybe that's the issue.