vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License

Error while signing a file: SignerSignEx3 returns code 0x800B010A #185

Open Youkko opened 1 year ago

Youkko commented 1 year ago

I'm trying to sign a file with a certificate stored on Azure vault. I signed that some time ago and it worked, but now I'm trying to sign again with the same command and am getting errors.

The parameters I used:

sign -du "https://mycompanywebsite.com" -fd sha384 -kvu https://mycompanyvault.vault.azure.net/ -kva "{bigtokenstringhere}" -kvc code-sign -tr http://timestamp.digicert.com -td sha384 -v C:\MyProject\MyProgram.exe

Of course, I replaced the real URLs with fake ones, but this command always worked. Also, note that the certificate file and token I used are valid.

Here's the output from my debug session:

trce: AzureSignTool.SignCommand[0]
      Retrieving certificate code-sign.
trce: AzureSignTool.SignCommand[0]
      Retrieved certificate code-sign.
trce: AzureSignTool.SignCommand[0]
      Creating context
info: AzureSignTool.SignCommand[0]
      => File: C:\MyProject\MyProgram.exe
      Signing file.
trce: AzureSignTool.SignCommand[0]
      => File: C:\MyProject\MyProgram.exe
      Getting SIP Data
trce: AzureSignTool.SignCommand[0]
      => File: C:\MyProject\MyProgram.exe
      Calling SignerSignEx3
fail: AzureSignTool.SignCommand[0]
      => File: C:\MyProject\MyProgram.exe
      Signing failed with error 800B010A.
info: AzureSignTool.SignCommand[0]
      => File: C:\MyProject\MyProgram.exe
      Stopping file signing.
info: AzureSignTool.SignCommand[0]
      Successful operations: 0
info: AzureSignTool.SignCommand[0]
      Failed operations: 1

While debugging, I found out that the problem happens on AzureSign.Core/AuthenticodeKeyVaultSigner.cs:171 call, which returns code -2146762486 as result (which translates to 0x800B010A). This doesn't match any handled return codes, and I have no idea what this code means.

The closest explanation for this code I got was this one, but this doesn't make much sense, since I'm trying to sign a file using a certificate stored on Azure Key Vault (and not trying to install a certificate), which I suppose doesn't require any certificates to exist on my current environment. Besides, this was working some time ago, and suddenly stopped.

Since I don't have a deep knowledge about how the file signing process works/is done, and this one seems to be the only tool able to sign files using a certificate stored on Azure vault, I'm asking for help with this.

Thank you so much in advance.

Youkko commented 1 year ago

Oh, and I should've mentioned that I'm running it on Windows 11 Pro v22H2 build 22621.675, with Microsoft Visual Studio Community 2022 (64-bit) v17.3.6

Youkko commented 1 year ago

Ok, after 5 days of researching, I found out that this error is Windows telling you that you're trying to sign your application with a void certificate, so it can't be validated. I suggest that you add this to the list of handled return codes.

shermanericts commented 4 months ago

> Ok, after 5 days of researching, I found out that this error is Windows telling you that you're trying to sign your application with a void certificate, so it can't be validated. I suggest that you add this to the list of handled return codes.

Thank you for saving me the time! This was exactly what happened to me today.

Youkko commented 4 months ago

> > Ok, after 5 days of researching, I found out that this error is Windows telling you that you're trying to sign your application with a void certificate, so it can't be validated. I suggest that you add this to the list of handled return codes.
>
> Thank you for saving me the time! This was exactly what happened to me today.

Glad to help!

vcsjones commented 4 months ago

Re-opening to handle this error better.
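
A pre-flight check for the failure discussed in this thread, as an added example (not AzureSignTool's code and not from any participant): it builds the X.509 chain for the signing certificate with .NET's `X509Chain` and reports the status flags before any signing call is made. winerror.h names 0x800B010A `CERT_E_CHAINING` ("A certificate chain could not be built to a trusted root authority"). The class name `ChainPreflight`, the subject name and the self-signed expired certificate are constructed stand-ins for the public certificate retrieved from Key Vault.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainPreflight // hypothetical name, not part of AzureSignTool
{
    // winerror.h: CERT_E_CHAINING. Same bits as the signed value -2146762486 seen in the debugger.
    const int CERT_E_CHAINING = unchecked((int)0x800B010A);
    const string CodeSigningEku = "1.3.6.1.5.5.7.3.3";

    // Returns one line per chain problem; an empty array means the chain built cleanly.
    static string[] Check(X509Certificate2 cert)
    {
        using var chain = new X509Chain();
        // NoCheck keeps this demo offline; a release pipeline would use Online.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(CodeSigningEku));
        if (chain.Build(cert)) return Array.Empty<string>();
        return chain.ChainStatus
            .Select(s => $"{s.Status}: {s.StatusInformation.Trim()}")
            .ToArray();
    }

    static void Main()
    {
        // Shows that the decimal return code and the hex code in the log are the same HRESULT.
        Console.WriteLine($"{CERT_E_CHAINING} == 0x{CERT_E_CHAINING:X8}");

        // Constructed sample certificate: self-signed and already expired.
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Constructed Test Signer", key,
            HashAlgorithmName.SHA384, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid(CodeSigningEku) }, false));
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-30), DateTimeOffset.UtcNow.AddDays(-1));

        var problems = Check(cert);
        foreach (var p in problems) Console.WriteLine(p);
        // A non-zero exit code lets a build step stop before the signing call.
        Environment.ExitCode = problems.Length == 0 ? 0 : 1;
    }
}
```

In a real pipeline, `Check` would be given the certificate fetched from the vault instead of the constructed one, so an expired or unchainable certificate is reported by name rather than as a bare HRESULT.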