
Azure Trusted Signing - unable to retrieve certificate chain

Open vadi2 opened this issue 1 year ago • 6 comments

Hi!

I successfully used jsign to sign a Windows executable 3 days ago:

$ jsign --storetype TRUSTEDSIGNING \
      --keystore eus.codesigning.azure.net \
      --storepass PAT HERE \
      --alias Mudlet/Mudlet \
      Mudlet.exe
Adding Authenticode signature to Mudlet.exe

But when I try to use exactly the same command today, I get this:

jsign: Unable to retrieve the certificate chain 'Mudlet/Mudlet'
java.security.KeyStoreException: Unable to retrieve the certificate chain 'Mudlet/Mudlet'
	at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:109)
	at net.jsign.jca.SigningServiceKeyStore.engineGetCertificateChain(SigningServiceKeyStore.java:43)
	at java.base/java.security.KeyStore.getCertificateChain(KeyStore.java:1100)
	at net.jsign.SignerHelper.build(SignerHelper.java:354)
	at net.jsign.SignerHelper.sign(SignerHelper.java:450)
	at net.jsign.SignerHelper.execute(SignerHelper.java:305)
	at net.jsign.JsignCLI.execute(JsignCLI.java:213)
	at net.jsign.JsignCLI.main(JsignCLI.java:57)
Caused by: java.io.IOException: InternalError - ClaimsPrincipal TenantId is null.
	at net.jsign.jca.RESTClient.query(RESTClient.java:159)
	at net.jsign.jca.RESTClient.post(RESTClient.java:73)
	at net.jsign.jca.AzureTrustedSigningService.sign(AzureTrustedSigningService.java:147)
	at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:106)
	... 7 more
Try `jsign --help' for more information.

The command is exactly the same. What could be going wrong?

The only external factor I noticed that changed is that Trusted Signing certificates only last 72h, so a new one got created today (screenshot not included).

vadi2 avatar Dec 05 '24 17:12 vadi2

Are you sure the token used the second time is valid?

ebourg avatar Dec 05 '24 22:12 ebourg

You're right, it's a very short-lived token.

Would you have any ideas how this is meant to work in a CI environment then? I've looked around but it's not immediately obvious.

vadi2 avatar Dec 06 '24 17:12 vadi2

Typically the token is retrieved during the build by calling:

az account get-access-token --resource https://codesigning.azure.net

So you need the Azure CLI in your build environment and the credentials required to generate the token.

ebourg avatar Dec 06 '24 17:12 ebourg
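The CI flow described in the reply above, as an added example that is not part of the issue thread and not jsign's own code: fetch the token with the Azure CLI command given above, check the token's `exp` claim before handing it to jsign (the "ClaimsPrincipal TenantId is null" message reported in this issue gives no hint that the token has expired, so a local expiry check fails fast with a clear message), then sign. It assumes the Azure CLI is already logged in (for example by a CI login step), that `jsign` is on `PATH`, and reuses the keystore and alias from the original report; `make_demo_token` builds an unsigned, constructed token purely so the expiry check can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not jsign's or the issue authors' code).
# Flow: az CLI -> access token -> local expiry check -> jsign.
set -euo pipefail

# Print the "exp" claim (seconds since the epoch) from a JWT's payload.
# The payload is the second dot-separated segment, base64url-encoded
# without padding, so translate the alphabet and restore the padding.
jwt_exp() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"exp":[[:space:]]*\([0-9]*\).*/\1/p'
}

# Succeed only if the token carries an "exp" at least 60 s in the future,
# leaving headroom for the signing request itself.
token_is_valid() {
  local exp now
  exp=$(jwt_exp "$1" || true)
  now=$(date +%s)
  [ -n "$exp" ] && [ "$exp" -gt $(( now + 60 )) ]
}

# Constructed, unsigned token with the given "exp"; used only for the
# offline demonstration below. Real tokens come from the Azure CLI.
make_demo_token() {
  local payload
  payload=$(printf '{"exp":%s}' "$1" | base64 | tr -d '=\n' | tr '+/' '-_')
  printf 'demo.%s.' "$payload"
}

# Retrieve a fresh token (command from the thread), verify it, and sign.
# Assumed: "az login" has already happened in this CI job.
sign_with_fresh_token() {
  local exe="$1" token
  token=$(az account get-access-token \
            --resource https://codesigning.azure.net \
            --query accessToken -o tsv)
  if ! token_is_valid "$token"; then
    echo "Trusted Signing token is missing or already expired; refresh it before signing" >&2
    return 1
  fi
  jsign --storetype TRUSTEDSIGNING \
        --keystore eus.codesigning.azure.net \
        --storepass "$token" \
        --alias Mudlet/Mudlet \
        "$exe"
}

# Offline demonstration of the check with a constructed token; pass an
# executable path as the first argument to run the real signing flow.
if [ "$#" -gt 0 ]; then
  sign_with_fresh_token "$1"
else
  demo=$(make_demo_token 1000000000)
  if token_is_valid "$demo"; then
    echo "constructed token accepted"
  else
    echo "constructed token rejected: exp=$(jwt_exp "$demo") is in the past"
  fi
fi
```

Because the token is passed on the jsign command line as `--storepass`, keep the CI log from echoing the command (no `set -x`) and mask the value in the job's log if the CI system supports it.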

Got it working, thanks. A combination of https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing plus https://github.com/marketplace/actions/azure-login did the trick.

vadi2 avatar Dec 07 '24 10:12 vadi2

Nice, I'm reopening the issue because the error reported could be improved. Jsign could hint about the expired token when receiving the "ClaimsPrincipal TenantId is null" error from Azure.

ebourg avatar Dec 07 '24 10:12 ebourg

I tried calling the Trusted Signing API with an expired token but I got an "HTTP Error 401 - Unauthorized" error instead. But my Azure subscription has expired, so that may explain the difference.

ebourg avatar Jan 15 '25 18:01 ebourg