"No signature found"/"No signature was present in the subject" when signing exe
Hi,
Firstly - thanks for your amazing work on jsign. It's exactly what we need!
We're trying to sign a Windows exe using a SHA512 key stored in Google KMS and with an EV certificate from GlobalSign, but the digital signature on the exe has the "No signature was present in the subject" message, and verifying with SignTool reports "No signature found".
I'm running jsign from code, having cloned the repo a couple of days ago.
We created a key like this:
gcloud kms keys create focal-point-code-signing-key \
--keyring code-signing-ring \
--location europe-west2 \
--purpose asymmetric-signing \
--protection-level hsm \
--default-algorithm rsa-sign-pss-4096-sha512
gcloud kms keys versions \
get-public-key 1 \
--location europe-west2 \
--keyring code-signing-ring \
--key focal-point-code-signing-key \
--output-file ./focal-point-code-signing-key.pub
and a CSR using https://github.com/mattes/google-cloud-kms-csr, which we used to get our certificate from GlobalSign. The certificate itself has a signature algorithm of sha256WithRSAEncryption but my understanding is that this doesn't need to match the signature algorithm we use to sign the exe?
We're using the following parameters with jsign:
--storetype "GOOGLECLOUD" \
--storepass <token> \
--keystore projects/waives-service/locations/europe-west2/keyRings/code-signing-ring \
--alias projects/waives-service/locations/europe-west2/keyRings/code-signing-ring/cryptoKeys/focal-point-code-signing-key/cryptoKeyVersions/1 \
--tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
--tsmode RFC3161 \
--alg SHA-512 \
--certfile /home/mark/code/code-signing/focal-point-code-signing-certificate.cer \
<file-to-sign.exe>
Do you have any ideas about what could be going on, or suggestions about how we could investigate? We don't currently have a thread to pull on.
Really appreciate all your work, and any suggestions you might have!
Thanks,
Mark
Here's a screenshot of the exe properties.

I'm slightly suspicious of "No signature was present in the subject" also appearing in the certificate information for our certificate:

Thank you for the feedback. Would you be able to sign the wineyes.exe file from the Jsign test resources and send it to [email protected] please? I'll get a look.
Thanks Emmanuel, much appreciated - I've emailed it to you.
I looked at the signed file but I fail to see what's wrong. Would you be able to sign it with signtool and see if there is the same error? If it works with signtool a side by side comparison of the two signatures will certainly unveil the cause of the issue. I suggest disabling the timestamping to simplify the comparison.
Hi Emmanuel. Thanks for looking. Yes, we'll try what you suggest. Are you able to point at any instructions for how to sign with SignTool when our private/public key is in Google KMS? We've failed to find any guide on how to do this!
Good question, I assume there is a PKCS#11 library somewhere for Google KMS but I haven't found one yet.
Maybe using this? https://github.com/nextgens/authenticode-sign-action https://github.com/nextgens/CloudSignTool https://github.com/nextgens/CloudSignTool/releases/download/1.0.0/SignTool.exe
Thanks, yes I've tried CloudSignTool and am getting the same result. This suggests it isn't a JSign issue, but I'm at a loss to understand where the issue could be. I think I'll have to go back to GlobalSign and see if they have any suggestions.
There's probably an issue with the certificate then. Let me know if you find out the issue, that may help others in the future.
Thanks Emmanuel, yes I will.
@markawightman75 did you ever get this resolved? I am getting the same error with a GlobalSign EV certificate. It seems related to the 4096 key size.
@markawightman75 How did you resolve this problem?
@markawightman75 I'm having exactly the same issue. Any updates on your side? Did you ever get this resolved?
> @markawightman75 I'm having exactly the same issue. Any updates on your side? Did you ever get this resolved?
I resolved this problem by changing the sequence of certificates in the chain.
@maxpain In what order?
- your cert
- their cert (GlobalSign Root CA?)
> @maxpain In what order?
> - your cert
> - their cert (GlobalSign?)
I got all 3 certificates from GlobalSign.
Example:
jsign --storetype GOOGLECLOUD \
--storepass "$(gcloud auth print-access-token)" \
--keystore projects/codesigning/locations/europe-central2/keyRings/CodeSigning \
--alias ev4096 \
--certfile full-chain.pem \
--tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
--tsmode RFC3161 \
example_app.exe
@maxpain Do all certs have 4096-bit length?
> @maxpain Do all certs have 4096-bit length?
I don't know. How to check?
> @maxpain Do all certs have 4096-bit length?
> I don't know. How to check?
cat intermediate1.cer | openssl x509 -text -noout
Check the RSA Public-key (XXXX bit) part of the output.
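The two checks discussed in this thread (is the chain file ordered leaf first, as in the `--certfile full-chain.pem` example above, and what key size and signature algorithm does each certificate carry) can be scripted. The following POSIX shell script is an added example, not Jsign project code; it assumes `openssl` is on the PATH and uses a constructed self-signed test chain (`Example Root CA`, `Example Intermediate CA`, `Example Code Signing`) for a stand-alone run, so the names are placeholders rather than GlobalSign's certificates.

```shell
#!/bin/sh
# Added example (not part of the Jsign project): sanity-check a PEM chain
# before handing it to jsign --certfile. Prints each certificate's subject,
# key size and signature algorithm, and verifies the order is leaf first
# (certificate N's issuer must equal certificate N+1's subject).
set -u

# Usage: check_chain_order full-chain.pem
# Returns 0 when every issuer matches the next subject, 1 otherwise.
check_chain_order() {
    chain="$1"
    tmp=$(mktemp -d)
    # Split the bundle into cert1.pem, cert2.pem, ... (one certificate each).
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (dir "/cert" n ".pem")}' "$chain"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    ok=0
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/cert$i.pem"
        subj=$(openssl x509 -in "$f" -noout -subject)
        text=$(openssl x509 -in "$f" -noout -text)
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]* bit\)).*/\1/p' | head -n1)
        sigalg=$(printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n1 | sed 's/^ *//')
        echo "[$i] $subj"
        echo "    RSA key: $bits; $sigalg"
        if [ "$i" -lt "$count" ]; then
            # The issuer of this certificate must be the subject of the next one.
            iss_hash=$(openssl x509 -in "$f" -noout -issuer_hash)
            subj_hash=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject_hash)
            if [ "$iss_hash" != "$subj_hash" ]; then
                echo "    issuer does not match subject of certificate $((i + 1)): chain is out of order"
                ok=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $ok
}

# Constructed three-level test chain (root -> intermediate -> leaf) so the
# script can be exercised offline; real EV chains come from the CA.
make_sample_chain() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/inter.pem" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=Example Code Signing" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
    cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/full-chain.pem"     # leaf first (correct)
    cat "$d/root.pem" "$d/inter.pem" "$d/leaf.pem" > "$d/reversed-chain.pem" # root first (wrong)
}

# Run directly: sh check-chain.sh full-chain.pem
if [ "$#" -eq 1 ]; then
    check_chain_order "$1"
fi
```

The subject/issuer comparison uses `-subject_hash` and `-issuer_hash` rather than the printed DN strings, so it is independent of how a given OpenSSL version formats names. A non-zero exit from `check_chain_order` means the file should be reordered before it is used with `--certfile`.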
Thanks!
And how did you generate the CSR which was signed by GlobalSign? I assume you're also using Cloud HSM (AWS or Google)
> And how did you generate the CSR which was signed by GlobalSign? I assume you're also using Cloud HSM (AWS or Google)
I used this: https://github.com/mattes/google-cloud-kms-csr
> And how did you generate the CSR which was signed by GlobalSign? I assume you're also using Cloud HSM (AWS or Google)
> I used this: https://github.com/mattes/google-cloud-kms-csr
Sorry for the questions but one more, the last: what kind of keys do you have in the HSM? What's the key type / algorithm? I suspect we're using a not properly supported version on Google Cloud KMS HSM.
Perfect, and what's the algorithm inside if you click on the ev4096 key?
Mine looks like this:

Million thanks!
@maxpain I can verify that it works with a 4096-bit RSA key (PKCS#1 v1.5 padding - SHA256 Digest)
But it does not work with Google KMS HSM - 4096-bit RSA key (PSS Padding - SHA256 Digest). Maybe it's related to the original issue.
cc @ebourg @markawightman75