
Remote signing error MissingOrMalformedExtensions

Open ofek opened this issue 2 years ago • 2 comments

On GitHub Actions I'm running:

rcodesign sign --remote-signer --remote-public-key-pem-file app/macos/developer-id-application.pem "targets/Datadog QA.app" "targets/Datadog QA signed.app"

The app/macos/developer-id-application.pem file contains the public key as described here. Locally I am running:

rcodesign remote-sign -vvv --sjs-path s.txt --der-source developerID_application.cer --pem-source private.pem

The developerID_application.cer file is what I downloaded from Apple as described here and the private.pem file is the private key I created as described here.

I get the following error:

[2023-04-22T14:16:05Z WARN  apple_codesign::cli] reading PEM data from private.pem
[2023-04-22T14:16:05Z WARN  apple_codesign::cli] reading DER file developerID_application.cer
[2023-04-22T14:16:05Z WARN  apple_codesign::remote_signing] connecting to wss://ws.codesign.gregoryszorc.com/
[2023-04-22T14:16:05Z DEBUG tungstenite::client] Trying to contact wss://ws.codesign.gregoryszorc.com/ at 44.233.157.16:443...
Error: remote signing error: websocket error: TLS error: webpki error: MissingOrMalformedExtensions

The error appears to come from here. It seems like that crate is unmaintained and now (as of a month ago) there is a maintained fork here. Perhaps this feature would fix the situation?

I don't know why this would be happening seemingly to just me since others I assume are successfully using remote signing.

Here is the certificate:

❯ openssl x509 -in developerID_application.cer -inform DER -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:6c:da:d2:77:08:e2:ed:97:54:7c:5b:66:93:11:58
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Developer ID Certification Authority, OU = G2, O = Apple Inc., C = US
        Validity
            Not Before: Apr  4 14:34:10 2023 GMT
            Not After : Apr  4 14:34:09 2028 GMT
        Subject: UID = JKFCB4CN7C, CN = "Developer ID Application: Datadog, Inc. (JKFCB4CN7C)", OU = JKFCB4CN7C, O = "Datadog, Inc.", C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cb:cd:4c:fe:22:57:ec:1a:72:29:31:e9:dd:c9:
                    0d:e8:e8:bc:b1:5b:9f:05:b6:9f:25:21:a3:9b:6e:
                    53:d0:6c:5f:3a:02:1f:3c:a1:d0:f7:6c:fd:44:8c:
                    09:9d:6e:72:4e:9d:ff:b4:f7:d6:a3:42:7e:9b:09:
                    a5:bf:f1:01:1f:41:b8:ca:d6:da:d7:6f:70:8b:73:
                    e5:24:13:ff:bb:0a:77:a8:83:8d:31:4a:d7:4c:6c:
                    37:8d:9d:a6:8e:9a:69:a3:fb:de:0e:03:b3:84:d2:
                    2c:2a:f3:c6:16:bf:19:8c:70:b6:1a:cc:0d:42:30:
                    e7:fd:09:0f:98:b6:98:f6:4d:ab:91:f5:4e:0d:e2:
                    d6:d0:29:4d:ee:e5:c3:b4:a9:92:26:d0:f6:7c:1d:
                    f8:19:6b:f6:25:59:26:8a:b1:12:c9:67:30:91:67:
                    32:54:ce:c9:2d:d5:03:18:fa:b6:8b:4f:c7:4a:1a:
                    25:68:00:8d:57:74:b0:eb:88:b9:e5:57:aa:8b:ac:
                    d7:77:a7:88:f8:f7:e9:83:86:6b:03:01:ef:9b:7a:
                    1b:a7:b5:00:fd:97:74:ff:ef:24:84:32:98:40:2c:
                    32:b1:01:5b:0a:aa:0f:69:0d:ce:1a:10:0e:87:67:
                    a9:db:44:f0:cb:c7:3c:76:75:76:6c:12:e7:a4:59:
                    90:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:F8:3A:0C:69:11:76:E0:ED:AC:D1:EB:A6:59:FA:37:D5:C4:55:B0:1E

            Authority Information Access:
                CA Issuers - URI:http://certs.apple.com/devidg2.der
                OCSP - URI:http://ocsp.apple.com/ocsp03-devidg201

            X509v3 Certificate Policies:
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: https://www.apple.com/certificateauthority/

            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Subject Key Identifier:
                87:7F:B9:E7:0B:EB:60:62:C3:D8:2F:4F:04:41:BE:5F:F5:3D:AD:C6
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.1.33:
                ..20150327000000Z
            1.2.840.113635.100.6.1.13: critical
                ..
    Signature Algorithm: sha256WithRSAEncryption
         4d:ad:d2:47:28:29:d0:cd:1a:d3:a1:6e:10:7f:7d:94:af:5e:
         3d:15:37:eb:4c:10:ea:e4:b9:35:ad:52:ef:ee:cf:91:20:b7:
         bf:2b:fd:50:a9:99:64:db:82:82:97:54:55:32:57:89:10:b4:
         16:29:14:bf:53:36:46:de:4c:00:b4:62:8e:fd:5f:a8:ae:f2:
         d7:cd:df:19:36:ff:12:3d:bc:f8:59:23:7b:b1:be:78:b9:fc:
         23:aa:66:41:f6:31:21:9f:3e:db:82:4e:b2:cf:d7:d0:0e:11:
         d0:66:cc:ea:c7:9c:3a:68:2b:b7:43:36:6b:a6:c1:24:5c:ec:
         a1:49:ea:49:9f:ae:f4:0f:e7:ad:a2:21:cc:1d:f8:92:15:dc:
         84:08:eb:51:ec:2d:1f:53:11:50:3a:61:00:9f:60:52:2d:f3:
         01:49:8f:5e:46:77:32:ef:28:05:80:17:f8:3c:58:3c:12:e9:
         95:29:20:d6:31:d5:29:54:f7:23:fb:e6:90:ad:60:3a:41:b4:
         7d:59:a4:d4:50:a2:ff:d4:de:c8:16:78:a3:b2:30:ab:b4:80:
         5c:30:c4:c5:2e:6c:6a:ac:22:10:f5:bf:fa:f9:7a:d4:ec:ac:
         93:9f:c1:29:e0:27:bb:f5:bf:b9:55:16:4b:64:20:0f:7a:9b:
         8d:e7:fb:08

ofek avatar Apr 22 '23 15:04 ofek

This is really weird. The error is coming from establishing the websocket connection to ws.codesign.gregoryszorc.com. That's not your developer ID signing certificate. Rather, it's an AWS issued certificate:

$ openssl s_client -connect ws.codesign.gregoryszorc.com:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = *.execute-api.us-west-2.amazonaws.com
verify return:1
write W BLOCK
---
Certificate chain
 0 s:/CN=*.execute-api.us-west-2.amazonaws.com
   i:/C=US/O=Amazon/CN=Amazon RSA 2048 M01
 1 s:/C=US/O=Amazon/CN=Amazon RSA 2048 M01
   i:/C=US/O=Amazon/CN=Amazon Root CA 1
 2 s:/C=US/O=Amazon/CN=Amazon Root CA 1
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
 3 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=*.execute-api.us-west-2.amazonaws.com
issuer=/C=US/O=Amazon/CN=Amazon RSA 2048 M01
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5525 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is AEAD-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : AEAD-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1699498737
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

I'm not sure why you are seeing this. I was able to remote sign the other day just fine. Can you try with a newer version of rcodesign perhaps?

indygreg avatar Nov 09 '23 03:11 indygreg

I don't have time to test in the next few days but can you try on Windows? I use Windows so maybe that's the issue.

ofek avatar Nov 09 '23 03:11 ofek