Is there any way to get details from signtool.exe for timestamp server errors? - windows

How can I get better timestamp server error messages when signing binaries?
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: ...
Let's start out with a short rant:
As far as error messages go, this is somewhere between but-they-tried,
stupid and plain insulting.
signtool.exe needs to talk to the timestamp server via HTTP, so WTF
are we not getting told what exactly failed? This is such a lazy error
message. "Could not be reached or returned an invalid response." - oh,
my.
Maybe I should be content that the tool at least tells me that the
error was with the timestamp server, but that does get us only so far.
/rant over
We will get temporary signing errors from http://timestamp.digicert.com from time to time. (Every odd month maybe.)
The thing is, our build scripts already try to circumnavigate this:
We sign our binaries in blocks of 100 files, that is each signtool.exe call will receive 100 files on the command line.
Before even starting to use signtool, I separately verify the HTTP connection to http://timestamp.digicert.com. (While that page will answer with a 404 for a simple GET request, that does indicate it is reachable.)
For all cases where we recorded this error, signtool will only record errors for some of the 100 passed files.
Our latest log looks something like this:
[2023-01-24 12:58:11.038] : (INFO ) Sign *all* 1337 binaries at <~redacted~>: This will be SLOW ...
...
[2023-01-24 12:58:11.334] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 12:58:11.335] : #100 ...
[2023-01-24 12:58:11.354] : Invoke-SignTool with 100 files ...
[2023-01-24 12:58:11.359] : Executing '&"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /sm /s My /n "~certname~" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "..."' ...
The following certificate was selected:
Issued to: ~certname~
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: ~...
SHA1 hash: ~...
Done Adding Additional Store
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: ...
x repeat
...
Successfully signed: .\~....dll
Successfully signed: .\~....dll
x repeat
...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
SignTornadoBinaries error: (ERROR) Exec (exit code <1>): NONZERO exit code
Waiting for 10 seconds...
Retrying...
[2023-01-24 13:00:13.022] : (INFO ) Sign *all* 1287 binaries at <~redacted~>: This will be SLOW ...
[2023-01-24 13:00:13.319] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 13:00:13.320] : #100 ...
[2023-01-24 13:00:13.338] : Invoke-SignTool with 100 files ...
[2023-01-24 13:00:13.343] : Executing '&"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /sm /s My /n "~certname~" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ...
The following certificate was selected:
Issued to: ~certname~
....
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: .\x64-vc143\....dll
...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
SignTornadoBinaries error: (ERROR) Exec (exit code <1>): NONZERO exit code
Waiting for 10 seconds...
Retrying...
[2023-01-24 13:02:16.970] : (INFO ) Sign *all* 1237 binaries at <~redacted~>: This will be SLOW ...
[2023-01-24 13:02:17.283] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 13:02:17.284] : #100 ...
[2023-01-24 13:02:17.301] : Invoke-SignTool with 100 files ...
[2023-01-24 13:02:17.306] : Executing ...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
Note that this 100-files-at-once normally works multiple times a week, sometimes multiple times a day (depending on our build schedule -- only production builds are signed.)
As we also can see here, the error was reported for exactly the first 50 files, and the second 50 files are then signed. Our retry is 3x with 10 sec wait, so after that the build just aborts: As far as I am concerned, this 50/50 split is a "clear" indication that this is not about a flaky network or some load issue on the digicert server or whatever.
Do note however, that I've also seen logs with 99/1 or maybe 80/20.
So, to get back to an actual question:
Is there any way to get more detailed errors from signtool?
Barring that, is there an alternative toolchain (some powershell commandlets maybe?) that will let me sign my binaries and give me useful error messages?
Aside: If you happen to know if a different number of files to pass to signtool at once may result in a more stable setup, please let me know.
Case in point:
In my case above, the 50/50 failure ratio came from our misbehaving firewall. It would block every odd HTTP Timestamp Protocol request with an HTTP/403.
If signtool would log the HTTP response, including the content body (because otherwise I wouldn't have known that the response came from the firewall instead of from the actual target server), then analyzing the problem would have been instantaneous!
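A HEAD request does not exercise the path that failed here. Sending real RFC 3161 timestamp queries and recording the status, content type and body of each answer shows at once whether the reply came from the timestamp authority or from something in between. The PowerShell below is an added example, not part of the original post and not a signtool feature; the function names are hypothetical, and it assumes the server accepts a SHA-256 TimeStampReq over plain HTTP POST, as the `/tr` URL in the log does.

```powershell
# Added example, not from the original post; function names are hypothetical.
Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1
function New-TimestampQuery {
    # DER TimeStampReq: version 1, SHA-256 imprint of throwaway data, certReq = TRUE
    $head = [byte[]](0x30,0x39,0x02,0x01,0x01,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,
                     0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20)
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash([guid]::NewGuid().ToByteArray())
    [byte[]]($head + $digest + [byte[]](0x01,0x01,0xff))
}

function Get-PkiStatus([byte[]]$Der) {
    # TimeStampResp ::= SEQUENCE { status PKIStatusInfo { status INTEGER, ... }, token }
    if ($Der.Length -lt 7 -or $Der[0] -ne 0x30) { return $null }
    $i = 2
    if ($Der[1] -band 0x80) { $i += ($Der[1] -band 0x7f) }   # long-form outer length
    if ($i + 4 -ge $Der.Length -or $Der[$i] -ne 0x30) { return $null }
    $i += 2                                                  # short-form inner length assumed
    if ($Der[$i] -ne 0x02 -or $Der[$i + 1] -ne 0x01) { return $null }
    [int]$Der[$i + 2]
}

function Test-TimestampServer {
    param([string]$Url = 'http://timestamp.digicert.com', [int]$Count = 10)
    $client = [System.Net.Http.HttpClient]::new()
    $client.Timeout = [TimeSpan]::FromSeconds(15)
    try {
        foreach ($n in 1..$Count) {
            $row = [ordered]@{ Request = $n; Http = $null; ContentType = $null; Verdict = $null; Body = $null }
            try {
                [byte[]]$query = New-TimestampQuery
                $content = [System.Net.Http.ByteArrayContent]::new($query)
                $content.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::new('application/timestamp-query')
                $resp = $client.PostAsync($Url, $content).GetAwaiter().GetResult()
                [byte[]]$body = $resp.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult()
                $row.Http = [int]$resp.StatusCode
                $row.ContentType = [string]$resp.Content.Headers.ContentType
                $status = Get-PkiStatus $body
                if ($resp.IsSuccessStatusCode -and $row.ContentType -like 'application/timestamp-reply*' -and $null -ne $status) {
                    $row.Verdict = if ($status -le 1) { "granted (PKIStatus $status)" } else { "refused by TSA (PKIStatus $status)" }
                } else {
                    $row.Verdict = 'not a timestamp reply'   # keep the start of the body as evidence
                    $row.Body = [Text.Encoding]::ASCII.GetString($body, 0, [Math]::Min($body.Length, 200))
                }
            } catch {
                $row.Verdict = 'no HTTP response: ' + $_.Exception.GetBaseException().Message
            }
            [pscustomobject]$row
        }
    } finally { $client.Dispose() }
}
```

Run `Test-TimestampServer -Count 10 | Format-Table -AutoSize -Wrap` from the build agent before signing; rows marked "not a timestamp reply" carry the HTTP status and the first 200 bytes of whatever answered instead.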

Related

How to load multiple html files by using wkhtmltopdf with other options in a batch file

I'm trying to combine multiple html files into one pdf file by using wkhtmltopdf (ver 0.12.6) in a batch file; besides, there are some options I need to work with.
Since the number of html files that I need may change before running my batch file, I move all of them into a folder. Therefore my goal is to load all the html files in the folder, add some options I need, and call wkhtmltopdf to generate the pdf file.
Here's what I've done:
@echo off
setlocal
set TARGET=Result
:: go to the folder with lots of html files and one css file
cd .\myfolder
:: convert to a pdf file
wkhtmltopdf ^
--enable-local-file-access ^
--user-style-sheet %TARGET%_Report.css ^
(FOR %%A IN ("*.html") DO %%A) ^
%TARGET%_Report.pdf
cd..
pause
Sadly, it does not work. I think the problem is that I cannot use a FOR loop in this way, but I'm not sure how to fix it.
Here's the error message. Please give me some advice, thank you!
Loading pages (1/6)
Error: Failed to load http:/, with network status code 3 and http status code 0 - Host not found
Error: Failed loading page http: (sometimes it will work just to ignore this error with --load-error-handling ignore)
Error: Failed to load http:/, with network status code 3 and http status code 0 - Host not found
Error: Failed loading page http: (sometimes it will work just to ignore this error with --load-error-handling ignore)
Error: Failed to load http:/, with network status code 3 and http status code 0 - Host not found
Error: Failed loading page http: (sometimes it will work just to ignore this error with --load-error-handling ignore)
Error: Failed to load http:/, with network status code 3 and http status code 0 - Host not found
Error: Failed loading page http: (sometimes it will work just to ignore this error with --load-error-handling ignore)
Error: Failed to load http://in/, with network status code 3 and http status code 0 - Host in not found
Error: Failed loading page http://in (sometimes it will work just to ignore this error with --load-error-handling ignore)
Error: Failed to load http://do/, with network status code 3 and http status code 0 - Host do not found
Error: Failed loading page http://do (sometimes it will work just to ignore this error with --load-error-handling ignore)
Exit with code 1 due to network error: HostNotFoundError
Please try my code
echo on
for /f "delims=" %%a in ('dir /b /s "D:\source folder*.html"') do "directorywkhtmltopdf\bin\wkhtmltopdf.exe" [-s A4] "%%a" "D:\OUTPUT DIRECTORY\pdf%%~na.pdf"
pause
echo off
I tried this code and it works.
But for the result in result.pdf, you must go to the last page of your PDF document to see the result.
I'm still confused about the result :D
Perhaps someone can help further.

Mainframe pkunzip generates PEX013W Record(s) being truncated to lrecl=

I'm sending binary .gz files from Linux to z/OS via ftps. The file transfers seem to be fine, but when the mainframe folks pkunzip the file, they get a warning:
PEX013W Record(s) being truncated to lrecl= 996. Record# 1 is 1000 bytes.
Currently I’m sending the site commands:
SITE TRAIL
200 SITE command was accepted
SITE CYLINDERS PRIMARY=50 SECONDARY=50
200 SITE command was accepted
SITE RECFM=VB LRECL=1000 BLKSIZE=32000
200 SITE command was accepted
SITE CONDDISP=delete
200 SITE command was accepted
TYPE I
200 Representation type is Image
...
250 Transfer completed successfully.
QUIT
221 Quit command received. Goodbye.
They could read the file after the pkunzip, but having a warning is not a good thing.
Output from pkunzip:
SDSF OUTPUT DISPLAY RMD0063A JOB22093 DSID 103 LINE 25 COLUMNS 02- 81
COMMAND INPUT ===> SCROLL ===> CSR
PCM123I Authorized services are unavailable.
PAM030I INPUT Archive opened: TEST.FTP.SOA5021.GZ
PAM560I ARCHIVE FASTSEEK processing is disabled.
PDA000I DDNAME=SYS00001,DISP_STATUS=MOD,DISP_NORMAL=CATALOG,DISP_ABNORMAL=
PDA000I SPACE_TYPE=TRK,SPACE_TYPE=CYL,SPACE_TYPE=BLK
PDA000I SPACE_PRIMARY=4194304,SPACE_DIRBLKS=5767182,INFO_ALCFMT=00
PDA000I VOLUMES=DPPT71,INFO_CNTL=,INFO_STORCLASS=,INFO_MGMTCLASS=
PDA000I INFO_DATACLASS=,INFO_VSAMRECORG=00,INFO_VSAMKEYOFF=0
PDA000I INFO_COPYDD=,INFO_COPYMDL=,INFO_AVGRECU=00,INFO_DSTYPE=00
PEX013W Record(s) being truncated to lrecl= 996. Record# 1 is 1000 bytes.
PEX002I TEST.FTP.SOA5021
PEX003I Extracted to TEST.FTP.SOA5021I.TXT
PAM140I FILES: EXTRACTED EXCLUDED BYPASSED IN ERROR
PAM140I 1 0 0 0
PMT002I PKUNZIP processing complete. RC=00000004 4(Dec) Start: 12:59:48.86 End
Is there a better set of site commands to transfer a .gz file from Linux to z/OS to avoid this error?
**** Update ****
Using SaggingRufus's answer below, it turns out it doesn't much matter how you send the .gz file, as long as it's binary. His suggestion pointed us to the parameters sent to the pkunzip for the output file, which was VB and was truncating 4 bytes off the record.
Because it is a variable block file, there are 4 bytes allocated to the record attributes. Allocate the file with an LRECL of 1004 and it will be fine.
Rather than generating a .zip file, perhaps generate a .tar.gz file and transfer it to z/OS UNIX? Tar is shipped with z/OS by default, and Rocket Software provides a port of gzip that is optimized for z/OS.

SignTool Error: An unexpected internal error has occurred. (0x80080209)

I'm trying to sign an appx file, but get this error:
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
I found that the error means: The SIP_SUBJECTINFO structure used to sign the package didn't contain the required data
Any idea how to fix it?
The certificate is made using commands:
MakeCert /n "CN=..." /r /h 0 /eku 1.3.6.1.5.5.7.3.3 /pe /sv MyKey.pvk MyKey.cer
Pvk2Pfx /pvk MyKey.pvk /pi 123456 /spc MyKey.cer /pfx MyKey.pfx /po 123456
And used as:
signtool.exe sign -f MyKey.pfx -p "123456" -fd SHA256 -v my.appx
But result is as already mentioned:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sun Jan 01 01:59:59 2040
SHA1 hash: 7D760C6DF55749803CF0E0DF0F9615F607822B12
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
As a note, I should add that the application is signed as an output from DesktopAppConverter.exe, but I need to repack it, and the signing is not working even when I use the auto-generated pfx file used by the converter.
OK... so I found that I was probably using the wrong signtool.exe. I found the location of the tool which is used with the DesktopAppConverter in its log. In my case it is:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\signtool.exe"
With this file the signing is successful.

Pentaho "Get file from FTP" times out

Pentaho's "Get file from FTP" step fails randomly. Sometimes it properly downloads the file, sometimes it doesn't, returning the error:
Error getting files from FTP : Read timed out
The timeout is set to 100 seconds and the read actually fails after less than one second.
Contrary to what the Get a file from FTP documentation says about the timeout, it is not in seconds, but in milliseconds.
Change it to any reasonable value like 60000 (1 minute in ms) and your import will work.

BizTalk 2009 FTP cannot retrieve files with spaces in the filename?

I was having a little trouble with reading files using the FTP adapter. Several warnings and errors were found in the application log, and it basically boiled down to this message:
A stream read or write operation failed because the stream is in an error state.
Upon inspecting the log, I was surprised to find:
< 125 List started.
< BEBI 827693 24/09/14 15:53:51 *STMF mes9_ corrigido2.csv
< 250 List completed.
> TYPE I
< 200 Representation type is binary IMAGE.
> PORT 192,168,205,82,213,48
< 200 PORT subcommand request successful.
> RETR corrigido2.csv
So, there is just a single file with the name mes9_ corrigido2.csv (notice the space) and BizTalk tries to retrieve a file corrigido2.csv. Is this normal behaviour?
