SignTool Error: An unexpected internal error has occurred. (0x80080209) - signtool

I'm trying to sign an appx file, but get this error:
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
I found that the error means: The SIP_SUBJECTINFO structure used to sign the package didn't contain the required data
Any idea how to fix it?
The certificate is made using these commands:
MakeCert /n "CN=..." /r /h 0 /eku 1.3.6.1.5.5.7.3.3 /pe /sv MyKey.pvk MyKey.cer
Pvk2Pfx /pvk MyKey.pvk /pi 123456 /spc MyKey.cer /pfx MyKey.pfx /po 123456
And used as:
signtool.exe sign -f MyKey.pfx -p "123456" -fd SHA256 -v my.appx
But the result is as already mentioned:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sun Jan 01 01:59:59 2040
SHA1 hash: 7D760C6DF55749803CF0E0DF0F9615F607822B12
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
As a note I should add that the application is signed as output from DesktopAppConverter.exe, but I need to repack it, and the signing is not working even when I use the auto-generated pfx file used by the converter.

Ok... so I found that I was probably using the wrong signtool.exe. I found the location of the tool which is used by the DesktopAppConverter in its log. In my case it is:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\signtool.exe"
With this file the signing is successful.
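The answer above comes down to "which signtool.exe did you actually run". As an added example (not part of the original question or answer), the PowerShell below resolves signtool.exe from a specific Windows 10 SDK version under Windows Kits, or from the newest installed SDK when no version is given, so a build script does not silently pick up whatever signtool.exe happens to be first on PATH. The SDK version, PFX name and password are the ones from the question; the function name is my own.

```powershell
# Added example: pick the signtool.exe from a specific Windows 10 SDK install
# (or the newest one) instead of relying on whatever is first on PATH.
function Find-SignTool {
    param(
        [string]$Version,          # e.g. '10.0.16299.0'; omit to take the newest SDK
        [string]$Arch = 'x64'      # bin\<version>\<arch>\signtool.exe
    )
    $root = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    $sdks = Get-ChildItem -Path $root -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d+(\.\d+){3}$' }           # only versioned SDK dirs
    if ($Version) { $sdks = $sdks | Where-Object { $_.Name -eq $Version } }
    $path = $sdks |
        Sort-Object -Property { [version]$_.Name } -Descending |       # numeric, not lexical, order
        ForEach-Object { Join-Path $_.FullName "$Arch\signtool.exe" } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $path) { throw "no signtool.exe for version '$Version' ($Arch) under $root" }
    return $path
}

# Pin the SDK the DesktopAppConverter log named; drop -Version to use the newest one.
$signtool = Find-SignTool -Version '10.0.16299.0'
Write-Host "Using $signtool"
& $signtool sign /fd SHA256 /f MyKey.pfx /p '123456' /v my.appx
if ($LASTEXITCODE -ne 0) { throw "signtool exited with $LASTEXITCODE" }
```

Logging the resolved path next to the signing command is the cheap part of this; it is what lets you compare the build log with the converter's log the way the answer did.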

Is there any way to get details from signtool.exe for timestamp server errors?

How can I get better timestamp server error messages when signing binaries?
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: ...
Let's start out with a short rant:
As far as error messages go, this is somewhere between but-they-tried,
stupid and plain insulting.
signtool.exe needs to talk to the timestamp server via HTTP, so WTF
are we not getting told what exactly failed? This is such a lazy error
message. "Could not be reached or returned an invalid response." - oh,
my.
Maybe I should be content that the tool at least tells me that the
error was with the timestamp server, but that does get us only so far.
/rant over
We will get temporary signing errors from http://timestamp.digicert.com from time to time. (Every odd month maybe.)
The thing is, our build scripts already try to circumnavigate this:
We sign our binaries in blocks of 100 files, that is each signtool.exe call will receive 100 files on the command line.
Before even starting to use signtool, I separately verify the HTTP connection to http://timestamp.digicert.com. (While that page will answer with a 404 for a simple GET request, that does indicate it is reachable.)
For all cases where we recorded this error, signtool will only record errors for some of the 100 passed files.
Our latest log looks something like this:
[2023-01-24 12:58:11.038] : (INFO ) Sign *all* 1337 binaries at <~redacted~>: This will be SLOW ...
...
[2023-01-24 12:58:11.334] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 12:58:11.335] : #100 ...
[2023-01-24 12:58:11.354] : Invoke-SignTool with 100 files ...
[2023-01-24 12:58:11.359] : Executing '&"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /sm /s My /n "~certname~" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 "..."' ...
The following certificate was selected:
Issued to: ~certname~
Issued by: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Expires: ~...
SHA1 hash: ~...
Done Adding Additional Store
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: ...
x repeat
...
Successfully signed: .\~....dll
Successfully signed: .\~....dll
x repeat
...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
SignTornadoBinaries error: (ERROR) Exec (exit code <1>): NONZERO exit code
Waiting for 10 seconds...
Retrying...
[2023-01-24 13:00:13.022] : (INFO ) Sign *all* 1287 binaries at <~redacted~>: This will be SLOW ...
[2023-01-24 13:00:13.319] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 13:00:13.320] : #100 ...
[2023-01-24 13:00:13.338] : Invoke-SignTool with 100 files ...
[2023-01-24 13:00:13.343] : Executing '&"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /sm /s My /n "~certname~" /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 ...
The following certificate was selected:
Issued to: ~certname~
....
SignTool Error: The specified timestamp server either could not be reached or
returned an invalid response.
SignTool Error: An error occurred while attempting to sign: .\x64-vc143\....dll
...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
SignTornadoBinaries error: (ERROR) Exec (exit code <1>): NONZERO exit code
Waiting for 10 seconds...
Retrying...
[2023-01-24 13:02:16.970] : (INFO ) Sign *all* 1237 binaries at <~redacted~>: This will be SLOW ...
[2023-01-24 13:02:17.283] : OK: HEAD request to 'http://timestamp.digicert.com' returned http status code NotFound/404 (any HTTP status code is fine).
[2023-01-24 13:02:17.284] : #100 ...
[2023-01-24 13:02:17.301] : Invoke-SignTool with 100 files ...
[2023-01-24 13:02:17.306] : Executing ...
Number of files successfully Signed: 50
Number of warnings: 0
Number of errors: 50
Note that this 100-files-at-once normally works multiple times a week, sometimes multiple times a day (depending on our build schedule -- only production builds are signed.)
As we can also see here, the error was reported for exactly the first 50 files, and the second 50 files were then signed. Our retry is 3x with a 10 sec wait, so after that the build just aborts. As far as I am concerned, this 50/50 split is a "clear" indication that this is not about a flaky network or some load issue on the digicert server or whatever.
Do note however, that I've also seen logs with 99/1 or maybe 80/20.
So, to get back to an actual question:
Is there any way to get more detailed errors from signtool?
Barring that, is there an alternative toolchain (some powershell commandlets maybe?) that will let me sign my binaries and give me useful error messages?
Aside: If you happen to know if a different number of files to pass to signtool at once may result in a more stable setup, please let me know.
Case in point:
In my case above, the 50/50 failure ratio came from our misbehaving firewall. It would block every odd HTTP Timestamp Protocol request with an HTTP 403.
If signtool logged the HTTP response, including the content body, analyzing the problem would have been instantaneous, because otherwise I wouldn't have known that the response came from the firewall instead of from the actual target server!
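The check the answer wishes signtool did, as an added example that is not part of the original question or answer: send the timestamp server a real RFC 3161 request (an HTTP POST of a DER-encoded TimeStampReq with Content-Type application/timestamp-query, which is what signtool /tr does) instead of a HEAD, then log the HTTP status, Content-Type, Server header and body of every reply. A proxy or firewall that answers every other request with its own 403 page shows up immediately, whereas the HEAD probe in the build log above only proves that some HTTP endpoint answered. The URL is the one from the post; the function names and the probe string being hashed are my own. Written for Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the original post): probe a TSA the way signtool /tr does,
# with a real RFC 3161 POST, and log status code, Content-Type and body on failure.
Add-Type -AssemblyName System.Net.Http    # needed on Windows PowerShell 5.1, harmless on 7+

function New-TimeStampRequest {
    param([Parameter(Mandatory)][byte[]]$Digest)   # SHA-256 digest of the data to be timestamped
    if ($Digest.Length -ne 32) { throw 'expected a 32-byte SHA-256 digest' }
    # DER TimeStampReq ::= SEQUENCE { version INTEGER 1, messageImprint, certReq BOOLEAN TRUE }
    $algId   = [byte[]](0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00) # sha256 + NULL
    $hashed  = [byte[]]([byte[]](0x04,0x20) + $Digest)                                   # OCTET STRING
    $imprint = [byte[]]([byte[]](0x30, ($algId.Length + $hashed.Length)) + $algId + $hashed)
    $body    = [byte[]]([byte[]](0x02,0x01,0x01) + $imprint + [byte[]](0x01,0x01,0xFF))
    return [byte[]]([byte[]](0x30, $body.Length) + $body)                                 # all lengths < 128
}

function Read-DerLength {
    param([byte[]]$Bytes, [int]$Pos)               # $Pos points at the first length byte
    $b = $Bytes[$Pos]
    if ($b -lt 0x80) { return @{ Length = [int]$b; Next = $Pos + 1 } }
    $n = $b -band 0x7F; $len = 0
    for ($i = 1; $i -le $n; $i++) { $len = ($len * 256) + $Bytes[$Pos + $i] }
    return @{ Length = $len; Next = $Pos + 1 + $n }
}

function Get-TimeStampStatus {
    # TimeStampResp ::= SEQUENCE { status PKIStatusInfo ::= SEQUENCE { status PKIStatus INTEGER, ... }, ... }
    param([byte[]]$Resp)
    if ($Resp.Length -lt 7 -or $Resp[0] -ne 0x30) { return 'not a DER SEQUENCE (HTML error page?)' }
    $p = (Read-DerLength $Resp 1).Next
    if ($Resp[$p] -ne 0x30) { return 'malformed PKIStatusInfo' }
    $p = (Read-DerLength $Resp ($p + 1)).Next
    if ($Resp[$p] -ne 0x02) { return 'malformed PKIStatus' }
    $len = Read-DerLength $Resp ($p + 1)
    $status = 0
    for ($i = 0; $i -lt $len.Length; $i++) { $status = $status * 256 + $Resp[$len.Next + $i] }
    $names = @{0='granted';1='grantedWithMods';2='rejection';3='waiting';4='revocationWarning';5='revocationNotification'}
    if ($names.ContainsKey($status)) { return $names[$status] } else { return "unknown status $status" }
}

function Test-TimestampServer {
    param([string]$Url = 'http://timestamp.digicert.com', [int]$Attempts = 10)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes("probe $(Get-Date -Format o)"))
    $tsq    = New-TimeStampRequest -Digest $digest
    $client = New-Object System.Net.Http.HttpClient
    $client.Timeout = [TimeSpan]::FromSeconds(20)
    for ($i = 1; $i -le $Attempts; $i++) {
        $content = New-Object System.Net.Http.ByteArrayContent -ArgumentList @(,$tsq)
        $content.Headers.ContentType = New-Object System.Net.Http.Headers.MediaTypeHeaderValue('application/timestamp-query')
        try {
            $resp  = $client.PostAsync($Url, $content).GetAwaiter().GetResult()   # no throw on 4xx/5xx
            $code  = [int]$resp.StatusCode
            $ctype = "$($resp.Content.Headers.ContentType)"
            $bytes = $resp.Content.ReadAsByteArrayAsync().GetAwaiter().GetResult()
            if ($code -eq 200 -and $ctype -like 'application/timestamp-reply*') {
                "#$i OK  HTTP $code  $ctype  PKIStatus=$(Get-TimeStampStatus $bytes)"
            } else {
                # The line signtool never shows you: who answered, and with what.
                $text   = [System.Text.Encoding]::UTF8.GetString($bytes)
                $server = "$($resp.Headers.Server)"
                "#$i BAD HTTP $code  $ctype  Server='$server'  body: $($text.Substring(0, [Math]::Min(300, $text.Length)))"
            }
        } catch {
            "#$i ERR $($_.Exception.GetBaseException().Message)"    # DNS/TCP/timeout-level failure
        }
    }
}

Test-TimestampServer -Attempts 10
```

Run it from the build agent, through the same proxy settings the build uses, and a few times in a row: an every-other-request pattern like the 50/50 split above only becomes visible when consecutive attempts are logged side by side. The request carries a fresh digest each time so a caching proxy cannot mask the problem.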

OpenSSL on Windows is not loading from CA Store

I have a leaf cert, intermediate cert, and a root cert.
client.crt contains all three, by way of cat leaf.crt intermediate.crt root.crt > client.crt
$ # Fails
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ # Passes, as expected, since it has the whole chain
$ openssl.exe verify -CAfile client.crt client.crt
client.crt: OK
$ # Add intermediate and root to stores
$ certutil.exe -addstore -f "ROOT" .\root.crt
CertUtil: -addstore command completed successfully.
$ certutil.exe -addstore -f "CA" .\intermediate.crt
CertUtil: -addstore command completed successfully.
$ # Both client.crt and leaf.crt fail to verify
$ openssl.exe verify client.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.crt: verification failed
$ openssl.exe verify leaf.crt
C = US, ...
error 20 at 0 depth lookup: unable to get local issuer certificate
error leaf.crt: verification failed
It appears as if openssl.exe is not picking up the certs I install. I've also gone through and installed these through the Windows certificate manager to no avail.
How do I get openssl to pick up this CA chain?
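OpenSSL does not consult the Windows certificate stores: openssl verify builds its trust set from what is passed with -CAfile/-CApath, or from the default file and directory compiled into OPENSSLDIR, which the SSL_CERT_FILE and SSL_CERT_DIR environment variables override. certutil -addstore therefore changes nothing that openssl.exe sees. As an added example (not from the original question), the PowerShell below exports the LocalMachine ROOT and CA stores that the question populated into a PEM bundle and points OpenSSL at it. File names follow the question; the function names and the bundle path are my own.

```powershell
# Added example: hand the Windows ROOT and CA stores to OpenSSL as a PEM bundle.
function ConvertTo-Pem {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    process {
        $b64 = [Convert]::ToBase64String($Cert.RawData)
        "-----BEGIN CERTIFICATE-----"
        for ($i = 0; $i -lt $b64.Length; $i += 64) {              # PEM wraps base64 at 64 columns
            $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
        }
        "-----END CERTIFICATE-----"
    }
}

function Export-WindowsCaBundle {
    param([string]$Path = "$env:TEMP\windows-ca-bundle.pem")
    # ROOT = trust anchors, CA = intermediates; LocalMachine is where certutil -addstore put them.
    $certs = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Sort-Object Thumbprint -Unique
    $certs | ConvertTo-Pem | Set-Content -Path $Path -Encoding Ascii
    Write-Host "wrote $($certs.Count) certificates to $Path"
    return $Path
}

$bundle = Export-WindowsCaBundle
# Either pass the bundle explicitly ...
openssl.exe verify -CAfile $bundle leaf.crt
# ... or make it the default for this session, which also covers s_client, smime, etc.
$env:SSL_CERT_FILE = $bundle
openssl.exe verify leaf.crt
```

Because the bundle contains the intermediate as a trusted certificate, verification of leaf.crt succeeds even though leaf.crt alone carries no chain; if you would rather keep only roots trusted, export Cert:\LocalMachine\Root alone and pass the intermediate with -untrusted intermediate.crt. Regenerate the bundle whenever the stores change; nothing keeps the two in sync.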

sign a .dll file using signtool, failed with Error: A certificate chain processed

I signed a .dll file with the help of these docs: makecert, pvk2pfx, signtool.
The steps are as follows:
C:\Windows\System32>Makecert -pe -eku 1.3.6.1.5.5.7.3.3 -sv test.pvk -r -n "CN=forTest" test.cer
Succeeded
C:\Windows\System32>Cert2spc test.cer test.spc
Succeeded
C:\Windows\System32>pvk2pfx -pvk test.pvk -pi qweasdzxc -spc test.spc -pfx test.pfx -f
C:\Windows\System32>signtool sign /fd sha1 /f test.pfx /p qweasdzxc D:\testDotDLL.dll
Done Adding Additional Store
Successfully signed: D:\testDotDLL.dll
Each step returns success, but when I verify, I get the error below. Note that, as shown in the figure below, I have added this cert to the Trusted Certification Authorities store.
C:\Windows\System32>signtool verify D:\testDotDLL.dll
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1
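Two things are worth checking on a question like this before touching the certificate again. First, signtool verify without /pa applies the Windows Driver Verification Policy, which a self-signed test certificate can never satisfy; the command to compare against is signtool verify /pa /v D:\testDotDLL.dll. Second, certutil -addstore without -user writes to the LocalMachine store, while the certificate manager (certmgr.msc) opened as a normal user writes to CurrentUser, so "I added it to Trusted Root" does not say which root store got it. As an added example (not part of the question), the PowerShell below reports what the default Authenticode policy thinks of the file, where the signer's chain terminates, the chain-status flags, and which Root store actually holds that root. The function name is mine; the path is the one from the question.

```powershell
# Added example: show where the signer's chain terminates and which Root store holds it.
function Test-AuthenticodeChain {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $out = [ordered]@{
        Status        = $sig.Status                 # Valid / NotSigned / UnknownError ...
        StatusMessage = $sig.StatusMessage
        Signer        = $signer
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # look at trust only, not CRL reachability
        $oid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'   # Code Signing EKU
        $chain.ChainPolicy.ApplicationPolicy.Add($oid) | Out-Null
        $out.ChainBuilds = $chain.Build($sig.SignerCertificate)
        $out.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $out.Root = $root.Subject
        foreach ($loc in 'LocalMachine', 'CurrentUser') {
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $loc)
            $store.Open('ReadOnly')
            $found = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false)
            $out["RootIn$loc"] = ($found.Count -gt 0)
            $store.Close()
        }
    }
    [pscustomobject]$out
}

Test-AuthenticodeChain -Path 'D:\testDotDLL.dll' | Format-List
```

A self-signed certificate is its own root, so for the test.cer in the question Root equals Signer; if RootInLocalMachine and RootInCurrentUser are both false, the certificate landed in some other store than Trusted Root Certification Authorities, and if ChainStatus lists UntrustedRoot while the Root store does hold it, the process is looking at a different store location than the one that was populated.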

Codesign an executable and allow the modification of some bytes

I use signtool.exe to codesign a Windows executable.
Which options of this tool can be used to define that a few bytes should be omitted from the hash calculation, and thus allowing that a digitally signed executable can have 8 or 16 bytes modified later?
This technique has been used by Mozilla (their .exe installer is different for each download, but has the same digital signature), see How can a .exe be modified and still keep a valid digital signature?.
The WinAPI function ImageGetDigestStream has an option DigestLevel to exclude resource information from the hash computation, but how can this option be used with signtool.exe or a similar tool?
This is explained by Didier Stevens in an article, It's in the signature, and he also provides a tool, "disitool", to manipulate the signature.
Here are the steps to sign a file using Authenticode, and to append some data to it without breaking the signature:
A) Create a code signing certificate (you'll be required to enter passwords):
MakeCert /n "CN=MyOrg" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /sv MyOrg.pvk MyOrg.cer
note: 1.3.6.1.5.5.7.3.3 is szOID_PKIX_KP_CODE_SIGNING and 1.3.6.1.4.1.311.10.3.13 is szOID_KP_LIFETIME_SIGNING. This will create a private key file and a certificate file.
B) Add certificate to store (needs admin rights, could be a different store):
Certutil -addStore TrustedPeople MyOrg.cer
C) Create a Pfx file to sign:
Pvk2Pfx /pvk MyOrg.pvk /pi [Password goes here] /spc MyOrg.cer /pfx MyOrg.pfx
D) Sign your file:
SignTool.exe sign /fd SHA256 /v /a /f MyOrg.pfx /p [Password goes here] MyFile.exe
At this point MyFile.exe is signed using Authenticode:
E) Create some data.txt file. I've created one that just contains the "[Kilroy was here!]" text.
F) Now run disitool:
python.exe disitool.py inject --paddata MyFile.exe data.txt MyFile2.exe
And here is the result; MyFile2.exe is still valid without re-signing the file:
While you can see data.txt's content added to its end:
From the original file's end:
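Added example (mine, not Didier Stevens' tool nor the answer's own code) that makes visible what the screenshots above show: it reads the PE header of a signed file, locates the Certificate Table (IMAGE_DIRECTORY_ENTRY_SECURITY, whose VirtualAddress field is a raw file offset rather than an RVA), and compares the WIN_CERTIFICATE length with the length of the PKCS#7 blob inside it. Any bytes inside the table but after the DER-encoded SignedData are slack that Authenticode does not hash, which is where injected data can live; bytes outside the table, including anything appended after its end, are covered by the hash and invalidate the signature. The caveat a practitioner should know: the stricter WinVerifyTrust padding check that Microsoft shipped as an opt-in for CVE-2013-3900 (the EnableCertPaddingCheck registry value) rejects exactly this kind of extra data, so test on a machine with it enabled before relying on the technique. File names are the ones from the answer; the function name is mine.

```powershell
# Added example: where is the Certificate Table, and how much slack does it carry?
function Get-PeCertificateTable {
    param([Parameter(Mandatory)][string]$Path)
    $Path = Convert-Path $Path                       # .NET does not share PowerShell's current dir
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "${Path}: no MZ header" }
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew
    if ([System.BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "${Path}: no PE signature" }
    $opt   = $pe + 24                                                     # 4-byte 'PE\0\0' + 20-byte COFF header
    $magic = [System.BitConverter]::ToUInt16($b, $opt)
    $dirs  = switch ($magic) {
        0x10B   { $opt + 96 }                                             # PE32: data directories at +96
        0x20B   { $opt + 112 }                                            # PE32+: at +112
        default { throw ("unknown optional header magic 0x{0:X}" -f $magic) }
    }
    $entry    = $dirs + 4 * 8                                             # IMAGE_DIRECTORY_ENTRY_SECURITY = 4
    $certOff  = [long][System.BitConverter]::ToUInt32($b, $entry)         # raw file offset
    $certSize = [long][System.BitConverter]::ToUInt32($b, $entry + 4)
    if ($certOff -eq 0 -or $certSize -eq 0) { return [pscustomobject]@{ Path = $Path; Signed = $false } }

    $dwLength = [long][System.BitConverter]::ToUInt32($b, $certOff)       # WIN_CERTIFICATE.dwLength
    $certType = [System.BitConverter]::ToUInt16($b, $certOff + 6)         # 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
    # Length of the DER SEQUENCE (PKCS#7 SignedData) that starts at bCertificate (offset +8).
    $p = $certOff + 8
    $hdr = 2; $derLen = [long]$b[$p + 1]
    if ($derLen -ge 0x80) {                                               # long-form length
        $n = $derLen -band 0x7F; $derLen = 0
        for ($i = 1; $i -le $n; $i++) { $derLen = $derLen * 256 + $b[$p + 1 + $i] }
        $hdr = 2 + $n
    }
    $pkcs7End = $p + $hdr + $derLen
    $slackLen = ($certOff + $dwLength) - $pkcs7End                        # inside WIN_CERTIFICATE, after the DER
    $preview  = if ($slackLen -gt 0) {
        [System.Text.Encoding]::ASCII.GetString($b, $pkcs7End, [Math]::Min(64, $slackLen))
    } else { '' }
    [pscustomobject]@{
        Path                 = $Path
        Signed               = $true
        FileLength           = $b.Length
        CertTableOffset      = $certOff
        CertTableSize        = $certSize
        WinCertLength        = $dwLength
        WinCertType          = $certType
        Pkcs7Length          = $hdr + $derLen
        SlackInsideCertTable = $slackLen                                  # room for injected data
        BytesAfterCertTable  = $b.Length - ($certOff + $certSize)         # must be 0, or the hash breaks
        SlackPreview         = ($preview -replace '[^\x20-\x7E]', '.')
        AuthenticodeStatus   = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
}

Get-PeCertificateTable -Path .\MyFile.exe  | Format-List
Get-PeCertificateTable -Path .\MyFile2.exe | Format-List
```

Run it on MyFile.exe and MyFile2.exe from the answer: the second should report a larger SlackInsideCertTable (with "[Kilroy was here!]" visible in SlackPreview), BytesAfterCertTable of 0 for both, and AuthenticodeStatus still Valid. A detection-side reader can use the same numbers the other way round: a signed binary whose slack is large, or contains printable text, deserves a closer look.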

How to sign exe file using signtool from windows

When I try to sign my exe file using signtool on Windows, I use this command on the command line:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86>SignTool sign /debug /fd SHA1 /a /f certificate.crt xone.exe
But I got this:
The following certificates were considered:
Issued to: ***********
Issued by: ZeroSSL RSA Domain Secure Site CA
Expires: Sat May 28 01:59:59 2022
SHA1 hash: 71A05C21AC6C48EB5C253811D9E66D7E3D2443B2
After EKU filter, 0 certs were left.
After expiry filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I don't understand where the problem is.
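The /debug output in the question already names the three filters signtool applied and where the certificate dropped out: the certificate must carry the Code Signing EKU (1.3.6.1.5.5.7.3.3), must be within its validity period, and a private key must be available. A TLS server certificate such as the ZeroSSL one shown carries the Server Authentication EKU rather than Code Signing, and a .crt file holds no private key at all, so it fails the first and the third filter no matter what else is passed; what signtool needs is a code-signing certificate, supplied either as a PFX with its password (/f cert.pfx /p ...) or from a store entry that has the key. As an added example (not from the question), the PowerShell below runs those same three checks on a certificate file, PFX or store entry so the reason for a rejection is visible before signtool is called. The function name and the codesign.pfx file name are mine; certificate.crt is the file from the question.

```powershell
# Added example: apply signtool's EKU / expiry / private-key filters yourself,
# so the reason a certificate is rejected is visible before signing is attempted.
function Test-CodeSigningCertificate {
    [CmdletBinding(DefaultParameterSetName = 'File')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'File')][string]$Path,        # .cer/.crt/.pfx
        [Parameter(ParameterSetName = 'File')][string]$Password,               # PFX password, if any
        [Parameter(Mandatory, ParameterSetName = 'Store')][string]$Thumbprint  # entry in a My store
    )
    $cert = if ($PSCmdlet.ParameterSetName -eq 'Store') {
        Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
            Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    } elseif ($Password) {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Convert-Path $Path), $Password
    } else {
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Convert-Path $Path)
    }
    if (-not $cert) { throw 'certificate not found' }

    $codeSigning = '1.3.6.1.5.5.7.3.3'
    $ekus = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        EKUs          = @($ekus) -join ', '
        PassesEku     = [bool](@($ekus) -contains $codeSigning)                    # "After EKU filter"
        PassesExpiry  = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)  # "After expiry filter"
        HasPrivateKey = $cert.HasPrivateKey                                        # "After Private Key filter"
    }
}

# The file from the question: a .crt carries no key, and a TLS certificate has no Code Signing EKU.
Test-CodeSigningCertificate -Path .\certificate.crt | Format-List
# A code-signing PFX should pass all three checks:
Test-CodeSigningCertificate -Path .\codesign.pfx -Password 'pfx-password' | Format-List
```

The check is deliberately strict about the EKU: a certificate with no EKU extension at all is reported as failing, which is the conservative reading for a signing key. If PassesEku is true but HasPrivateKey is false for a store entry, the certificate was imported without its key (a .cer/.crt instead of the .pfx), which is the same symptom the question's third filter line shows.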
