Squirrel.Windows and Octopus Deploy: Error while signing application - code-signing

I am trying to sign my application using the -n option on Squirrel.exe from an Octopus deploy.ps1 script, and I keep getting the following error:
System.AggregateException: One or more errors occurred. ---> System.Exception: Failed to sign, command invoked was: 'C:\OctopusTentacle\Applications\Test\Tridoo.Client\1.5.0-automate-deploym0024\tools\Squirrel\signtool.exe sign /a /f PersonalCodeSigningCertificate.pfx /p ******** /fd sha256 /tr http://timestamp.digicert.com /td sha256
If I run the exact same call myself, the signing works with no problem :-/
Any idea what that could be?

I found the problem to be that the Octopus Tentacle was running under SYSTEM, which would not let me use signtool.exe.
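As an added example (not code from the original question or answer, and not part of Octopus or Squirrel), a PowerShell preflight for a deployment step that calls signtool and may run under a service account: it prints which account and session are doing the signing, resolves the relative .pfx path explicitly, proves the PFX can be opened by that account, and only then calls signtool and verifies the result. The tool path, the PFX file name and the password environment variable are assumptions.

```powershell
# Added example, not code from the original question or from Octopus/Squirrel.
# Preflight for running signtool from a deployment step that may execute under
# a service account (e.g. SYSTEM). Paths, PFX name and password variable are assumptions.
param(
    [Parameter(Mandatory)] [string] $FileToSign,
    [string] $PfxPath      = "PersonalCodeSigningCertificate.pfx",          # assumed: relative path, as in the question
    [string] $PfxPassword  = $env:SIGN_PFX_PASSWORD,                        # assumed: injected as a sensitive variable
    [string] $SignTool     = "$PSScriptRoot\tools\Squirrel\signtool.exe",   # assumed location
    [string] $TimestampUrl = "http://timestamp.digicert.com"
)
$ErrorActionPreference = 'Stop'

# 1. Who is running this step? A Tentacle service shows up as NT AUTHORITY\SYSTEM
#    (or its service account), in session 0, with no interactive desktop.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Signing as {0}; interactive={1}; session={2}; cwd={3}" -f $identity.Name, [Environment]::UserInteractive, (Get-Process -Id $PID).SessionId, (Get-Location).Path)

# 2. A relative .pfx path resolves against the process's current directory, not the
#    script's. Resolve it explicitly so "file not found" cannot hide behind "Failed to sign".
$pfxFull = if ([System.IO.Path]::IsPathRooted($PfxPath)) { $PfxPath } else { Join-Path $PSScriptRoot $PfxPath }
if (-not (Test-Path -LiteralPath $pfxFull)) { throw "PFX not found: '$pfxFull'" }
if (-not (Test-Path -LiteralPath $SignTool)) { throw "signtool.exe not found: '$SignTool'" }

# 3. Prove this account can open the PFX (password, ACLs, key import) before signtool does.
#    EphemeralKeySet (.NET 4.7.2+) keeps the private key out of the account's key container on disk.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList `
    $pfxFull, $PfxPassword, ([System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)
Write-Host "PFX opened: $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"

# 4. Call signtool with an argument array (no quoting surprises) and check the exit code explicitly.
$signArgs = @('sign', '/f', $pfxFull, '/p', $PfxPassword, '/fd', 'sha256',
              '/tr', $TimestampUrl, '/td', 'sha256', '/v', $FileToSign)
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 5. Verify against the default Authenticode policy, the same check Windows applies at run time.
& $SignTool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }
```

Run it as the deploy step itself so the output reflects the account the Tentacle actually uses; the identity line alone tells you whether you are testing the same context that failed.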

Related

Signed exe displays unknown publisher on Win7 only

I have a .NET application I am trying to sign with a Comodo cert. I am using the following to sign my program.
"C:\Program Files (x86)\kSign\signtool.exe" sign /f "E:\repos\NGS Code Signing Cert 2015.pfx" /p XXXXXX /fd sha1 /t http://timestamp.comodoca.com /d "test program" /du "http://www.mywebsitesoftware.com" "E:\repos\i2x.net\MSI Setups\i2xInstaller\bin\Release\test.exe"
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /f "E:\repos\NGS Code Signing Cert 2015.pfx" /p XXXXXX /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 /d "test program" /du "http://www.mywebsitesoftware.com" "E:\repos\i2x.net\MSI Setups\i2xInstaller\bin\Release\test.exe"
This works fine and dual signs the EXE. This can be verified by checking the program's properties, where you can see the digital signatures. The problem is that Windows 7 x64 shows the digital signatures, but when running as admin it shows 'Unknown publisher' (I have tested this on 3 different machines that are fully up to date).
It DOES work fine in Windows Server 2008, 2012 and 2016 and in Windows 8.1 and 10.
Has anyone else seen this before?
Thanks
The problem was incomplete Windows updates on both of my test VMs and on my boss's test machine. Once the machines were FULLY updated (and that took 6 or 7 rounds of forcing Windows to update; it did not matter whether Microsoft KB3033929, which included the SHA256 support, was installed), things started working.

Phonegap CertUtil: -importPFX command FAILED

I keep getting
COMPILE OUTPUT
CertUtil: -importPFX command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.
My "Personal"
CertUtil: -delstore command completed successfully.
when I try to build my app for Windows on PhoneGap Build.
Any ideas what I'm doing wrong?

"Error: SignerSign() failed." (-2147023673/0x800704c7)

While using signtool for code signing on our build server, Jenkins shows the following error message:
Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147023673/0x800704c7)
SignTool Error: An unexpected internal error has occurred.
We use an EV code signing certificate on a USB token. All tools are the latest ones currently available.
Any ideas?
It is not a problem at all to use the same build task and run it manually on the same machine that Jenkins is running on (as the user mentioned below), in the same environment / directory.
The Jenkins service runs on a Windows 10 Pro VM as a normal user with admin rights (not as Local System).
For more details see this excerpt from the Jenkins log:
Signing FlinkySchule.FormularEditor.exe:
Connecting to / disconnecting from token
***** code signing *****
Current path of signtool:
c:\JW\FS\Production\Deployment\Tools\signtool\kits
File to sign:
c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\bin\Release\\FlinkySchule.FormularEditor.exe
The following certificate was selected:
Issued to: Dirk W.
Issued by: GlobalSign CodeSigning CA - SHA256 - G3
Expires: Fri Apr 03 15:58:51 2020
SHA1 hash: 4187Cxyxyxyxyxyxyxyxyxyxyx7978C4
Done Adding Additional Store
EXEC : error information: "Error: SignerSign() failed." (2147023673/0x800704c7) [c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\FlinkySchule.FormularEditor.csproj]
EXEC : SignTool error : An unexpected internal error has occurred. [c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\FlinkySchule.FormularEditor.csproj]
One issue was the overall path length:
Even in the year 2017 you will run into the 260-character path length restriction. Annoying! But we solved this and the error still occurs sometimes.
EV code signing with Jenkins using an eToken
Found a solution using jsign:
java -jar jsign-2.0.jar --keystore .\eToken.cfg --alias %yourCertAlias% --storetype PKCS11 --tsaurl http://rfc3161timestamp.globalsign.com/advanced --tsmode RFC3161 --storepass %tokenPassword% %file2sign%
eToken.cfg:
name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll
Get the certificate's alias using the Java keytool:
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
This should output something like:
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
te-318f471f-9a0e-4101-bf45-96a656cc2306, PrivateKeyEntry,
Certificate fingerprint (SHA1):
41:87:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X:XX:XX:XX:XX:79:78:C4
There may be more entries in the store. To find the right one, look at your certificate's fingerprint. The alias you need for jsign's --alias parameter is the string that in the example starts with "te-318f4....".
Need more detailed help about this part? Please have a look at Trustzone.
Please let me know if you are interested in knowing how we do an automated build process on a separate build machine using only one eToken USB device.
I ran into this problem as well. I was able to duplicate the error outside of Jenkins by running Signtool.exe and, when the prompt for the token password appeared, clicking cancel. You'll get the same error.
I have a C program which watches for the Symantec prompt and automatically enters the token password. But Jenkins clearly wasn't running Signtool.exe in the same context as my password helper program. So I then edited my program which runs Signtool.exe to run the password helper program as well. It was still no good. Then I realized that maybe the problem was how Jenkins was being run on the node. I had the Jenkins node running as a service. Once I stopped the service and connected by running the java command directly on the command line, it worked!
So now I know: if I'm going to run signtool on a Windows node, make sure the node is connected by running on the command line (via a scheduled task), not as a service. This changes the context Jenkins runs under, which allows SignTool and the token prompt to play nice.
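As an added example (not part of any of the answers above), a PowerShell function that reports the properties of the current process context the answers point at: the logon session, whether it is interactive, and whether an ancestor process is hosted by a Windows service. A token's PIN dialog cannot be shown from session 0 or from a process started by a service, which is the situation the Jenkins-as-a-service and scheduled-task answers describe. The function name and the "CanShowPinPrompt" heuristic are this example's own.

```powershell
# Added example, not code from the original answers. Reports why a smart-card /
# eToken PIN prompt can or cannot appear in the context this runs in.
function Test-InteractiveSigningContext {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $session  = (Get-Process -Id $PID).SessionId        # session 0 hosts services; it has no desktop

    # Collect the ancestor chain (PID and image name), a few levels up.
    $ancestors = @()
    $cur = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    while ($cur -and $ancestors.Count -lt 10) {
        $ancestors += [pscustomobject]@{ Pid = $cur.ProcessId; Name = $cur.Name }
        $cur = Get-CimInstance Win32_Process -Filter "ProcessId = $($cur.ParentProcessId)"
    }

    # Any ancestor that is the host process of a Windows service (e.g. the Jenkins
    # agent service) means this process was started by a service, so no UI can be shown.
    $servicePids     = @(Get-CimInstance Win32_Service | Where-Object ProcessId -ne 0 | ForEach-Object ProcessId)
    $serviceAncestors = @($ancestors | Where-Object { $servicePids -contains $_.Pid } | ForEach-Object Name)

    [pscustomobject]@{
        User             = $identity.Name
        SessionId        = $session
        UserInteractive  = [Environment]::UserInteractive
        AncestorChain    = ($ancestors.Name -join ' <- ')
        ServiceAncestors = ($serviceAncestors -join ', ')
        # Heuristic of this example: a prompt needs an interactive, non-service session.
        CanShowPinPrompt = ($session -ne 0 -and [Environment]::UserInteractive -and $serviceAncestors.Count -eq 0)
    }
}

$ctx = Test-InteractiveSigningContext
$ctx | Format-List
if (-not $ctx.CanShowPinPrompt) {
    Write-Warning ("signtool cannot show the token PIN dialog here. Run the agent from an interactive logon " +
                   "(scheduled task set to run only when the user is logged on), or sign with a tool that " +
                   "takes the PIN non-interactively, such as jsign --storepass.")
}
```

Run it from the same place the build step runs (a Jenkins "Execute Windows batch command" or PowerShell step, or the scheduled task) rather than from your own console, since the console will always report an interactive session.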
I had the same issue and solved it by installing the latest Windows 10 SDK, i.e. 10.0.15063.0
I omitted the countersignature :
/tr http://tsa.starfieldtech.com
I had to specify which certificate should be used for signing
/n "My Certificate Name"
Edit: Sorry, my error code was different, but Google brought me here, so this still might be helpful.
(-2146435071/0x80100001)

SignTool Certificate Location for non-Admin user

I'm trying to use SignTool.exe to code sign an executable with a certificate installed into the Windows certificate store. I'm able to get it to work by installing the cert into the Local Machine/Personal section and then running as an administrator, but I can't seem to work out the right place where the certificate needs to be installed to run as the current user.
I've installed the cert into Current User/Personal and when I do:
Get-ChildItem -Path Cert:\CurrentUser\My
the certificate is in the list. But when I try to sign with:
& "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" `
    sign /v /n "West Wind Technologies" `
    /s MY `
    /tr "http://timestamp.digicert.com" /td SHA256 /fd SHA256 `
    ".\Builds\CurrentRelease\MarkdownMonsterSetup.exe"
running as a non-admin user, it doesn't work. I get:
SignTool Error: No certificates were found that met all the given criteria.
If I add the /sm flag, run as an administrator and have it in the Personal store, it works.
Where do I have to put the certificate in the cert store to get it to run without administrator rights?
For the current user you can use Certmgr to import it into the Personal folder.
I use the signtool /n option.
It is a bit more difficult when you use signtool in an automated environment, as (if your security is set up correctly) the build agent runs under a limited service account. An option could be to use a file then.
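One way to do the lookup the question describes, as an added example that is not the answerer's code: search CurrentUser\My first and LocalMachine\My second for a certificate with the code-signing EKU and a usable private key, then pass signtool the store flags that match where it was found (/s MY for the user store, /sm for the machine store) and select the certificate by thumbprint instead of /n. The subject name and output file come from the question; the signtool path is an assumption.

```powershell
# Added example, not code from the original question or answer.
# Find a code-signing certificate in the user store (no elevation needed) or,
# failing that, in the machine store (normally needs elevation), then sign with it.
param(
    [string] $SubjectName = "West Wind Technologies",                                           # from the question
    [string] $SignTool    = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\x64\signtool.exe",    # assumed location
    [string] $FileToSign  = ".\Builds\CurrentRelease\MarkdownMonsterSetup.exe"                  # from the question
)
$ErrorActionPreference = 'Stop'

$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU; signtool only considers certificates valid for it

function Find-SigningCert([string] $StorePath) {
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.Subject -like "*CN=$SubjectName*" -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            # An empty EKU list means "any purpose"; otherwise Code Signing must be listed.
            ($_.EnhancedKeyUsageList.Count -eq 0 -or $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert      = Find-SigningCert 'Cert:\CurrentUser\My'
$storeArgs = @('/s', 'MY')                    # current user's Personal store
if (-not $cert) {
    $cert      = Find-SigningCert 'Cert:\LocalMachine\My'
    $storeArgs = @('/sm', '/s', 'MY')         # machine Personal store
    if ($cert -and -not $isAdmin) {
        Write-Warning "Certificate found in LocalMachine\My but this session is not elevated; signtool will likely report 'No certificates were found that met all the given criteria'."
    }
}
if (-not $cert) {
    throw "No valid code-signing certificate with a private key for '$SubjectName' in CurrentUser\My or LocalMachine\My"
}
Write-Host "Using $($cert.Subject) [$($cert.Thumbprint)] from $($cert.PSParentPath)"

# Select by thumbprint: unambiguous even if several certificates share the subject name.
$signArgs = @('sign', '/v') + $storeArgs + @('/sha1', $cert.Thumbprint,
             '/fd', 'SHA256', '/tr', 'http://timestamp.digicert.com', '/td', 'SHA256', $FileToSign)
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
```

If the certificate is found in CurrentUser\My but HasPrivateKey is false, the private key was not imported with it (or it lives in another account's profile), which produces the same "No certificates were found" message as a missing certificate.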

Windows Kernel Driver Code Signing and SHA256

I am trying to sign a Windows kernel driver with a SHA-256 certificate. I've been back and forth with MS support with no change in status. I've tried SignTool.exe from both the 32- and 64-bit directories of 3 different WDKs (7600, 8.0, 8.1).
My private key lives in a Luna CSP. I have the local cert and the cross-signing cert, and I can apply a SHA-1 signature to the driver in question, but any time I try to sign with SHA-256, I get an error:
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2146893795/0x8009001d)
I've searched for this error, but it seems to be unique to me. Since certs are private, I've redacted some information here. Please let me know if there is more I can provide to help solve the issue.
This works, and signs with a SHA-1 signature:
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /t http://timestamp.verisign.com/scripts/timstamp.dll $file
These give me the above error:
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256 $file
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /t http://timestamp.verisign.com/scripts/timstamp.dll $file
signtool.exe sign /ac "<path>\MSCV-VSClass3.cer" /f "<cert>.cer" /csp "Luna Cryptographic Services for Microsoft Windows" /kc <keystore> /fd sha256 /sha1 <cert thumbprint> /as /tr http://timestamp.verisign.com/scripts/timstamp.dll /td sha256 $file
Adding /v /debug to the command line provides additional output, but has not offered any help with the error.
I'm signing this on a Win7 x64 machine that I have confirmed has access to the Luna server.
