VS2012 Signing Assembly Error - "Cannot find the certificate..." - visual-studio

I'm trying to sign my app in VS2012 but I'm receiving "Cannot find the certificate and private key for decryption" error.
What I do:
I received my certificate by Comodo CA Limited in Google Chrome.
Exported the certificate to a file with "Include all certificates" and "Export private key" options.
In VS2012, on the Signing tab, I browse to the certificate file and fill in the password. The "Cannot find..." error appears.
I also tried all steps in this tutorial: Visual Studio error 'Cannot find... in Comodo Knowledge Base, but no success.
The same key works fine when signing with the Comodo kSign tool and also when using signtool.exe
....
The most common problem arises when using a .pfx file that contains
chaining information. You can remove chaining information from the key
file by running the Certificate Manager snap-in (Certmgr.msc),
importing the pfx file into the personal certificate store, and then
exporting it without including the certificate chain information.
Importing the certificate in MMC and exporting again doesn't help
...
I tried it on another machine, but the same problem.
Any ideas?

https://msdn.microsoft.com/en-us/library/aa730868%28vs.80%29.aspx#rsvssign_topic3
The .pfx file cannot include certificate chaining information. (If the .pfx file does include this information, the following import error will occur: "Cannot find the certificate and private key for decryption.")
Just do not set "Include all certificates" while exporting the *.pfx file

Related

SignTool Error: WinVerifyTrust returned error: 0x80096019

After signing my application using a test certificate (pfx) with signtool, when I try to verify using signtool verify I am getting the error code below:
SignTool Error: WinVerifyTrust returned error: 0x80096019
A certificate's basic constraint extension has not been observed.
I have tried another exe with the same cert, still the same issue.
I have tried different certificates with the same exe, still the same issue.
I have searched on the Internet and couldn't find a source or link. Any help would be much appreciated.
Maybe you are using a CA certificate to sign. A CA certificate should issue a Code Signing certificate, so you need a second certificate (Basic Constraints = LIMITED to 0 or false) that is then used to sign the executable.
This second code signing certificate is signed with the CA certificate's private key.

Invalid provider type specified error in code signing the vsto outlook application

I bought a code signing certificate from GoDaddy and generated a .pfx file from it. But when I use this file to code sign the ClickOnce manifest of my Outlook VSTO application I get this error in Visual Studio:
An error occurred while signing: Invalid provider type specified.
What could be the problem here?
Thanks.
The signing identity stored in the .pfx container is most likely of the older "Cryptographic Service Provider" (CSP) style. The environment you are using to sign your package looks like it requires the "Cryptography API: Next Generation" (CNG) provider type. The solution would be to convert your existing container to use the CNG Storage Provider. This should be done by the following steps ...
Import the PFX into your personal store
Export the public key from the store by going through export wizard
Export the private key using OpenSSL into .pem format
openssl.exe pkcs12 -in <original pfx file>.pfx -nocerts -out <pem file location>.pem
Convert to PVK
pvk.exe -in <pem file location>.pem -topvk -strong -out <pvk file location>.pvk
Merge the Public and Private keys
pvk2pfx.exe -pvk <pvk file location>.pvk -pi <pvk password> -spc <pvk file location>.cer -pfx <new pfx file location>.pfx -po <pfx password>
Now you can import the newly created pfx file into the Certificate Manager. Make sure you remove the old certificate first from the Certificate Manager. Once the certificate is in place you can use certutil again to validate if the certificate is now correct.
If it now shows the provider as "Microsoft Strong Cryptographic Provider" you know the operation has been successful.
The credit goes to Remy's Blog, where you may find the full explanation of the issue with examples and verification steps: Converting Certificate to use CSP Storage Provider instead of CNG Storage Provider.
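The two properties the answers above turn on, whether the container carries chain certificates (the "Cannot find the certificate and private key for decryption" question at the top) and which Microsoft provider the private key is tagged with (this "Invalid provider type specified" question), can both be read out of the .pfx with openssl before the file is handed to Visual Studio. This is an added example, not code from any of the answers; it assumes openssl on PATH, and the file names and passwords are placeholders.

```sh
#!/bin/sh
# Added example (not from any of the answers above): inspect a .pfx with openssl
# before importing it into Visual Studio. Two things decide whether VS accepts it:
# how many certificates the container holds (more than one means the chain was
# included, which VS2012 rejects) and which Microsoft provider the private key is
# tagged with (a CNG "Key Storage Provider" name yields "Invalid provider type
# specified" in the .NET Framework signing path that VS uses). File names and
# passwords are placeholders; requires openssl on PATH.

# pfx_cert_count FILE PASSWORD -> number of certificates in the container
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# pfx_csp_name FILE PASSWORD -> the "Microsoft CSP Name" attribute stored with
# the private key (openssl prints it among the key's Bag Attributes), or "(none)"
pfx_csp_name() {
    name=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -info 2>/dev/null |
        sed -n 's/^ *Microsoft CSP Name: //p' | head -n 1)
    printf '%s\n' "${name:-(none)}"
}

# pfx_key_is_cng FILE PASSWORD -> 0 when the key is tagged with a CNG key storage
# provider (e.g. "Microsoft Software Key Storage Provider"), 1 for a legacy CSP
# such as "Microsoft Strong Cryptographic Provider" or for an untagged key
pfx_key_is_cng() {
    case "$(pfx_csp_name "$1" "$2")" in
        *"Key Storage Provider"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pfx_strip_chain IN PASSWORD OUT -> rewrite the container with only the leaf
# certificate (the one carrying a localKeyID) and its key, the same result as
# exporting without "Include all certificates". The provider tag is not kept.
pfx_strip_chain() {
    tmp=$(mktemp -d) || return 1
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$tmp/leaf.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/leaf.pem" \
        -passout "pass:$2" -out "$3" 2>/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A container that reports one certificate and a CSP-style provider name is what the VS2012 Signing tab expects; pfx_strip_chain only removes the chain, the provider conversion still needs the pvk/pvk2pfx steps above.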

Getting An error occurred while signing: Failed to sign file.exe. SignTool Error: No certificates were found that met all the given criteria

OK - so this is really odd. I have a TFS build that signs a file and I'm getting the message above. If I look at the log from the build it says that it successfully signed and timestamped my file (there's a .proj file that manually calls signtool), but below that, in a different step (not sure where exactly; I assume that it's in the ClickOnce signing), I get the error.
I'm able to sign the file myself using signtool with the same parameters as the build uses, so I thought perhaps I needed to import the cert. I opened mmc, added the certificates snap-in, and went through the Import Wizard using Local Machine to install it (the TFS build runs under a different account than mine and I don't know the password for that account, so I figured that installing it at machine level would work). I browsed for the file and imported it successfully into Trusted Root Certification Authorities (see below):
and still I get the error when I build. The signtool is called from a .proj file called in the TFS build, but then again by the build during ClickOnce. After importing the cert through the VS screen I now see this:
And get this error:
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Unable to find code signing certificate in the current user’s Windows certificate store. To correct this, either disable signing of the ClickOnce manifest or install the certificate into the certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Importing key file "les.pfx" was canceled.
The cert is in the same folder as the .csproj as well as being imported into the store.
Here's the cert info and the Thumbprint matches what's in the .csproj file:
Any ideas what I could be missing here?
According to the error message, you have to import the certificate into the agent machine's personal store. When you reference the certificate from the personal store, it will not ask for the password, and thus you can access your code signing certificate.
If multiple projects are being built with ClickOnce, then you have to import the certificate into each of the projects.
Please try to use the Visual Studio Command Prompt to import the certificate in your build agent machine:
Click Start → All Programs → Microsoft Visual Studio → Visual Studio Tools → Visual Studio Command Prompt.
Type the following command sample:
sn -i "c:\Pathtofile\.pfx" VS_KEY_C1D3ACB8FBF1AGK4
Note: sn.exe with the -i parameter installs a key pair from the given file into a key container with the given name.
Re-import the pfx file into Visual Studio.
You can also try to create a PowerShell script and run pre-build scripts in your build definition to import the certificate.
The PowerShell script sample for your reference:
$pfxpath = 'pathtoees.pfx'   # path to the .pfx file to import
$password = 'password'       # the password the .pfx was exported with
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# PersistKeySet keeps the private key in the key store after the import
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
# "MY" is the Personal store of the account the script runs under (the build agent's)
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()
Reference these threads:
Visual Studio Team Services deployment/build certificate error
Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'
Build and Publish a ClickOnce App using Team Build/VSO. (The last section about using a certificate from store)

CertUtil importpfx Keyset does not exist

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate by using 'CertUtil', i.e., 'CertUtil -f -p password -importpfx test.p12,' CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running the CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

"No signature was present in the subject" error when signing code

I have run into a similar problem to the one encountered here:
How to sign code (.EXE file) with a .SPC or .PEM file from GoDaddy (using Ubuntu)?
I have used both the Mono signcode tool (https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode) and osslsigncode (http://sourceforge.net/projects/osslsigncode/files/osslsigncode/), and the executables show a digital certificate present signed with "Go Daddy Class 2 Certification Authority". When I view the certificate details it says "No signature was present in the subject". I have tried with the timestamp server and without the timestamp server and there is no difference. I am running the code on Ubuntu Precise and testing on Windows 7.
Suggestions?
I'm experiencing this same issue with a renewed GoDaddy cert.
I'm on Debian v8 / signing a windows EXE. It's a part of a deploy/publish step.
Using the SPC file from last year, it worked well. With both osslsigncode and Mono's signcode.
Now I get security warnings with "No signature was present in the subject".
To FIX
I re-submitted my original CSR, and after receiving the re-re-issued cert I was able to successfully sign using osslsigncode.
Tested with osslsigncode verify <exe-name>
I ended up getting this to work by using the -pkcs12 <pkcs12 file> argument instead of the -cert <certificate file> and -key <key file> arguments. The .pfx file I used was generated from the exact same .spc and .pvk files I was supplying to osslsigncode, but for whatever reason, it worked while they didn't.
The error message "No signature was present in the subject" can be caused by a mismatch between the private key used for signing and the public key in the certificate.
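The key/certificate mismatch named in that last answer can be checked before signing: derive the public key from the private key handed to osslsigncode or signcode and compare it with the certificates in the .spc (an .spc is a DER PKCS#7 certificate bundle) or with a PEM certificate. This is an added example, not code from any of the posts; it assumes openssl on PATH, and the file names are placeholders.

```sh
#!/bin/sh
# Added example (not from any post above): confirm that the private key given to
# osslsigncode/signcode belongs to a certificate in the .spc or .pem, which is the
# mismatch behind "No signature was present in the subject" named in the answer.
# Requires openssl on PATH; file names are placeholders.

# pubkey_of_key KEYFILE -> PEM public key derived from a PEM private key (RSA or EC)
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# key_matches_cert CERT.pem KEY.pem -> 0 when the certificate's public key equals
# the one derived from the private key, 1 on mismatch, 2 when the key is unreadable
key_matches_cert() {
    want=$(pubkey_of_key "$2") || return 2
    [ -n "$want" ] && [ "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" = "$want" ]
}

# key_matches_spc KEY.pem FILE.spc -> 0 when any certificate in the DER PKCS#7
# bundle matches the private key (an .spc usually carries leaf plus chain),
# 1 when none does, 2 when the key is unreadable
key_matches_spc() {
    want=$(pubkey_of_key "$1") || return 2
    tmp=$(mktemp -d) || return 2
    # split the PEM certificates printed from the bundle into one file each
    openssl pkcs7 -inform DER -in "$2" -print_certs 2>/dev/null |
        awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++; p=1} p{print > (d "/" n ".pem")} /END CERTIFICATE/{p=0; close(d "/" n ".pem")}'
    rc=1
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || break
        if [ "$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)" = "$want" ]; then
            rc=0
            break
        fi
    done
    rm -rf "$tmp"
    return $rc
}
```

For a .pvk private key, convert it to PEM first (openssl rsa -inform PVK) and pass the result as the key file.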
