
Azure Trusted Signing - unable to retrieve certificate chain #266

Open
vadi2 opened this issue Dec 5, 2024 · 5 comments

Comments

@vadi2

vadi2 commented Dec 5, 2024

Hi!

I successfully used this jsign to sign a Windows executable 3 days ago:

$ jsign --storetype TRUSTEDSIGNING \
      --keystore eus.codesigning.azure.net \
      --storepass PAT HERE \
      --alias Mudlet/Mudlet \
      Mudlet.exe
Adding Authenticode signature to Mudlet.exe

But when I try to use exactly the same command today, I get this:

jsign: Unable to retrieve the certificate chain 'Mudlet/Mudlet'
java.security.KeyStoreException: Unable to retrieve the certificate chain 'Mudlet/Mudlet'
	at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:109)
	at net.jsign.jca.SigningServiceKeyStore.engineGetCertificateChain(SigningServiceKeyStore.java:43)
	at java.base/java.security.KeyStore.getCertificateChain(KeyStore.java:1100)
	at net.jsign.SignerHelper.build(SignerHelper.java:354)
	at net.jsign.SignerHelper.sign(SignerHelper.java:450)
	at net.jsign.SignerHelper.execute(SignerHelper.java:305)
	at net.jsign.JsignCLI.execute(JsignCLI.java:213)
	at net.jsign.JsignCLI.main(JsignCLI.java:57)
Caused by: java.io.IOException: InternalError - ClaimsPrincipal TenantId is null.
	at net.jsign.jca.RESTClient.query(RESTClient.java:159)
	at net.jsign.jca.RESTClient.post(RESTClient.java:73)
	at net.jsign.jca.AzureTrustedSigningService.sign(AzureTrustedSigningService.java:147)
	at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:106)
	... 7 more
Try `jsign --help' for more information.

The command is exactly the same. What could be going wrong?

The only external factor I noticed that changed is that Trusted Signing certificates only last 72h, so a new one got created today:

[image]

@ebourg
Owner

ebourg commented Dec 5, 2024

Are you sure the token used the second time is valid?

@vadi2
Author

vadi2 commented Dec 6, 2024

You're right, it's a very short-lived token.

Would you have any ideas how this is meant to work in a CI environment then? I've looked around but it's not immediately obvious.

@ebourg
Owner

ebourg commented Dec 6, 2024

Typically the token is retrieved during the build by calling:

az account get-access-token --resource https://codesigning.azure.net

So you need the Azure CLI in your build environment and the credentials required to generate the token.
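Added example (not jsign's own code and not posted by anyone in this thread) of the CI step described in the comment above: fetch the token with `az account get-access-token` during the build, then pass it to jsign as the store password. It also decodes the token's `exp` and `aud` claims before calling jsign, so a stale token, which is what produced the "ClaimsPrincipal TenantId is null" error at the top of this issue, is reported as such. Assumed and not from the page: `az login` has already run in the job, jsign is on PATH, the Azure CLI's standard `--query accessToken -o tsv` output options are used to get the bare token, and the test token the script can construct is unsigned and exists only to exercise the check offline.

```shell
#!/bin/sh
# Added example, not part of jsign or of this thread: a CI signing step that
# fetches a fresh Trusted Signing token with the Azure CLI and checks the
# token's claims before handing it to jsign, so an expired token fails with
# a plain message instead of "ClaimsPrincipal TenantId is null".
# Assumed (not stated on the page): `az login` has already run in the job,
# jsign is on PATH, and `date`, `base64`, `sed` and `cut` are available.

TS_RESOURCE="https://codesigning.azure.net"   # audience the token must carry
TS_ENDPOINT="eus.codesigning.azure.net"       # endpoint from the issue
TS_ALIAS="Mudlet/Mudlet"                      # account/profile alias from the issue

# base64url-encode stdin (JWT style: no padding, '-' and '_' instead of '+' and '/').
b64url_encode() { base64 | tr -d '\n=' | sed 'y|+/|-_|'; }

# Decode one base64url JWT segment, restoring the padding that JWTs strip.
b64url_decode() {
  seg=$(printf '%s' "$1" | sed 'y|-_|+/|')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print one top-level claim ($2) of the token ($1). Handles numbers and plain
# strings, which is all this check needs (deliberately no full JSON parser).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 if the token looks usable for Trusted Signing, 1 otherwise (reason
# on stderr). $1 = token, $2 = current unix time (defaults to now). The
# signature is NOT verified here, Azure does that; this is a pre-flight check.
check_token() {
  tok=$1
  now=${2:-$(date +%s)}
  exp=$(jwt_claim "$tok" exp)
  aud=$(jwt_claim "$tok" aud)
  if [ -z "$exp" ]; then
    echo "token has no exp claim" >&2; return 1
  fi
  if [ "$aud" != "$TS_RESOURCE" ]; then
    echo "token audience is '$aud', expected $TS_RESOURCE" >&2; return 1
  fi
  # Keep a 60 s margin so the token does not expire mid-request.
  if [ "$exp" -le $((now + 60)) ]; then
    echo "token expired or about to expire (exp=$exp, now=$now); run 'az account get-access-token' again" >&2
    return 1
  fi
  return 0
}

# Constructed, unsigned test token (alg none, empty signature) so the check
# can be exercised offline. $1 = exp, $2 = aud. Not a real Azure token.
make_test_token() {
  hdr=$(printf '{"alg":"none","typ":"JWT"}' | b64url_encode)
  pl=$(printf '{"aud":"%s","exp":%s,"tid":"00000000-0000-0000-0000-000000000000"}' "$2" "$1" | b64url_encode)
  printf '%s.%s.' "$hdr" "$pl"
}

# The actual CI step: get a token right before signing, check it, sign.
# $1 = file to sign.
sign_exe() {
  token=$(az account get-access-token --resource "$TS_RESOURCE" \
            --query accessToken -o tsv) || return 1
  check_token "$token" || return 1
  jsign --storetype TRUSTEDSIGNING --keystore "$TS_ENDPOINT" \
        --storepass "$token" --alias "$TS_ALIAS" "$1"
}

# Usage: sh sign.sh Mudlet.exe
if [ $# -gt 0 ]; then
  sign_exe "$1"
fi
```

Fetch the token immediately before the jsign call rather than at the start of the job, since the thread's whole point is that the token is short-lived; the 60 s margin in `check_token` only guards against expiry during the request itself.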

@vadi2
Author

vadi2 commented Dec 7, 2024

@vadi2 vadi2 closed this as completed Dec 7, 2024
@ebourg
Owner

ebourg commented Dec 7, 2024

Nice, I'm reopening the issue because the error reported could be improved. Jsign could hint about the expired token when receiving the "ClaimsPrincipal TenantId is null" error from Azure.

@ebourg ebourg reopened this Dec 7, 2024