-
-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"No signature found"/"No signature was present in the subject" when signing exe #93
Comments
Thank you for the feedback. Would you be able to sign the |
Thanks Emmanuel, much appreciated - I've emailed it to you. |
I looked at the signed file but I fail to see what's wrong. Would you be able to sign it with signtool and see if there is the same error? If it works with signtool a side by side comparison of the two signatures will certainly unveil the cause of the issue. I suggest disabling the timestamping to simplify the comparison. |
Hi Emmanuel. Thanks for looking. Yes, we'll try what you suggest. Are you able to point at any instructions for how to sign with SignTool when our private/public key is in Google KMS? We've failed to find any guide on how to do this! |
Good question, I assume there is a PKCS#11 library somewhere for Google KMS but I haven't found one yet. |
Thanks, yes I've tried CloudSignTool and am getting the same result. This suggests it isn't a JSign issue, but I'm at a loss to understand where the issue could be. I think I'll have to go back to GlobalSign and see if they have any suggestions. |
There's propably an issue with the certificate then. Let me know if you find out the issue, that may help others in the future. |
Thanks Emmanuel, yes I will. |
@markawightman75 did you ever get this resolved? I am getting the same error with a GlobalSign EV certificate. It seems related to the 4096 key size. |
@markawightman75 How did you resolve this problem? |
@markawightman75 I'm having exactly the same issue. Any updates on your side? Did you ever get this resolved? |
I resolved this problem by changing the sequence of certificates in the chain. |
@maxpain In what order?
|
I got all 3 certificates from GlobalSign. |
Example:
|
@maxpain Are all certs have 4096 bit length? |
I don't know. How to check? |
Check the |
I used this: https://github.com/mattes/google-cloud-kms-csr |
Sorry for the questions but one more last: What kind of keys do you have in HSM. What's the key type / algorithm? I suspect we're using a not properly supported version on Google Cloud KMS HSM |
@maxpain I can verify that it works with But it does not work with Google KMS HSM - |
The signing certificate should come first in the chain file, but there might be a problem with PSS padding too, I'm not sure. My Google Gloud trial is over so I can't test. Could anyone confirm that the error "No signature was present in the subject" is only triggered by a misordered chain file, regardless of the padding? |
I still do have the same problem. Here is a complete step by step what i did maybe this will shed some light: Notes:
The version 1 is the key with PSS Padding. Which resulted in the same error
Still the same problem so for me neither of the Algorithms nor creating a fullchain-pem worked. Unfortunately. @ebourg If you need anything please let me know. |
Hey @MTSym The PSS will never work as it's not supported by Windows. The only key that confirmed and works is the:
Do you get any error from jsign when signing or when creating the CSR? |
@woohgit It did not get any errors from I am also not sure if it does make a difference when when I use one to generate the certificate and the other for signing. Did you use the |
If you're using RSASA-PKCS1 v1_5 HSM key, you need to use GlobalSign and generally the CSRs should be CSR. Don't use neither of these:
|
@woohgit I hope it does not offend you but consider yourself hugged a million times. I am not the most experienced one with crypto algorithms and that change for the CSR was the missing piece for everything. Thank you very much for providing the solution. |
@MTSym Glad that I could help :) |
In my case, the message "No signature was present in the subject" was triggered by a mismatch (my bad) between the private key (stored in AWS KMS, but I think it is not relevant here) and the signing certificate. Maybe we should try to detect that situation where the key is wrong or the certificate is not the correct one? For RSA, one can compare the modulus of the key/certificate; if the key is not accessible directly, maybe a public key can be derived (that is the case for AWS KMS), and then compared to the certificate? |
@vmal-altium With b2b47a9 an error is displayed if the public key and the private key don't match |
I am facing a similar issue, specifically, I am getting the error "Signature verification failed, the private key doesn't match the certificate". After reading this thread I have not seen a pattern to solve the original issue. I am using the same key type as @maxpain What I have done is:
I would really appreciate if someone can give me a hint or point me out in the right direction. Thank you in advance and regards |
@javierguzman Check the order of the certificates in the pem file, your signing certificate should come first |
Thanks @ebourg, indeed I have tried with my certificate first, second by intermediate and then root. I have tried other orders without success. However, I have realized that my key on GCP has a public key which is the same used on CSR. But the certificates I have got from Digicert has another public key...I believe all of them should have the same public key, right? Meaning is Digicert giving me wrong certificates?? |
That's correct, the public key on the certificate and the CSR should be the same. The certificate is simply your public key combined with metadata, all signed by the CA. |
I can confirm I have managed to solve it. I contacted Digicert support and indeed my order was generating the certs using an old CSR. Thanks to support I got the certs using the right CSR and it is working. So for everybody in future, check your GCP key, your CSR and your certs, all have the same public key. Thanks @ebourg again for your help, now I can start setting this up on CI. |
Thank you for sharing your experience, happy signing :) |
Hi,
Firstly - thanks for your amazing work on jsign. It's exactly what we need!
We're trying to sign a Windows exe using a SHA512 key stored in Google KMS and with an EV certificate from GlobalSign, but the digital signature on the exe has the "No signature was present in the subject" message, and verifying with SignTool reports "No signature found".
I'm running jsign from code, having cloned the repo a couple of days ago.
We created a key like this:
and a CSR using https://github.com/mattes/google-cloud-kms-csr, which we used to get our certificate from GlobalSign. The certificate itself has a signature algorithm of
sha256WithRSAEncryption
but my understanding is that this doesn't need to match the signature algorithm we use to sign the exe?We're using the following parameters with jsign:
Do you have any ideas about what could be going on, or suggestions about how we could investigate? We don't currently have a thread to pull on.
Really appreciate all your work, and any suggestions you might have!
Thanks,
Mark
The text was updated successfully, but these errors were encountered: