-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to use signtool /ds option with the CNG provider #20
Comments
Hello, I am not familiar with this flow, but per the CNG spec, the I guess the parameter description leaves some room for interpretation because it says Just to confirm, are you trying to use this with an ECDSA key or an RSA-PKCS1 / RSA-PSS key? See the limitations section. If you are indeed using an ECDSA key, I'll tweak the provider logging when I have some time and try to go through the same flow to understand what it's trying to set it to. Thanks for bringing this up! |
Indeed, I found some time to reproduce this with my own EC-P256 key and I also ran into the same error. Played with it for a bit and tweaked our logging to check what is being passed to the provider: it looks like SignTool is trying to use the We should investigate further, unclear if this is our bug or a weird behavior of SignTool, but will keep this issue open as a bug for now. |
Is there any plan to address this bug? Really need either this one addressed or #18 |
@obones @ysichrisdag as I was going through the open issues of the repo, I figured I'd try out this flow again now that RSA4096-PKCS1 support has been merged (#29). I haven't tried ECDSA, I assume the bug is still present and I don't think we can do much about that, but I believe I was able to sign something successfully using Is ECDSA a requirement? If not, it would be great if you could test this out with RSA |
Well, this issue is here just because I tried a workaround issue #18 but if that other issue was to be addressed, then this one could go way down in the priority list.
Yes, it is because it comes from my signing key provider as I require a signing key backed by the PKI recognized by the Windows operating system. |
FWIW, I tried with signtool from SDK 10.0.26100.0 but this did not change the situation |
Hello,
Because of the absence of an x86 version of the provider (See #18), I'm trying a workaround by using the following steps:
get the file digest by using the
/dg
optionSign the generated digest with the CNG provider and the
/ds
optionIntegrate the signed digest with the
/di
optionTimestamp the generated signature
When using a certificate whose private key is stored on a physical usb token (Yubikey), this works fine.
But when I use the CNG provider, I get the following error:
Looking at bridge.cc:421 the error seems to be created on purpose but I'm not sure what to make of this.
I would simply remove the test as it seems
pPaddingInfo
is not used at all in that function, but this must be a very naive approach.Any help would be most welcome.
The text was updated successfully, but these errors were encountered: