Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signature verification failed, the private key doesn't match the certificate #203

Open
outrunthewolf opened this issue Feb 19, 2024 · 8 comments
Open

Signature verification failed, the private key doesn't match the certificate #203

outrunthewolf opened this issue Feb 19, 2024 · 8 comments

Comments

@outrunthewolf
Copy link

Hi, I'm consistently getting Signature verification failed, the private key doesn't match the certificate

I'm running JSign on Linux Ubunutu

I'm using GCP KMS and this is my command:

jsign --storetype GOOGLECLOUD --storepass $(gcloud auth print-access-token) \
--keystore projects/PROJECT/locations/us-east1/keyRings/KEYRING \
--alias KEYNAME --certfile chain.pem \
my.exe

What I know:

  • I'm convinced JSign is selecting the correct key from my keyring, omitting alias lists out the keys available correctly.
  • I'm convinced my private key and certificate do match. I've run openssl md5 on the certificate, and the public key and all match. I'm not sure how I can test the private key from GCP though.

My only other idea is my certfile is incorrectly formatted. In some cases I can see people using .pem (chained certs) and documentation mentions PKCS#7 or P7B format.

My certfile looks like:

-----BEGIN CERTIFICATE-----

... My cert

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

... Certificate Authority

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

... trusted root

-----END CERTIFICATE-----

Is there anyway you can give more information on the certfile formatting? Is there further way to run the JSign program in debug or verbose mode? Perhaps that could help me spot an issue.

Thanks.
@ebourg
Copy link
Owner

ebourg commented Feb 20, 2024
edited

How is configured your private key? Did you select PKCS#1 v1.5 padding?

@oleksii-tymofieiev
Copy link

Is there a plan to support RSA-PSS key in jsign?

@ebourg
Copy link
Owner

ebourg commented Mar 7, 2024

My understanding is that Authenticode doesn't support RSA-PSS, but I may be wrong.

@oleksii-tymofieiev
Copy link

Thank you for your answers @ebourg and for the great work you are doing.

@ebourg
Copy link
Owner

ebourg commented Mar 7, 2024

@oleksii-tymofieiev You're welcome. Do you think you could send your signing certificate with the RSA-PSS key to ebourg@apache.org? I'd like to do some tests and see if I can print a useful error message when such a key is used.

@apique13
Copy link

apique13 commented Mar 8, 2024

Hi,
I've got a similar issue with a YUBIKEY.
Signature Algorithm sha384ECDSA
Public key ECDSA_P384, ECC (384 bits)
I can't tell you more, I can't see the private key.
Thanks

@ebourg
Copy link
Owner

ebourg commented Mar 8, 2024

@apique13 What command line did you use?

@apique13
Copy link

apique13 commented Mar 8, 2024

Sorry, I think the problem is maybe the certificate on my yubikey. I tried with signtool too, there is no error, but the outpur file is not properly signed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ebourg @outrunthewolf @apique13 @oleksii-tymofieiev