Unable to retrieve the certificate chain from Azure Trusted Signing (socket write error) #220
Thank you for reporting this issue. What version of Java do you use? Are you behind a proxy?
I am not behind a proxy and I am using the java version that is bundled with the 6.0 chocolatey release.
Do you get the same error if you run this command from another location (at home or at work)?
I actually had tested the command before without getting the error, on the same machine manually, whereas when getting the error it was using that machine as a build agent for azure devops. So I assume it is a race condition kind of thing, caused by starting multiple jsign processes at the same time.
What's the execution context when it fails? A Docker container on a Windows server? The error messages "Software caused connection abort: socket write error" and "SSL peer shut down incorrectly" smell like a network issue typically caused by a firewall or antivirus software terminating the connection.
It is running on a windows server in this context.
As a sidenote, my approach goes against your advice to provide a filelist as the input for the command when using trusted signing. The reason for that is that we ran into the max length of the command line, which is most likely caused by the fact that the chocolatey bin uses a .cmd wrapper. Would you be open to using a powershell wrapper instead?
How many files are you signing? I just noticed that your script invokes
Is it possible to have both? I'm not familiar with PowerShell, any help would be welcome.
I am signing about 200 files when the error happened. I was assuming the same thing, I am just not very familiar with the kind of network resources used, and if you can over saturate those or maybe have them be locked by the other process. I am not sure if it is possible to have both a powershell wrapper and cmd wrapper at the same time. I assume it would be possible to make either an entirely separate powershell module for it, or to register the powershell wrapper as a different bin, maybe called jsignps, during the chocolatey installation. I am not sure if this kind of command line max length is also an issue on other platforms than windows.
Alternatively, Jsign could be improved to support glob patterns and/or signing a whole directory tree recursively. Or accept a file containing a list of files to sign as input.
Honestly, I'd like to see both, though the second is more powerful, and will probably help more people. I am not sure if globs on windows and linux are equivalent enough to add that without too much difficulty.
I've implemented the file list in d668c2e. You just have to create a text file with the list of files to sign, one per line, and then specify this file with the @ prefix:
Sounds good, I'll test if it works for me.
I also have some more or less working code for a very simple powershell module wrapper around jsign, though it probably needs more testing to become part of the main package.
I've fixed the build error, you can get the artifacts here: https://github.com/ebourg/jsign/actions/runs/9113199977/artifacts/1509522053
I saw, and will test the feature on my side.
I get below error when using it with the following list file
temp.txt
Edit: I am probably wrong about this because the error outputs the filename correctly. I think the cause might be the substring(1) for the filename.
Another iteration, supporting UTF-16 files and quoted file names:
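The file-list approach discussed in this thread, as an added PowerShell example that is not code from the thread or from the Jsign project: it writes the paths to a list file and signs them in a single jsign invocation, which keeps the command line short. The build directory, endpoint, account/profile alias and environment variable name are placeholder assumptions.

```powershell
# Added example. All paths and names below are placeholders (assumptions),
# not values taken from the issue.
$ErrorActionPreference = 'Stop'

$buildDir = 'C:\build\output'                       # placeholder build output
$listFile = Join-Path $env:TEMP 'jsign-files.txt'   # list file passed with @

# Collect the binaries to sign, as full paths.
$files = Get-ChildItem -Path $buildDir -Recurse -File -Include *.exe, *.dll |
    Select-Object -ExpandProperty FullName

if (-not $files) { throw "No files to sign under $buildDir" }

# One path per line. WriteAllLines with no encoding argument writes
# UTF-8 without a byte order mark.
[System.IO.File]::WriteAllLines($listFile, [string[]]$files)

# The access token is expected in an environment variable set by the
# pipeline as a secret. The env: prefix lets jsign read it from the
# environment so the token is not part of the process command line.
if (-not $env:TRUSTED_SIGNING_TOKEN) {
    throw 'TRUSTED_SIGNING_TOKEN is not set'
}

try {
    # Quote the @ argument: unquoted, PowerShell treats @ as splatting.
    & jsign --storetype TRUSTEDSIGNING `
            --keystore 'weu.codesigning.azure.net' `
            --storepass 'env:TRUSTED_SIGNING_TOKEN' `
            --alias 'MyAccount/MyProfile' `
            "@$listFile"

    if ($LASTEXITCODE -ne 0) {
        throw "jsign failed with exit code $LASTEXITCODE"
    }
}
finally {
    # Remove the list file whether or not signing succeeded.
    Remove-Item -Path $listFile -ErrorAction SilentlyContinue
}
```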
New build seems to be working well.
Given that the filelist makes it unnecessary to solve this issue, that doesn't really seem to be a real bug, I think this issue can be closed.
I've further refined the command line tool, it now supports wildcard patterns. For example:
The artifacts are here if you want to give it a try: The original issue wasn't a bug but it still led to interesting improvements. I think I'll cut the new release next month.
Sounds good, wildcard patterns are a great addition, especially as signtool and trusted signing powershell seem to omit these features, which makes signing multiple files a nightmare.
Command used
Is it possible that running the process like this causes it to fight over the connection?
I am using jsign installed through chocolatey with the jar replaced by the in-dev version from https://github.com/ebourg/jsign/actions/runs/9038916734.