jsign icon indicating copy to clipboard operation
jsign copied to clipboard
verified publisher icon ebourg

Signature verification failed, the private key doesn't match the certificate

Open outrunthewolf opened this issue 2 years ago • 8 comments

Hi, I'm consistently getting Signature verification failed, the private key doesn't match the certificate

I'm running JSign on Linux Ubunutu

I'm using GCP KMS and this is my command:

jsign --storetype GOOGLECLOUD --storepass $(gcloud auth print-access-token) \
--keystore projects/PROJECT/locations/us-east1/keyRings/KEYRING \
--alias KEYNAME --certfile chain.pem \
my.exe

What I know:

  • I'm convinced JSign is selecting the correct key from my keyring, omitting alias lists out the keys available correctly.
  • I'm convinced my private key and certificate do match. I've run openssl md5 on the certificate, and the public key and all match. I'm not sure how I can test the private key from GCP though.

My only other idea is my certfile is incorrectly formatted. In some cases I can see people using .pem (chained certs) and documentation mentions PKCS#7 or P7B format.

My certfile looks like:

-----BEGIN CERTIFICATE-----

... My cert

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

... Certificate Authority

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

... trusted root

-----END CERTIFICATE-----

Is there anyway you can give more information on the certfile formatting? Is there further way to run the JSign program in debug or verbose mode? Perhaps that could help me spot an issue.

Thanks.

outrunthewolf avatar Feb 19 '24 22:02 outrunthewolf

How is configured your private key? Did you select PKCS#1 v1.5 padding?

ebourg avatar Feb 20 '24 20:02 ebourg

Is there a plan to support RSA-PSS key in jsign?

oleksii-tymofieiev avatar Mar 07 '24 00:03 oleksii-tymofieiev

My understanding is that Authenticode doesn't support RSA-PSS, but I may be wrong.

ebourg avatar Mar 07 '24 01:03 ebourg

Thank you for your answers @ebourg and for the great work you are doing.

oleksii-tymofieiev avatar Mar 07 '24 04:03 oleksii-tymofieiev

@oleksii-tymofieiev You're welcome. Do you think you could send your signing certificate with the RSA-PSS key to [email protected]? I'd like to do some tests and see if I can print a useful error message when such a key is used.

ebourg avatar Mar 07 '24 07:03 ebourg

Hi, I've got a similar issue with a YUBIKEY. Signature Algorithm sha384ECDSA Public key ECDSA_P384, ECC (384 bits) I can't tell you more, I can't see the private key. Thanks

apique13 avatar Mar 08 '24 16:03 apique13

@apique13 What command line did you use?

ebourg avatar Mar 08 '24 16:03 ebourg

Sorry, I think the problem is maybe the certificate on my yubikey. I tried with signtool too, there is no error, but the outpur file is not properly signed.

apique13 avatar Mar 08 '24 18:03 apique13