Signing using MAGE fails when providing -CertFile -CryptoProvider and -KeyContainer #986
A duplicate of the same issue: https://stackoverflow.com/questions/54752638/mage-exe-manifest-signing-with-certificate-stored-in-aws-cloudhsm
I had the same issue ("This certificate does not contain a private key...") when trying to sign a manifest using mage.
Like @samshteinman, I ended up decompiling mage.exe using JetBrains dotPeek 2019.2.2 and recompiling it using VS 2017 after applying the changes mentioned in this bug report.

```csharp
public static bool SetPrivateKeyIfNeeded(...
...
CspParameters parameters = new CspParameters();
...
// original code
// parameters.KeyNumber = (int) KeyNumber.Signature;
// new code
parameters.KeyNumber = (int) KeyNumber.Exchange;
```

... signing the manifest worked fine.
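The comment above points at the root cause: mage opens the CSP key container with KeyNumber.Signature, so a container whose key was generated as an exchange key (AT_KEYEXCHANGE) is reported as "does not contain a private key". The following diagnostic, an added example and not mage's or Microsoft's code, opens the container named by `certutil -store my` with both key specs and checks whether the key it finds actually matches the certificate; the CSP flags it uses are an assumption (machine key store, as `certutil -store my` lists the LocalMachine store).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not mage's code. Arguments: <cert.crt> <provider name> <key container name>,
// taken from the "Provider =" and "Key Container =" lines of "certutil -store my".
static class CspKeyProbe
{
    // Tries to open the named container with one key spec; returns null if the CSP refuses.
    static RSACryptoServiceProvider TryOpen(string provider, string container, KeyNumber keyNumber)
    {
        var p = new CspParameters
        {
            ProviderName = provider,
            KeyContainerName = container,
            KeyNumber = (int)keyNumber,
            // UseExistingKey stops the CSP from silently creating a fresh key when the requested
            // one is absent. UseMachineKeyStore is an assumption matching "certutil -store my";
            // drop it for certificates in the current-user store.
            Flags = CspProviderFlags.UseExistingKey | CspProviderFlags.UseMachineKeyStore
        };
        try { return new RSACryptoServiceProvider(p); }
        catch (CryptographicException) { return null; }
    }

    // Confirms the container really holds the certificate's key by comparing public moduli
    // and exponents (a container can open fine and still belong to a different certificate).
    static bool MatchesCertificate(X509Certificate2 cert, RSA csp)
    {
        RSAParameters certKey = cert.GetRSAPublicKey().ExportParameters(false);
        RSAParameters cspKey = csp.ExportParameters(false);
        return Convert.ToBase64String(certKey.Modulus) == Convert.ToBase64String(cspKey.Modulus)
            && Convert.ToBase64String(certKey.Exponent) == Convert.ToBase64String(cspKey.Exponent);
    }

    static int Main(string[] args)
    {
        if (args.Length != 3) { Console.Error.WriteLine("usage: CspKeyProbe <cert.crt> <provider> <container>"); return 2; }
        var cert = new X509Certificate2(args[0]);
        // mage only tries Signature; probing Exchange as well shows why signing fails for HSM keys.
        foreach (var spec in new[] { KeyNumber.Signature, KeyNumber.Exchange })
        {
            using (var rsa = TryOpen(args[1], args[2], spec))
            {
                if (rsa == null) { Console.WriteLine($"{spec}: container not openable with this key spec"); continue; }
                Console.WriteLine($"{spec}: opened, public key {(MatchesCertificate(cert, rsa) ? "matches" : "does NOT match")} the certificate");
            }
        }
        return 0;
    }
}
```

If only the Exchange line reports a match, the certificate is usable by CryptoAPI but not by an unmodified mage.exe, which is the situation described in this thread.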
We have the same issue and I would be interested in an answer from MS.
I'd love an official fix too. I've installed .NET 4.8 and that version of mage, v4.8.3928.0, does the same thing for me; I used ILSpy (v7.0 preview 2), opened the 4.7.2 project, targeted 4.7.2 and x64, and I can now sign and get a verified (by the official mage.exe) .application file (haven't tried the manifest yet, fingers crossed).
Did you guys ever get any resolution to this?
No official resolution.
Thanks @RedTahr. I have re-filed this issue here: https://developercommunity.visualstudio.com/t/ClickOnce-EV-Signing-with-HSM/10278648 as this repository has been closed.
Thank you! I'll have @Tanya-Solyanik take a look at the issue, she may be able to help find a solution.
One known HSM certificate signing failure is caused by different bitness between the mage.exe tool and the CryptoServiceProvider packages installed on your machine. Prior to .NET Framework SDK 4.8.1, we shipped only a 32-bit version of the mage tool, and on 64-bit machines with only a 64-bit crypto provider installed, the 32-bit process couldn't load the provider and thus consume the certificate. Starting with 4.8.1, we added a 64-bit version of the mage tool. The .NET Framework SDK 4.8.1 is available with Visual Studio as well as in the devpack. However, if your certificate contains an exchange key, as described in this comment, I don't have a workaround.
I appreciate the response @Tanya-Solyanik. This used to work with mage also (via Visual Studio). I used to be able to use the UI to select the certificate from the Store. It is no longer visible. I believe this is the article from the CA describing the change and reason:
No, the PIN prompt will be displayed for any certificate; it's not related to certificate use. SHA384 certificates are not supported by mage; this request belongs to the deployment-tools repo. Are you using a 64-bit version of mage?
dotnet/deployment-tools#256 is a more appropriate repo to track update requests to mage. Thus closing this one.
MAGE located in:

```
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\
```

The error I receive is:

```
This certificate does not contain a private key - "C:\cert.crt", if this is a public key certificate, please provide valid cryptographic service provider and key container names
```

I believe the cryptographic service provider and key container names are correct, I got them by running:

```
certutil -store my
```

and then taking the `Key Container = xxxx` and `Provider = xxxx` values.
Please note: If I decompile mage.exe and rebuild with a couple changes, I can successfully sign. Mage -Verify tells me the manifest is signed correctly, and I see the updated settings in the .manifest file.
My exact changes were:

Target .NET 4.7.2

AssemblyInfo.cs - DELETE these two attributes:

```csharp
[assembly: AssemblyKeyFile("f:\dd\tools\devdiv\FinalPublicKey.snk")]
[assembly: DefaultDllImportSearchPaths]
```

Mage.NCryptMethods - MODIFY

```csharp
internal static extern int NCryptEnumStorageProviders(
    out int pdwProviderCount,
    out NCryptMethods.NCryptProviderName* ppProviderList,
    [In] int dwFlags = 0);
```

TO

```csharp
internal unsafe static extern int NCryptEnumStorageProviders(
    out int pdwProviderCount,
    out NCryptMethods.NCryptProviderName* ppProviderList,
    [In] int dwFlags = 0);
```

and

```csharp
public static extern int NCryptEnumKeys(
    [In] SafeNCryptProviderHandle hProvider,
    [In] string pszScope,
    out NCryptMethods.NCryptKeyName* ppKeyName,
    [In, Out] ref void* ppEnumState,
    [In] int dwFlags = 0);
```

TO

```csharp
public unsafe static extern int NCryptEnumKeys(
    [In] SafeNCryptProviderHandle hProvider,
    [In] string pszScope,
    out NCryptMethods.NCryptKeyName* ppKeyName,
    [In, Out] ref void* ppEnumState,
    [In] int dwFlags = 0);
```

MageCLI.Command - Command(string[] args) - ADD a `break;` at line 164 (the `case '/'` didn't have a `break;` at the end of it).

Those were the only changes, then I can successfully sign.