
Signing using MAGE fails when providing -CertFile -CryptoProvider and -KeyContainer #986

Closed
samshteinman opened this issue Mar 25, 2019 · 12 comments

Comments

@samshteinman

samshteinman commented Mar 25, 2019

MAGE located in:
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\

The error I receive is:
This certificate does not contain a private key - "C:\cert.crt", if this is a public key certificate, please provide valid cryptographic service provider and key container names

I believe the cryptographic service provider and key container names are correct, I got them by running:
certutil -store my
And then taking the Key Container = xxxx, and Provider = xxxx values

Please note: If I decompile mage.exe and rebuild with a couple changes, I can successfully sign. Mage -Verify tells me the manifest is signed correctly, and I see the updated settings in the .manifest file.

My exact changes were:

Target .NET 4.7.2

AssemblyInfo.cs -
DELETE [assembly: AssemblyKeyFile("f:\dd\tools\devdiv\FinalPublicKey.snk")]
DELETE [assembly: DefaultDllImportSearchPaths]

Mage.NCryptMethods
MODIFY
    internal static extern int NCryptEnumStorageProviders(
        out int pdwProviderCount,
        out NCryptMethods.NCryptProviderName* ppProviderList,
        [In] int dwFlags = 0);
TO
    internal unsafe static extern int NCryptEnumStorageProviders(
        out int pdwProviderCount,
        out NCryptMethods.NCryptProviderName* ppProviderList,
        [In] int dwFlags = 0);

    public static extern int NCryptEnumKeys(
        [In] SafeNCryptProviderHandle hProvider,
        [In] string pszScope,
        out NCryptMethods.NCryptKeyName* ppKeyName,
        [In, Out] ref void* ppEnumState,
        [In] int dwFlags = 0);
TO
    public unsafe static extern int NCryptEnumKeys(
        [In] SafeNCryptProviderHandle hProvider,
        [In] string pszScope,
        out NCryptMethods.NCryptKeyName* ppKeyName,
        [In, Out] ref void* ppEnumState,
        [In] int dwFlags = 0);

MageCLI.Command - Command(string[] args)
ADD
    line 164: break;
The case '/' didn't have a break; at the end of it.

Those were the only changes, then I can successfully sign.

@Tanya-Solyanik
Member

@hhonisch

I had the same issue ("This certificate does not contain a private key...") when trying to sign a manifest using mage.
Tried both mage from .NET 4.7.2 and 4.8 - no difference.
The certificate's private key is stored in a SafeNet USB eToken; I've installed GlobalSign SafeNet Drivers 10.4.

mage -sign MyManifest -CertFile MyCertificate.cer -CryptoProvider "eToken Base Cryptographic Provider" -KeyContainer "[{{eTokenPassword}}]=te-xxxx...."

Like @samshteinman, I ended up decompiling mage.exe using JetBrains dotPeek 2019.2.2 and recompiling it using VS 2017 after applying the changes mentioned in this bug report.
But the recompiled mage.exe showed the same error as the original one.
However, after I changed the CspParameters KeyNumber in Certificate.cs

public static bool SetPrivateKeyIfNeeded(...  
...  
    CspParameters parameters = new CspParameters();  
...
    // original code
    // parameters.KeyNumber = (int) KeyNumber.Signature; 
    // new code
    parameters.KeyNumber = (int) KeyNumber.Exchange; 
...

signing the manifest worked fine.
I've uploaded the modified mage.exe here, in case anyone wants to try it.
https://drive.google.com/open?id=1uw8W1FRFqj45nobDq47zG9LmqP8YKtB8

@DesrosiersC

We have the same issue and I would be interested in an answer from MS.

@RedTahr

RedTahr commented Jan 19, 2021

I'd love an official fix too. I've installed .NET 4.8 and that version of mage (v4.8.3928.0) does the same thing for me:
"This certificate does not contain a private key - "xxxxx.cer", if this is a public key certificate, please provide valid cryptographic service provider and key container names"

I used ILSpy (v7.0 preview 2), opened the 4.7.2 project, targeted 4.7.2 and x64, and I can now sign and get a verified (by the official mage.exe) .application file (haven't tried the manifest yet, fingers crossed).

@RhomGit

RhomGit commented Feb 13, 2023

Did you guys ever get any resolution to this?
I am stuck in this position now and not sure what to do.

@RedTahr

RedTahr commented Feb 13, 2023

> Did you guys ever get any resolution to this?
> I am stuck in this position now and not sure what to do.

No official resolution.
My reverse engineered mage.exe was still in use for digital signing when I left that job.

@RhomGit

RhomGit commented Feb 20, 2023

Thanks @RedTahr.

I have re-filed this issue here: https://developercommunity.visualstudio.com/t/ClickOnce-EV-Signing-with-HSM/10278648 as this repository has been closed.

@merriemcgaw
Member

Thank you! I'll have @Tanya-Solyanik take a look at the issue, she may be able to help find a solution.

@Tanya-Solyanik
Member

One known HSM certificate signing failure is caused by different bitness between the mage.exe tool and the CryptoServiceProvider packages installed on your machine. Prior to .NET Framework SDK 4.8.1, we shipped only a 32 bit version of the mage tool, and on 64 bit machines with only a 64 bit crypto provider installed, the 32 bit process couldn't load the provider and thus consume the certificate. Starting with 4.8.1, we added a 64 bit version of the mage tool. The .NET Framework SDK 4.8.1 is available with Visual Studio as well as in the devpack.

However, if your certificate contains an exchange key, as described in this comment, I don't have a workaround.
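The two failure modes discussed above, hhonisch's Signature-vs-Exchange key spec and the 32/64 bit provider mismatch, can both be checked from the machine doing the signing. The following C# console program is an added example, not mage's code or any participant's: it opens each certificate's private key through the .NET APIs and prints the CSP or KSP name and key container (the values passed as -CryptoProvider / -KeyContainer), the CSP key spec, and the bitness of the calling process. It assumes .NET Framework 4.7.2 or later and the CurrentUser\My store.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic, not part of mage: reports what a signer needs to know
// about the private key behind each certificate in CurrentUser\My.
static class KeyDiag
{
    // Describes cert's private key, or explains why it cannot be used.
    public static string Describe(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return "no private key is associated with this certificate";

        // Throws CryptographicException when the provider itself cannot be
        // loaded, e.g. a 32-bit process against a 64-bit-only CSP.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                return "private key is not RSA";
            // CNG/KSP key: the legacy CspParameters path cannot open these.
            if (rsa is RSACng cng)
                return $"CNG key, provider='{cng.Key.Provider.Provider}', container='{cng.Key.KeyName}'";
            if (rsa is RSACryptoServiceProvider csp)
            {
                CspKeyContainerInfo info = csp.CspKeyContainerInfo;
                // keyspec=Exchange here is the eToken case from this thread;
                // mage's KeyNumber.Signature would not match it.
                return $"CSP key, provider='{info.ProviderName}', container='{info.KeyContainerName}', " +
                       $"keyspec={info.KeyNumber}, hardware={info.HardwareDevice}";
            }
            return $"unexpected key type {rsa.GetType().Name}";
        }
    }

    static void Main()
    {
        Console.WriteLine($"this process is {(Environment.Is64BitProcess ? 64 : 32)}-bit");
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                Console.WriteLine($"{cert.Thumbprint}  {cert.Subject}");
                try { Console.WriteLine("  " + Describe(cert)); }
                catch (CryptographicException ex) { Console.WriteLine("  cannot open key: " + ex.Message); }
            }
        }
    }
}
```

Build it once as x86 and once as x64: a certificate that lists cleanly in one build and reports "cannot open key" in the other points at the provider bitness problem rather than at the certificate.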

@RhomGit

RhomGit commented Mar 23, 2023

I appreciate the response @Tanya-Solyanik.
Is the exchange key method the one that pops up this when signing with signtool.exe?
[screenshot]

This used to work with mage also (via Visual Studio).
I was publishing ClickOnce apps using authenticode/my hardware token until a few months ago when I received new EV certificates (one for each of the software vendors I do work for). I believe these are a longer length than they have been in the past however the CA isn't very forthcoming with this information.

I used to be able to use the UI to select the certificate from Store. It is no longer visible.
[screenshot]

I believe this is the article from the CA describing the change and reason:
https://www.ssl.com/blogs/new-minimum-rsa-key-size-for-code-signing-certificates/

@Tanya-Solyanik
Member

Tanya-Solyanik commented Mar 24, 2023

No, the PIN prompt will be displayed for any certificate, it's not related to certificate use.

SHA384 certificates are not supported by mage; this request belongs to the deployment-tools repo.

Are you using a 64 bit version of mage?

@Tanya-Solyanik
Member

dotnet/deployment-tools#256 is a more appropriate repo to track update requests to mage. Thus closing this one.
