"No signature found"/"No signature was present in the subject" when signing exe

Hi,

Firstly - thanks for your amazing work on jsign. It’s exactly what we need!

We’re trying to sign a Windows exe using a SHA512 key stored in Google KMS and with an EV certificate from GlobalSign, but the digital signature on the exe has the “No signature was present in the subject” message, and verifying with SignTool reports “No signature found”.

I’m running jsign from code, having cloned the repo a couple of days ago.

We created a key like this:

gcloud kms keys create focal-point-code-signing-key \
--keyring code-signing-ring \
--location europe-west2 \
--purpose asymmetric-signing \
--protection-level hsm \
--default-algorithm rsa-sign-pss-4096-sha512

gcloud kms keys versions \
get-public-key 1 \
--location europe-west2 \
--keyring code-signing-ring \
--key focal-point-code-signing-key \
--output-file ./focal-point-code-signing-key.pub

and a CSR using https://github.com/mattes/google-cloud-kms-csr, which we used to get our certificate from GlobalSign. The certificate itself has a signature algorithm of sha256WithRSAEncryption but my understanding is that this doesn’t need to match the signature algorithm we use to sign the exe?

We’re using the following parameters with jsign:

--storetype "GOOGLECLOUD" \
--storepass <token>
--keystore projects/waives-service/locations/europe-west2/keyRings/code-signing-ring
--alias projects/waives-service/locations/europe-west2/keyRings/code-signing-ring/cryptoKeys/focal-point-code-signing-key/cryptoKeyVersions/1
--tsaurl http://timestamp.globalsign.com/tsa/r6advanced1
--tsmode RFC3161
--alg SHA-512
--certfile /home/mark/code/code-signing/focal-point-code-signing-certificate.cer
<file-to-sign.exe>

Do you have any ideas about what could be going on, or suggestions about how we could investigate? We don’t currently have a thread to pull on.

Really appreciate all your work, and any suggestions you might have!

Thanks,

Mark