Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Using SHA256 with Authenticode
See original GitHub issueI can get jsign and signtool to work for SHA-1 signing as follows:
signtool.exe sign /f codesigning.pfx /p %CODESIGN_PASS% /t http://timestamp.comodoca.com/authenticode tosign.exe`
PESignerCLI --keystore codesigning.pfx --storepass %CODESIGN_PASS% --alg SHA-1 --tsmode Authenticode tosign.exe
But for SHA-256, signtool works but JSign fails.
signtool.exe sign /f codesigning.pfx /p %CODESIGN_PASS% /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 tosign.exe
PESignerCLI --keystore codesigning.pfx --storepass %CODESIGN_PASS% --alg SHA-256 --tsmode RFC3161 tosign.exe
In the case of SHA-256, JSign completes without error, and the executable gets a little bigger, but Windows 10 fails to recognize the cert. It does recognize the cert when signed by signtool.
I’m using the latest code from master, which seems to include SHA-256 and RFC3161. I get the same behavior if I update to BouncyCastle 1.53. Is this related to Issue #7? Any tips?
Issue Analytics
- State:
- Created 8 years ago
- Comments:10 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
To complete my concerns:
Here is how to get the alias name from the pfx file: keytool -v -list -storetype pkcs12 -keystore “your pfx.pfx” > keyfile.txt
keytool is shipped with java
I confirm that a SHA256 signature with a SHA1 authenticode timestamp works. So this issue is actually a duplicate of the issue #7, jsign doesn’t support RFC3161 timestamps yet.