Digicert and Google Cloud KMS - Oauth2?? #335
Replies: 2 comments 6 replies
Are you sure the authentication token is still valid?
I followed through this guide And this Guide: And installed this for authentication: Plus maybe some more. I got lost by all the tools I installed in trying to get it running. There was definitely another tool I ran or installed for authentication but I don't know which anymore.
I don't manage to get jsign to work; a similar command with signtool works without problems. I authenticated using the Google CNG Provider. My problem is that signtool frequently crashes if it runs several instances simultaneously (was okay using pfx but not with cloud hosted key). With jsign however I get stuck:
I already tried using the full pem and using only the private crt (as for signtool); also, removing /cryptoKeyVersions/1 from the alias doesn't change much (then the error starts with jsign: Failed to retrieve the private key from the keystore )
Could someone give a step by step how to authenticate jsign with Google HSM?
```
C:\Users\me >java -jar C:\jsign-7.4.jar --verbose --storetype GOOGLECLOUD --storepass "%GOOGLE_TOKEN%" --keystore "projects/XXX/locations/global/keyRings/XXX_Keyring" --alias Sectigo_Key/cryptoKeyVersions/1 --certfile C:\mycert.crt --tsaurl http://timestamp.sectigo.com C:\test.exe
Adding Authenticode signature to C:\test.exe
jsign: Couldn't sign C:\test.exe
net.jsign.bouncycastle.operator.RuntimeOperatorException: exception obtaining signature: java.security.GeneralSecurityException: java.io.IOException: 401 - UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(JcaContentSignerBuilder.java:249)
at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(SignerInfoGenerator.java:176)
at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generateSignerInfo(CMSSignedDataGenerator.java:247)
at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(CMSSignedDataGenerator.java:186)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.getSignerInfo(AuthenticodeSignedDataGenerator.java:56)
at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:43)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:393)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:370)
at net.jsign.SignerHelper.sign(SignerHelper.java:475)
at net.jsign.SignerHelper.execute(SignerHelper.java:325)
at net.jsign.JsignCLI.execute(JsignCLI.java:229)
at net.jsign.JsignCLI.main(JsignCLI.java:58)
Caused by: java.security.SignatureException: java.security.GeneralSecurityException: java.io.IOException: 401 - UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at net.jsign.jca.SigningServiceSignature.engineSign(SigningServiceSignature.java:48)
at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1410)
at java.base/java.security.Signature.sign(Signature.java:713)
at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(JcaContentSignerBuilder.java:245)
... 11 more
Caused by: java.security.GeneralSecurityException: java.io.IOException: 401 - UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at net.jsign.jca.GoogleCloudSigningService.sign(GoogleCloudSigningService.java:201)
at net.jsign.jca.SigningServiceSignature.engineSign(SigningServiceSignature.java:46)
... 14 more
Caused by: java.io.IOException: 401 - UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
at net.jsign.jca.RESTClient.query(RESTClient.java:190)
at net.jsign.jca.RESTClient.post(RESTClient.java:74)
at net.jsign.jca.GoogleCloudSigningService.sign(GoogleCloudSigningService.java:196)
... 15 more
```
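An added example, not written by anyone in this thread and not part of jsign: a pre-flight check for the value passed to `--storepass`, following up on the question of whether the token is still valid. It assumes the token is looked up at Google's OAuth 2 tokeninfo endpoint; `fetch_tokeninfo`, `diagnose_token` and the sample responses are hypothetical names and constructed data.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
# OAuth scopes that cover Cloud KMS calls.
KMS_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloudkms",
}


def fetch_tokeninfo(token):
    """Ask the tokeninfo endpoint about an access token (needs network)."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": token})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)  # rejected tokens come back as a JSON error body


def diagnose_token(token, info, min_seconds=120):
    """Return reasons the token would fail; an empty list means it looks usable."""
    problems = []
    if not token:
        return ["token is empty (variable unset inside a batch file?)"]
    if re.fullmatch(r"%\w+%", token):
        # An interactive cmd.exe prompt leaves an undefined %VAR% as literal text.
        return ["cmd.exe left %s unexpanded: the variable is not set" % token]
    if token != token.strip():
        problems.append("token has leading/trailing whitespace or a newline")
    if "error" in info:
        problems.append("tokeninfo rejected the token: %s"
                        % info.get("error_description", info["error"]))
        return problems
    if int(info.get("expires_in", 0)) < min_seconds:
        problems.append("token expires in under %d seconds" % min_seconds)
    if not KMS_SCOPES & set(info.get("scope", "").split()):
        problems.append("token lacks a Cloud KMS scope")
    return problems


# Constructed tokeninfo responses (not captured from a real account).
SAMPLE_OK = {"expires_in": "3480",
             "scope": "openid https://www.googleapis.com/auth/cloud-platform"}
SAMPLE_EXPIRED = {"error": "invalid_token", "error_description": "Invalid Value"}
```

Against a live token, `diagnose_token(tok, fetch_tokeninfo(tok))` returns an empty list when the token is present, unexpired and scoped for Cloud KMS.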