Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Manifest file signing #118

Open
cxn-sjuhasz opened this issue Apr 1, 2022 · 9 comments
Open

Manifest file signing #118

cxn-sjuhasz opened this issue Apr 1, 2022 · 9 comments
Labels
enhancement

Comments

@cxn-sjuhasz
Copy link

https://docs.microsoft.com/en-us/windows/win32/sbscs/manifest-files-reference
https://docs.microsoft.com/en-us/windows/win32/sbscs/application-manifests
We are trying to sign such file, using jsign 4.0, with the above error.
It is an application manifest.
@ebourg
Copy link
Owner

ebourg commented Apr 3, 2022

This file format isn't supported by Jsign. As I understand it's a different signing scheme, even signtool doesn't support it. These files are signed with the Manifest Generation and Editing Tool (mage.exe) from Visual Studio.

For the reference, I've played a bit with this tool and signed a manifest, it looks like this:

<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0"
                xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v2"
                xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1"
                xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
                xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
                xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">
  <asmv1:assemblyIdentity name="Jsign.exe" version="1.0.0.0" publicKeyToken="ce7aed2aaa624904" language="neutral" processorArchitecture="msil" type="win32"/>
  <application/>
  <entryPoint>
    <co.v1:customHostSpecified/>
  </entryPoint>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet Unrestricted="true" ID="Custom" SameSite="site"/>
        <defaultAssemblyRequest permissionSetReference="Custom"/>
      </applicationRequestMinimum>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <dependency>
    <dependentOS>
      <osVersionInfo>
        <os majorVersion="4" minorVersion="10" buildNumber="0" servicePackMajor="0"/>
      </osVersionInfo>
    </dependentOS>
  </dependency>
  <dependency>
    <dependentAssembly dependencyType="preRequisite" allowDelayedBinding="true">
      <assemblyIdentity name="Microsoft.Windows.CommonLanguageRuntime" version="4.0.30319.0"/>
    </dependentAssembly>
  </dependency>
  <publisherIdentity name="CN=Jsign Code Signing Test Certificate" issuerKeyHash="16a2067191a8d42844971f95e71a5f8c9bbe2be0"/>
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
        <DigestValue>H9NRNAUDPXi1szcvYmfffyK8pIr4nsqWXoDp89Byb4A=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>FOQH5N35leiWIUG3GVlkPzjjF5Q9Lb+9tM8VnSXst1kpognyTzIxlkjwb7ltA9AAXdf1sfGAFchGceufRjMFT83az+zGkGWynyv78ifGnXsF3YYX2KBwbihKHPD2VB4Oh7QJ3zCitmGLVXJAe2Azkc0QPmoF3852mOfKDdhgm+4=</SignatureValue>
    <KeyInfo Id="StrongNameKeyInfo">
      <KeyValue>
        <RSAKeyValue>
          <Modulus>mjCKCiuR5NMShaTaiQHz1N+1mCiydQORuqh2YmrOlG+lWBkm4GeSiyKavfv1OoZV4yRhAa1/WOWgf77G93JvzFfavRv4paKCBbBbOCafRCCRAASRxT0aaNYmd53wIT4i9RZQx6YXU5AJsDdQj85e6aMle6gId+de0zW4kY8jFu0=</Modulus>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
      <msrel:RelData xmlns:msrel="http://schemas.microsoft.com/windows/rel/2005/reldata">
        <r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:as="http://schemas.microsoft.com/windows/pki/2005/Authenticode">
          <r:grant>
            <as:ManifestInformation Hash="806f72d0f3e9805e96ca9ef88aa4bc227fdf67622f37b3b5783d03053451d31f" Description="" Url="">
              <as:assemblyIdentity name="Jsign.exe" version="1.0.0.0" publicKeyToken="ce7aed2aaa624904" language="neutral" processorArchitecture="msil" type="win32"/>
            </as:ManifestInformation>
            <as:SignedBy/>
            <as:AuthenticodePublisher>
              <as:X509SubjectName>CN=Jsign Code Signing Test Certificate</as:X509SubjectName>
            </as:AuthenticodePublisher>
          </r:grant>
          <r:issuer>
            <Signature Id="AuthenticodeSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
              <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"/>
                <Reference URI="">
                  <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
                  <DigestValue>szXcFF+IuzECIWD73RG/khP29t3KDVdUh/vETVgtcl4=</DigestValue>
                </Reference>
              </SignedInfo>
              <SignatureValue>W00OX+6gm5Gsm+9+fzc6R4VbQB1WSBSQ4W5xNWA8/MFboPketco6RMt73U/URtV01OmgWKz+DqcvZL8VDw7RnYJ9tGyZ/or8lalJ5uhWrnlrqtoaEnShsWgl6W9pWk/vRuW0VA/NqQAqKdK1eTGOC2dYJj8PRmF9ml6Ug0JwxFE=</SignatureValue>
              <KeyInfo>
                <KeyValue>
                  <RSAKeyValue>
                    <Modulus>mjCKCiuR5NMShaTaiQHz1N+1mCiydQORuqh2YmrOlG+lWBkm4GeSiyKavfv1OoZV4yRhAa1/WOWgf77G93JvzFfavRv4paKCBbBbOCafRCCRAASRxT0aaNYmd53wIT4i9RZQx6YXU5AJsDdQj85e6aMle6gId+de0zW4kY8jFu0=</Modulus>
                    <Exponent>AQAB</Exponent>
                  </RSAKeyValue>
                </KeyValue>
                <X509Data>
                  <X509Certificate>MIICvDCCAaSgAwIBAgIJAP9OZxamrmcQMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMMFUpzaWduIENvZGUgU2lnbmluZyBDQTAeFw0xNzA2MTUxOTU1NTZaFw0zNzA2MTAxOTU1NTZaMC4xLDAqBgNVBAMMI0pzaWduIENvZGUgU2lnbmluZyBUZXN0IENlcnRpZmljYXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCaMIoKK5Hk0xKFpNqJAfPU37WYKLJ1A5G6qHZias6Ub6VYGSbgZ5KLIpq9+/U6hlXjJGEBrX9Y5aB/vsb3cm/MV9q9G/ilooIFsFs4Jp9EIJEABJHFPRpo1iZ3nfAhPiL1FlDHphdTkAmwN1CPzl7poyV7qAh3517TNbiRjyMW7QIDAQABo28wbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUKe9fHJxmCiML1BRgdczt0cV16R0wHwYDVR0jBBgwFoAUFqIGcZGo1ChElx+V5xpfjJu+K+AwDQYJKoZIhvcNAQELBQADggEBAIjNRVnxdn8QkUSwFONiIdEW+DvupbciSzMDbjvVUTeyKV92ibOpBOfqxuBYu2lyk7ZpAEV1aNaZG9C/2GPOHoUyz6JTHm3mZemaWgQ3lYJA5BIDwr5pqyxg82bpHw2FzcqDljWlmkerlj+orOpn7j/rq9wOXWNQbX2ajqspebyQnYyM/VxFyEdZ4XZswJNSYFTvRSwbxjXrR+icwJCJyBk3g+A+2TXWYIWnAscXTCvbewplUcL+va34nW3JwMWmdic/fkxTiv1eHleKMBPnUAjuL2U/gePbh6mRqb1FY7BHwOJDoyuXLXP54J7qHtJu/tfmB+6QzSEThgw7WwozARk=</X509Certificate>
                  <X509Certificate>MIIDQzCCAiugAwIBAgIJAJn0giloDEJZMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIEpzaWduIFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE3MDYxNTE5NTU1NloXDTM3MDYxMDE5NTU1NlowIDEeMBwGA1UEAwwVSnNpZ24gQ29kZSBTaWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt1aZaaj2zdGSa0VyaXfGISGQisn+O4kGxsvQCd5WnvGqEEtpyE56jE4vgWgxItwnqyj8aQam6vv5DpObm5oM/wyuHc/vJo5+1C5zrH0MnzoSphr4rrYUiATXL7IEL3iM8o/oISASienMTEDMFp5T9zPT9IpRwGsVimQpbaCZ+98hj8x2i02AnRyiOKmCAfEr5dgv5BHbz83KCw7nkrnZ4EdgK2hiHVWEq8R+Vs5CycMNgXqI9XIoe2D/anIO5071fQ320Tkax/yc6wAwN4+Y8N9HI8D6oxkVEGWzgfOHDp0EMiePOqAkYm2o9cJ0Zlmo/Bosb9sBm3xfcBQ8yb0dgQIDAQABo3UwczAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFqIGcZGo1ChElx+V5xpfjJu+K+AwHwYDVR0jBBgwFoAUZnvU8wtg+UqfBmLSQKbdkLTJ3eIwDQYJKoZIhvcNAQELBQADggEBAEZzTYMJKMpAy6roqLJ4pOW0OplgjbZuLosUWmLWsSA4FE34UlK9FV2loCuasSKDlMga8rcfNLR+TJY00J9+zIySWFgRbnz2MHM3epFgksxbkXFm9IX7Gc8eIRekDfAQwt4bhvYyDF0oe2eujYnrVhUo+6RHLCKQYMtqKiYsvzSHRqdSo3nAdJ7lSzoFH0N3T6KZyPox5A7kWNts8EyJcl+JNtGQS0Sja0TW+tdQMLbTQ81qyS5JcbNpO6OoQgWBPGeMyfvm8lMRnDVy91rk74ezbcOyesIQrAW85WYVDzyYH5TqIXTg5xDNr81AwAItQb5glWkTRgmoZGIYW/26CvE=</X509Certificate>
                </X509Data>
              </KeyInfo>
              <Object>
                <as:Timestamp>MIIRuAYJKoZIhvcNAQcCoIIRqTCCEaUCAQMxDzANBglghkgBZQMEAgEFADCBlAYLKoZIhvcNAQkQAQSggYQEgYEwfwIBAQYJYIZIAYb9bAcBMDEwDQYJYIZIAWUDBAIBBQAEIAA83xPbxTL3Q/Rs1vhtgB/tXp0M6yddRMBVMZMjixLtAhEAjo4nmOY3Q1SV8pDxysttlRgPMjAyMjA0MDMyMDA3MDBaAhiQLDSI2qPPOq0KrsK3uFTE+4ymMoafCR6ggg18MIIGxjCCBK6gAwIBAgIQCnpKiJ7JmUKQBmM4TYaXnTANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xOzA5BgNVBAMTMkRpZ2lDZXJ0IFRydXN0ZWQgRzQgUlNBNDA5NiBTSEEyNTYgVGltZVN0YW1waW5nIENBMB4XDTIyMDMyOTAwMDAwMFoXDTMzMDMxNDIzNTk1OVowTDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMSQwIgYDVQQDExtEaWdpQ2VydCBUaW1lc3RhbXAgMjAyMiAtIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC5KpYjply8X9ZJ8BWCGPQz7sxcbOPgJS7SMeQ8QK77q8TjeF1+XDbq9SWNQ6OB6zhj+TyIad480jBRDTEHukZu6aNLSOiJQX8Nstb5hPGYPgu/CoQScWyhYiYB087DbP2sO37cKhypvTDGFtjavOuy8YPRn80JxblBakVCI0Fa+GDTZSw+fl69lqfw/LH09CjPQnkfO8eTB2ho5UQ0Ul8PUN7UWSxEdMAyRxlb4pguj9DKP//GZ888k5VOhOl2GJiZERTFKwygM9tNJIXogpThLwPuf4UCyYbh1RgUtwRF8+A4vaK9enGY7BXn/S7s0psAiqwdjTuAaP7QWZgmzuDtrn8oLsKe4AtLyAjRMruD+iM82f/SjLv3QyPf58NaBWJ+cCzlK7I9Y+rIroEga0OJyH5fsBrdGb2fdEEKr7mOCdN0oS+wVHbBkE+U7IZh/9sRL5IDMM4wt4sPXUSzQx0jUM2R1y+d+/zNscGnxA7E70A+GToC1DGpaaBJ+XXhm+ho5GoMj+vksSF7hmdYfn8f6CvkFLIW1oGhytowkGvub3XAsDYmsgg7/72+f2wTGN/GbaR5Sa2Lf2GHBWj31HDjQpXonrubS7LitkE956+nGijJrWGwoEEYGU7tR5thle0+C2Fa6j56mJJRzT/JROeAiylCcvd5st2E6ifu/n16awIDAQABo4IBizCCAYcwDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwIAYDVR0gBBkwFzAIBgZngQwBBAIwCwYJYIZIAYb9bAcBMB8GA1UdIwQYMBaAFLoW2W1NhS9zKXaaL3WMaiCPnshvMB0GA1UdDgQWBBSNZLeJIf5WWESEYafqbxw2j92vDTBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGltZVN0YW1waW5nQ0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFgGCCsGAQUFBzAChkxodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRUcnVzdGVkRzRSU0E0MDk2U0hBMjU2VGltZVN0YW1waW5nQ0EuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQANLSN0ptH1+OpLmT8B5PYM5K8WndmzjJeCKZxDbwEtqzi1cBG/hBmLP13lhk++kzreKjlaOU7YhFmlvBuYquhs79FIaRk4W8+JOR1wcNlO3yMibNXf9lnLocLqTHbKodyhK5a4m1WpGmt90fUCCU+C1qVziMSYgN/uSZW3s8zFp+4O4e8eOIqf7xHJMUpYtt84fMv6XPfkU79uCnx+196Y1SlliQ+inMBl9AEiZcfqXnSmWzWSUHz0F6aHZE8+RokWYyBry/J70DXjSnBIqbbnHWC9BCIVJXAGcqlEO2lHEdPu6cegPk8QuTA25POqaQmoi35komWUEftuMvH1uzitzcCTEdUyeEpLNypM81zctoXAu3AwVXjWmP5UbX9xqUgaeN1Gdy4besAzivhKKIwSqHPPLfnTI/KeGeANlCig69saUaCVgo4oa6TOnXbeqXOqSGpZQ65f6vgPBkKd3wZolv4qoHRbY2beayy4eKpNcG3wLPEHFX41tOa1DKKZpdcVazUOhdbgLMzgDCS4fFILHpl878jIxYxYaa+rPeHPzH0VrhS/inHfypex2EfqHIXgRU4SHBQpWMxv03/LvsEOSm8gnK7ZczJZCOctkqEaEf4ymKZdK5fgi9OczG21Da5HYzhHF1tvE9pqEG4fSbdEW7QICodaWQR2EaGndwITHDCCBq4wggSWoAMCAQICEAc2N7ckVHzYR6z9KGYqXlswDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTEhMB8GA1UEAxMYRGlnaUNlcnQgVHJ1c3RlZCBSb290IEc0MB4XDTIyMDMyMzAwMDAwMFoXDTM3MDMyMjIzNTk1OVowYzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTswOQYDVQQDEzJEaWdpQ2VydCBUcnVzdGVkIEc0IFJTQTQwOTYgU0hBMjU2IFRpbWVTdGFtcGluZyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMaGNQZJs8E9cklRVcclA8TykTepl1Gh1tKD0Z5Mom2gsMyD+Vr2EaFEFUJfpIjzaPp985yJC3+dH54PMx9QEwsmc5Zt+FeoAn39Q7SE2hHxc7Gz7iuAhIoiGN/r2j3EF3+rGSs+QtxnjupRPfDWVtTnKC3r07G1decfBmWNlCnT2exp39mQh0YAe9tEQYncfGpXevA3eZ9drMvohGS0UvJ2R/dhgxndX7RUCyFobjchu0CsX7LeSn3O9TkSZ+8OpWNs5KbFHc02DVzV5huowWR0QKfAcsW6Th+xtVhNef7Xj3OTrCw54qVI1vCwMROpVymWJy71h6aPTnYVVSZwmCZ/oBpHIEPjQ2OAe3VuJyWQmDo4EbP29p7mO1vsgd4iFNmCKseSv6De4z6ic/rnH1pslPJSlRErWHRAKKtzQ87fSqEcazjFKfPKqpZzQmiftkaznTqj1QPgv/CiPMpC3BhIfxQ0z9JMq++bPf4OuGQq+nUoJEHtQr8FnGZJUlD0UfM2SU2LINIsVzV5K6jzRWC8I41Y99xh3pP+OcD5sjClTNfpmEpYPtMDiP6zj9NeS3YSUZPJjAw7W4oiqMEmCPkUEBIDfV8ju2TjY+Cm4T72wnSyPx4JduyrXUZ14mCjWAkBKAAOhFTuzuldyF4wEr1GnrXTdrnSDmuZDNIztM2xAgMBAAGjggFdMIIBWTASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBS6FtltTYUvcyl2mi91jGogj57IbzAfBgNVHSMEGDAWgBTs1+OC0nFdZEzfLmc/57qYrhwPTzAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwgwdwYIKwYBBQUHAQEEazBpMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQQYIKwYBBQUHMAKGNWh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3J0MEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRSb290RzQuY3JsMCAGA1UdIAQZMBcwCAYGZ4EMAQQCMAsGCWCGSAGG/WwHATANBgkqhkiG9w0BAQsFAAOCAgEAfVmOwJO2b5ipRCIBfmbW2CFC4bAYLhBNE88wU86/GPvHUF3iSyn7cIoNqilp/GnBzx0H6T5gyNgL5Vxb122H+oQgJTQxZ822EpZvxFBMYh0MCIKoFr2pVs8Vc40BIiXOlWk/R3f7cnQU1/+rT4osequFzUNf7WC2qk+RZp4snuCKrOX9jLxkJodskr2dfNBwCnzvqLx1T7pa96kQsl3p/yhUifDVinF2ZdrM8HKjI/rAJ4JErpknG6skHibBt94q6/aesXmZgaNWhqsKRcnfxI2g55j7+6adcq/Ex8HBanHZxhOACcS2n82HhyS7T6NJuXdmkfFynOlLAlKnN36TU6w7HQhJD5TNOXrd/yVjmScsPT9rp/Fmw0HNT7ZAmyEhQNC3EyTN3B14OuSereU0cZLXJmvkOHOrpgFPvT87eK1MrfvElXvtCl8zOYdBeHo46Zzh3SP9HSjTx/no8Zhf+yvYfvJGnXUsHicsJttvFXseGYs2uJPU5vIXmVnKcPA3v5gA3yAWTyf7YGcWoWa63VXAOimGsJigK+2VQbc61RWYMbRiCQ8KvYHZE/6/pNHzV9m8BPqC3jLfBInwAM1dwvnQI38AC+R2AibZ8GV2QqYphwlHK+Z/GqSFD/yYlvZVVCsfgPrA8g4r5db7qS9EFUrnEw4d2zc4GqEr9u3WfPwxggN2MIIDcgIBATB3MGMxCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5EaWdpQ2VydCwgSW5jLjE7MDkGA1UEAxMyRGlnaUNlcnQgVHJ1c3RlZCBHNCBSU0E0MDk2IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0ECEAp6SoieyZlCkAZjOE2Gl50wDQYJYIZIAWUDBAIBBQCggdEwGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJBTEPFw0yMjA0MDMyMDA3MDBaMCsGCyqGSIb3DQEJEAIMMRwwGjAYMBYEFIUI84ZRXLPTB322tLfAfxtKXkHeMC8GCSqGSIb3DQEJBDEiBCDRbsL08JcYwlKBdfaSLqq7Xq+PNkm/KkX49YxlWt3xIzA3BgsqhkiG9w0BCRACLzEoMCYwJDAiBCCdppAVw0nGwYl4Rbo1gq1wyI+kKTvbar6cK9JTknnmOzANBgkqhkiG9w0BAQEFAASCAgAVi8Uv4nnGRO43//E5QVG80Jy2fAm6mgzhRt9kjxDr4b4ELpYyU/eQsZAQjPPgh34xKIXg4YU76foJ6yUztaIsmf1dvVSGBi9RlE1oulVXVhBpNAa+p36JdKG6giiblvZ7JmSuIoMpmoEAmIbWX8lMxql2xccHu7Z+fgcFyat36yk+Y0wxSEN5I3q23/6BOdGMuRVT5WFyeELtUgxlGZRqj03AKjq5cCvMdtR42nD8n46aeVIV4Vlg2XHyCy1249j1u7jDBdPU0i7iXJ6Lv0+TPWURW6CoRgsxyh2o2Nf4N7KppvqKTfxB5j6+TTWe0pytB3PG9QjemY3C/W5jAzNDE6kKwPitSlKmgFKhlSVoFuXu4umqye+CI+GOJ4L0lOSLeM6dpxo8d7B7TMjA1sdPTNqe70p83Rf8OVsIakm8Qm0TcowsfC9hD/MaQDkI+ykInhKeC4OBinrv/taV2DLgSKeL7p25R6RTCHdQs+1fWkIA4oKN3EOORtOGfT6Dw8/rQqc2O/F/Wsug3apZ7+KHdXe9ZBlRB2l64F+7t27Lj3NikqqVE6LjmhOvkIAjAcC2iWmVegNgeRy4SrOi+EN3X6glECmkDpdt3N0NdFgQgrwotHxY7K5VbL/jnD9QsumxEOWXC3qc2X+L4BHEzFww+qSqg7gm5XLmfkKLvRagOQ==</as:Timestamp>
              </Object>
            </Signature>
          </r:issuer>
        </r:license>
      </msrel:RelData>
    </KeyInfo>
  </Signature>
</asmv1:assembly>

Files with this signature don't have a Digital Signature tab in the file properties (at least on Windows 10).

This kind of signature isn't an Authenticode signature. Even if Jsign is focused on Authenticode I don't mind supporting this format as well. But I won't have the time to work on it. If someone is interested in implementing it, I'll be happy to review and integrate it.

@ebourg ebourg changed the title jsign: Unsupported file: XXX.dll.manifest Manifest file signing Apr 3, 2022
@ebourg
Copy link
Owner

ebourg commented Apr 15, 2022

The generation of XML signatures in Java is documented here:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html

@cxn-sjuhasz
Copy link
Author

Tried to reach out to you in email, but never heard back.
The question was, what if we put money on the table?
If interested, you have my address in my profile.

@ebourg
Copy link
Owner

ebourg commented Feb 2, 2024

I've played a bit with the XML signature API, the code snippet below is enough to sign a file but I don't think it makes a valid manifest signature yet:

  • The <msrel:RelData> element is missing from the signature, I don't know if it's required
  • The SHA-1 hash of the public key has to be computed and inserted in the publicKeyToken attribute of the assemblyIdentity element
  • The publisherIdentity element must be added
KeyStore keystore = new KeyStoreBuilder().keystore("keystore.p12").storepass(password).build();
PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, password.toCharArray());
Certificate[] chain = keystore.getCertificateChain(alias);
PublicKey publicKey = keystore.getCertificate(alias).getPublicKey();

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
Document document = builder.parse(new FileInputStream("application.manifest"));

XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");

DigestMethod digestMethod = factory.newDigestMethod(DigestMethod.SHA256, null);
Transform transform = factory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
Reference ref = factory.newReference("", digestMethod, Collections.singletonList(transform), null ,null);

CanonicalizationMethod c14n = factory.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null);
SignatureMethod signatureMethod = factory.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null);
SignedInfo signedInfo = factory.newSignedInfo(c14n, signatureMethod, Collections.singletonList(ref));

// key info
KeyInfoFactory keyInfoFactory = factory.getKeyInfoFactory();
KeyValue keyValue = keyInfoFactory.newKeyValue(publicKey);
X509Data x509Data = keyInfoFactory.newX509Data(Arrays.asList(chain));
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Arrays.asList(keyValue, x509Data));

XMLSignature signature = factory.newXMLSignature(signedInfo, keyInfo, null, "StrongNameSignature", null);
signature.sign(new DOMSignContext(privateKey, document.getDocumentElement()));

TransformerFactory.newInstance().newTransformer().transform(new DOMSource(document), new StreamResult(System.out));

@macdanny
Copy link

macdanny commented May 6, 2024

I'm trying to figure this out myself. My use case is signing ClickOnce installers. The msrel:RelData element is definitely going to be required for that use case because that is where the Authenticode signature is, and Authenticode is the reason to sign ClickOnce installers in the first place.

The manifest has two signatures, one strong name signature which is used for integrity checking and the other Authenticode signature which is used for authentication. I'm not an expert in this, this is just what I've figured out so far. I suppose they're both signed by the same key because they have equal publicKeyToken values.

@ebourg
Copy link
Owner

ebourg commented May 7, 2024

Thank you for the info, I didn't realize there were two signature schemes.

I've found some references about strong name signatures:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2006/july/clr-inside-out-using-strong-name-signatures
https://learn.microsoft.com/en-us/dotnet/standard/assembly/create-use-strong-named

It's not clear to me if the strong name signature is expected to be created first with a different tool (sn.exe) and a specific key, and then Jsign would add the Authenticode signature, or if both signatures should be created by Jsign with the same key.

@macdanny
Copy link

macdanny commented May 7, 2024

That is not clear to me either. I'm not sure it needs to use the same key ... I'm not that familiar with dot net. In my previous reply I thought it did have to use the same key, because they have the same publicKeyToken, but I learned yesterday that the publicKeyToken is unrelated to the key you use for signing. It's a value that is taken from an XML attribute in the manifest of the assembly you're signing, at least for ClickOnce installers. If you have an existing DLL or EXE that is a dot net assembly, you can also get it by running sn -T <assembly>.

@macdanny
Copy link

macdanny commented May 7, 2024

I guess I just answered my own question. If you needed to use the same key, then the publicKeyToken value would change when you sign the ClickOnce installer, because you're signing it with your own key, not the vendor's key. But it doesn't. So the strong name signature I think is taken care of by the machinery of dot net and the important signature is the Authenticode signature.

@ROGG437063
Copy link

I have been investigating a similar use-case and microsoft recommends to do strong naming with a self-signed key, so I don't see why that would also be used for authenticode signatures as you would want to have a key backed by a Certificate Authority there.
I believe the dotnet sign cli (https://github.com/dotnet/sign) implements this signing when using a pfx or azure keyvault. Though it seems to still rely on mage.exe

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ebourg @macdanny @cxn-sjuhasz @ROGG437063