Skip to content

ClickOnce EV code sign with USB HSM add support for EDCSA keys #256

Description

@RhomGit

Description

I am manually signing application manifest via mage.exe or mageui.exe.
I have an EVCS from a CA issued on a USB HSM (Yubikey).
signtool.exe has signed the executable correctly using the HSM.
mage.exe is reporting "This certificate does not contain a private key"
mageui.exe is asking for a Certificate file which I don't have.
image

To Reproduce

Try and sign a manifest file using a USB HSM.

.\mage.exe -Sign "C:\my_app.exe.manifest" -csp "Microsoft Smart Card Key Storage Provider" -kc "9b5…" -CertHash "c15…"

Exceptions (if any)

"This certificate does not contain a private key"

Configuration

C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8.1 Tools>

Other information

I have a ticket open with Visual Studio here: https://developercommunity.visualstudio.com/t/ClickOnce-EV-Signing-with-HSM/10278648

I can use signtool to successfully use the HSM for EVCS. This works and I just need mage to do the same. I run the following in PowerShell which prompts for PIN and works perfectly:

cd "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64"
.\signtool.exe sign /fd sha256 /tr http://ts.ssl.com /td sha256 /n "UniqueStringInMyCertificate" "C:\My.exe"

Some others have reverse engineered mage to get this working: https://stackoverflow.com/questions/54752638/mage-exe-manifest-signing-with-certificate-stored-in-aws-cloudhsm

I am happy to help give more feedback/troubleshooting to help resolve this issue. It is affecting many of our clients (today has been awful) as its been sitting triaged for 3 weeks in the other forum and this looks like the appropriate repo for mage. Thanks

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions