Sign a file exe windows - Convert .pem to pfx - powershell

I am trying to sign a .exe file and I have a certificate and private key in .pem format.
I convert my cert to .pfx format using openssl:
openssl pkcs12 -export -in "cert.pem" -inkey "key.pem" -out certificate.pfx -certfile "CA.cer"
Then I try signing with signtool:
signtool sign /f "certificate.pfx" /p mypass /t http://timestamp.comodoca.com/authenticode "app.exe"
But I get the following error:
SignTool Error: No certificates were found that met all the given criteria.
Reference
Signing .exe with .cer file (what is my certificate's name that signtool.exe is asking for?)
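A diagnostic to run against the PFX before calling signtool, added here as an example and not part of the original question. By default signtool only considers certificates that carry a private key and are valid for code signing, so the script lists, for every end-entity certificate in the container, whether it has a private key and whether its Extended Key Usage includes Code Signing (OID 1.3.6.1.5.5.7.3.3). It assumes the certificate.pfx and password mypass from the question and the PKI module's Get-PfxData cmdlet (Windows 8 / Server 2012 or later).

```powershell
# Added diagnostic (not from the original post): inspect what the PFX actually contains
# before handing it to signtool. Assumptions: certificate.pfx and the password "mypass"
# are the ones from the question; Get-PfxData comes from the built-in PKI module.

function Test-CodeSigningPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force

    # Get-PfxData unpacks the container in memory without importing anything into a
    # certificate store, so running this leaves no trace on the build machine.
    $pfx = Get-PfxData -FilePath (Resolve-Path -LiteralPath $PfxPath).Path -Password $secure

    foreach ($cert in $pfx.EndEntityCertificates) {
        # Collect the EKU OIDs, if the certificate has an EKU extension at all.
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })

        # CryptoAPI treats a certificate with no EKU extension as valid for every purpose;
        # one that has an EKU extension must list Code Signing explicitly.
        $validForCodeSigning = ($eku.Count -eq 0) -or ($eku -contains $codeSigningOid)

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            HasPrivateKey       = $cert.HasPrivateKey
            ValidForCodeSigning = $validForCodeSigning
            EkuOids             = ($eku -join ', ')
            NotAfter            = $cert.NotAfter
            ChainCertsIncluded  = $pfx.OtherCertificates.Count
        }
    }
}

# Usage: a certificate signtool will pick must show HasPrivateKey and ValidForCodeSigning
# both True. If HasPrivateKey is False, re-check the -inkey file given to openssl pkcs12;
# if ValidForCodeSigning is False, the certificate was not issued for code signing.
# Test-CodeSigningPfx -PfxPath .\certificate.pfx -Password mypass | Format-List
```

If the listing shows the expected certificate with both flags True and signtool still refuses it, the remaining default criteria are validity period and chain building, which the NotAfter column and the number of chain certificates carried in the PFX help narrow down.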

Related

How do I execute a command with a new .exe in powershell

I want to decrypt a file that is AES encrypted, with a script in PowerShell. To decrypt it I want to use an OpenSSL binary that the script downloads automatically.
When I execute openssl.exe with start-Process -FilePath "$pwd\openssl\openssl.exe", a new cmd window opens and I can enter my command there to decrypt the file (which works; I have tested it).
So my question:
Is there a way to execute the command openssl aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new with the .exe without having to manually input it into the new window?
Yes, try this:
& ".\openssl\openssl.exe" aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new
Using Start-Process, you can pass the parameters with -ArgumentList:
Start-Process -FilePath "$pwd\openssl\openssl.exe" -ArgumentList "aes-256-cbc -d -a -in secrets.txt.enc -out secrets.txt.new"
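A fuller version of the call-operator approach from the answer above, added here as an example and not part of the original answer. It wraps the openssl.exe invocation in a function, supplies the passphrase through an environment variable (OpenSSL's -pass env:NAME form) so it never appears on the command line or in the PowerShell history, and turns a non-zero exit code into a PowerShell error instead of silently producing an empty output file. It assumes openssl.exe sits under .\openssl\ as in the question and that the file was encrypted with the same aes-256-cbc -a settings the question uses.

```powershell
# Added example (not from the original post): run openssl.exe non-interactively from
# PowerShell. Assumptions: openssl.exe lives under .\openssl\ (as in the question), the
# input was produced by "openssl aes-256-cbc -a", and the passphrase is supplied by the
# caller. Function and variable names here are illustrative, not part of the original.

function Invoke-OpenSslDecrypt {
    param(
        [Parameter(Mandatory)] [string] $InputFile,
        [Parameter(Mandatory)] [string] $OutputFile,
        [Parameter(Mandatory)] [string] $Passphrase,
        [string] $OpenSsl = (Join-Path $PWD 'openssl\openssl.exe')
    )

    if (-not (Test-Path -LiteralPath $OpenSsl)) {
        throw "openssl.exe not found at $OpenSsl"
    }

    # OpenSSL reads the passphrase from the named environment variable (-pass env:NAME),
    # so it is never part of the process command line.
    $env:OPENSSL_PASS = $Passphrase
    try {
        # The call operator (&) runs the exe in the current console. Each array element
        # becomes one argument, so paths containing spaces need no manual quoting.
        $argList = @('aes-256-cbc', '-d', '-a',
                     '-in', $InputFile, '-out', $OutputFile,
                     '-pass', 'env:OPENSSL_PASS')
        & $OpenSsl @argList

        # openssl signals a wrong passphrase or corrupt ciphertext with a non-zero exit code
        # ("bad decrypt"); $LASTEXITCODE is the only reliable way to see it from PowerShell.
        if ($LASTEXITCODE -ne 0) {
            throw "openssl exited with code $LASTEXITCODE (wrong passphrase or corrupt input?)"
        }
    }
    finally {
        Remove-Item Env:\OPENSSL_PASS -ErrorAction SilentlyContinue
    }

    Get-Item -LiteralPath $OutputFile
}

# Usage:
# Invoke-OpenSslDecrypt -InputFile .\secrets.txt.enc -OutputFile .\secrets.txt.new -Passphrase (Read-Host 'Passphrase')
```

Start-Process with -ArgumentList also works, but it returns before the child exits unless -Wait is given and does not set $LASTEXITCODE; the call operator keeps the exit code and the console output in the calling script, which is what a decrypt step in a larger script needs.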

Why does mage.exe need administrative privileges to access a certificate, but signtool.exe does not

I'm making a CI build task in PowerShell to sign an assembly and the manifest with signtool and mage.
It works great, except that I have to run PowerShell as Administrator to get mage to accept the certificate. What I find really strange is that signtool can use the same certificate without privileges.
The certificate is a .pfx file.
Script:
signtool sign /f $certPath /p $certPassword /q /t $timestampUri "Example.dll"
mage -s "Example.dll.manifest" -CertFile $certPath -Password $certPassword -ti $timestampUri
Without privileges:
Done Adding Additional Store
Successfully signed and timestamped: Example.dll
Unable to open certificate "D:\example.pfx":
Access denied.
With privileges:
Done Adding Additional Store
Successfully signed and timestamped: Example.dll
Example.dll.manifest successfully signed
Does anyone know what is going on here?
Edit:
I used Procmon as advised. Log below in CSV:
Procmon logs

How to delete multiple certs from keystore

I have one keystore which has around 30 certificates; I want to delete most of them.
How can I do it, rather than running keytool -delete -alias <AliasName> -keystore keystore.jks?
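One way to do the bulk deletion, added here as an example and not part of the original question: let keytool itself enumerate the aliases, then delete every alias that is not on a keep-list. It assumes keytool is on PATH, that "keytool -list -v" prints one "Alias name: <alias>" line per entry (it does for both PrivateKeyEntry and trustedCertEntry), and that the store password is passed in by the caller; the function and parameter names are illustrative.

```powershell
# Added example (not from the original post): remove all but a keep-list of aliases from a
# JKS keystore by driving keytool from PowerShell. Assumptions: keytool.exe is on PATH and
# "keytool -list -v" emits one "Alias name: <alias>" line per entry.

function Remove-KeystoreAliases {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Keystore,
        [Parameter(Mandatory)] [string] $StorePass,
        [string[]] $Keep = @()
    )

    # keytool -delete rewrites the store in place and cannot be undone, so back it up first.
    Copy-Item -LiteralPath $Keystore -Destination "$Keystore.bak" -Force

    $listing = & keytool -list -v -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed with exit code $LASTEXITCODE" }

    # Pull the alias out of each "Alias name: ..." line.
    $aliases = @($listing | ForEach-Object {
        if ("$_" -match '^Alias name:\s*(.+?)\s*$') { $Matches[1] }
    })

    foreach ($alias in $aliases) {
        if ($Keep -contains $alias) { continue }
        # -WhatIf / -Confirm support comes from SupportsShouldProcess, so the caller can
        # dry-run the list of deletions before touching the store.
        if ($PSCmdlet.ShouldProcess($alias, 'keytool -delete')) {
            & keytool -delete -alias $alias -keystore $Keystore -storepass $StorePass
            if ($LASTEXITCODE -ne 0) { throw "could not delete alias '$alias'" }
        }
    }

    # Return the remaining entries so the caller can confirm what survived.
    & keytool -list -keystore $Keystore -storepass $StorePass
}

# Dry run first, then for real (keep-list and password are placeholders):
# Remove-KeystoreAliases -Keystore .\keystore.jks -StorePass changeit -Keep 'myserver','rootca' -WhatIf
# Remove-KeystoreAliases -Keystore .\keystore.jks -StorePass changeit -Keep 'myserver','rootca'
```

Keytool aliases are case-insensitive and are reported in lower case by -list, so put the keep-list entries in lower case too. Deleting aliases is far cheaper than the alternative of exporting the entries you want and building a fresh store, and the .bak copy makes a mistake recoverable.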

Signtool error The specified PFX password is not correct

I have a new certificate from DigiCert (.pfx file) which, when I try to use it for signing, gives the error "The specified PFX password is not correct". However the password works fine when installing it locally. I have tried without specifying a password, without success. The certificate was given to me by another person who purchased it.
Thanks
I had the same issue but solved it by removing " from the password.
Before: signtool.exe sign /f mycert.pfx /p "password" /v /t http://... "application.exe"
After: signtool.exe sign /f mycert.pfx /p password /v /t http://... application.exe
I had the same issue as well when trying to sign dll files with post-build events in Visual Studio. I found out that the issue was having special characters like percentage sign (%) and comma (,) in the password. I fixed it after setting a new password without those special characters.
I hope this helps
Another possible issue is that the encryption of the PFX could be unrecognized; for example, a newer SHA256-encrypted cert cannot be used to sign on older SDKs.
See related SO answers:
signtool - the specified PFX password is not correct from new machine
and
Why I get "The specified PFX password is not correct" when trying to sign application with signtool?
I had the same issue in Azure Devops where I was using a Command Line task:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe" sign /f "D:\Cert\CodeSigning.pfx" /p %_pwd123_% /d "" /du "" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 "D:\Build\Installer.msi"
This resulted in 'The specified PFX password is incorrect'.
But I was able to take the actual script command from the failed pipeline, copy it into a cmd prompt on the build machine and run it (without any changes) successfully.
I also tried creating a pipeline variable as I've seen others do and use that in the command like $(pfxPwd). That also seemed to translate perfectly when run but still failed.
The solution was to use the pipeline variable but include it in the command like this instead: %pfxPwd%
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe" sign /f "D:\Cert\CodeSigning.pfx" /p %pfxPwd% /d "" /du "" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 "D:\Build\Installer.msi"
Perhaps this trouble was caused by the password beginning and ending with %.
But since this certificate and password came from IT, there were no other options.
Note: I later discovered that if I change the variable type to 'secret' it no longer works.
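The answers above attribute the error to quoting, to special characters such as % and comma, to unsupported PFX encryption, and to how a pipeline expands variables. The following script, added here as an example and not taken from any of the answers or from signtool's documentation, separates those causes: it first opens the PFX with the same password through .NET, which throws if the password itself is wrong, then invokes signtool with an argument array so that the password reaches it as a single argv entry with no shell expansion of % or stripping of quotes, and finally verifies the signature with Get-AuthenticodeSignature. It assumes signtool.exe is on PATH (override $SignTool otherwise), uses a constructed password containing %, a comma and a quote, and uses the Comodo RFC 3161 timestamp URL quoted in the Azure DevOps answer.

```powershell
# Added example (not from the original post): call signtool from PowerShell without any
# shell quoting in the way, after proving the PFX password is right, and verify the result.
# Assumptions: signtool.exe is on PATH, the password 'p%ss,w"rd' is a constructed stand-in,
# and the timestamp URL is the one from the Azure DevOps answer above.

function Invoke-Authenticode {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string[]] $File,
        [string] $TimestampUrl = 'http://timestamp.comodoca.com/?td=sha256',
        [string] $SignTool = 'signtool.exe'
    )

    # 1. Prove the password opens the container. A wrong password throws here with
    #    "The specified network password is not correct", the same CryptoAPI condition
    #    signtool reports as "The specified PFX password is not correct". If this succeeds
    #    and signtool still complains, the password is being mangled on its way to signtool.
    $probe = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path -LiteralPath $PfxPath).Path, $Password
    Write-Verbose "PFX opens; signer $($probe.Subject), private key present: $($probe.HasPrivateKey)"

    # 2. Build the arguments as an array. Each element is passed as one argv entry, so
    #    cmd.exe-style %VAR% expansion and quote stripping never happen.
    $signArgs = @('sign', '/f', $PfxPath, '/p', $Password,
                  '/fd', 'sha256', '/tr', $TimestampUrl, '/td', 'sha256') + $File
    & $SignTool @signArgs
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

    # 3. Verify from PowerShell's side: the status must be Valid and the signer must be the
    #    certificate that was in the PFX, not some other certificate from a local store.
    foreach ($f in $File) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $probe.Thumbprint) {
            throw "$f : signature status $($sig.Status), signer $($sig.SignerCertificate.Thumbprint)"
        }
        $sig
    }
}

# Usage with the constructed password; in a pipeline read it from a secret variable mapped
# into the environment (for example $env:PFX_PWD) rather than embedding it in the script.
# Invoke-Authenticode -PfxPath D:\Cert\CodeSigning.pfx -Password 'p%ss,w"rd' -File D:\Build\Installer.msi -Verbose
```

Because the password never passes through cmd.exe, a value that begins and ends with % is handled exactly like any other string, which is the situation the Azure DevOps answer ran into with a Command Line task. The same argument-array pattern applies to the signtool call in the mage question above.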

unable to generate a keystore from an existing certificate file

I've lost the keystore file that was used to make the release build for an Android app, but I have the certificate file. Now I want to generate a new keystore from this existing certificate file, but I'm unable to do that because I've forgotten the alias name that was set when the keystore was created for the first time. Is there a way that I can use the same certificate file and generate a new keystore? I have tried the following command but it didn't work.
keytool -import -alias foo -file certfile.cer -keystore publicKey.store
Does this link help?
Generate a keystore using following command:
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
Import CER file in java keystore:
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"