Jenkins issue tracker: JENKINS-56800

signtool.exe cannot use certificate due to private key filter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not A Defect
    • Component/s: ec2-plugin
    • Environment:
      Jenkins v2.1.68
      Amazon Ec2 Plugin v1.42
      Windows 2016 server
      signtool.exe from windows 10 sdk

      Description

      On our build servers we use signtool.exe to sign our artifacts.

      The same arguments are passed to signtool.exe each time, but it fails or passes sporadically due to our certificate not being used because of a "private key filter".

      We have been using this process for a while but we started seeing failures the morning of March 27, 2019.

      We start the signtool.exe process with the following arguments:
      `sign /fd sha256 /f "cert.p12" /p certPass /du hostSiteHere /v /debug /tr timeStampUrl "fileNames"`

      Specifications

      • signtool.exe is from the windows 10 sdk
      • build servers are hosted in AWS as windows 2016 server ec2 instances
      • jenkins (v2.1.68) runs the builds using the amazon ec2 plugin (v1.42)

      The logs, depending on whether it passes or fails:

      • PASS
        ```
        The following certificates were considered:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        After EKU filter, 1 certs were left.
        After expiry filter, 1 certs were left.
        After Private Key filter, 1 certs were left.
        The following certificate was selected:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        The following additional certificates will be attached:
        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires: Sun Oct 22 12:00:00 2028
        SHA1 hash: digiCertSigningSha1Hash
        Done Adding Additional Store
        ```
      • FAIL
        ```
        The following certificates were considered:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        After EKU filter, 1 certs were left.
        After expiry filter, 1 certs were left.
        After Private Key filter, 0 certs were left.
        No certificates were found that met all the given criteria.
        ```

      Odd behaviors to note:

      • the same ec2 instance can work successfully and then fail later
      • an ec2 instance failing may start working if a user RDPs into the ec2 instance
      • the same certificate, signtool.exe and arguments are being passed every time

          Activity

          dfrank David Frank added a comment -

          After further investigation we found that the issue was reproducible excluding Jenkins by using WinRM into the AWS EC2 instance and running the signtool.exe manually. Further, after replacing signtool.exe with powershell Set-AuthenticodeSignature we are able to avoid the issue. We are assuming that something has been modified between AWS EC2 startup and the windows instance to cause this defect.

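An added example (not from the issue or the ec2-plugin) of the Set-AuthenticodeSignature workaround described in the comment above, with the three checks that signtool's /debug output in the description reports (EKU, expiry, private key) made explicit, so a failing run names the filter that dropped the certificate instead of only "0 certs were left". The PFX path, password, timestamp URL and file names are placeholders taken from the issue's command line; that HasPrivateKey corresponds to what signtool's private key filter tests is an assumption.

```powershell
# Added example, not code from the issue or the ec2-plugin. Reproduces the
# EKU / expiry / private key filters signtool prints with /debug, then signs
# with Set-AuthenticodeSignature and verifies the result on disk.
# Placeholders: cert.p12, certPass, the timestamp URL and the file names.
function Invoke-CheckedSign {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string[]]$FileNames,
        [string]$TimestampUrl = 'http://timestamp.example.invalid'   # placeholder
    )
    $ErrorActionPreference = 'Stop'
    $secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
    $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    # Load the PFX for this session. HasPrivateKey then reflects whether the key
    # was actually imported (assumed to be what signtool's private key filter tests).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $secure, $flags

    # Filter 1: the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) must be present.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')) {
        throw "EKU filter: $($cert.Subject) lacks the Code Signing EKU"
    }
    # Filter 2: the certificate must be inside its validity window right now.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Expiry filter: $($cert.Subject) not valid at $now (expires $($cert.NotAfter))"
    }
    # Filter 3: the private key must be usable from this session (the one the issue hits).
    if (-not $cert.HasPrivateKey) {
        throw "Private Key filter: no usable private key for $($cert.Thumbprint) in this session"
    }

    # Sign, attaching the intermediate CA as signtool did ("additional certificates").
    $results = Set-AuthenticodeSignature -FilePath $FileNames -Certificate $cert `
        -HashAlgorithm SHA256 -IncludeChain NotRoot -TimestampServer $TimestampUrl
    foreach ($r in $results) {
        if ($r.Status -ne 'Valid') { throw "Signing $($r.Path) failed: $($r.Status) $($r.StatusMessage)" }
    }
    # Independent check of what was actually written to each file.
    Get-AuthenticodeSignature -FilePath $FileNames |
        Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}

# Usage with the placeholders from the issue's signtool command line:
# Invoke-CheckedSign -PfxPath 'cert.p12' -PfxPassword 'certPass' -FileNames 'app.exe', 'lib.dll'
```

Running this from the same WinRM session in which signtool fails shows whether the key is missing at load time (the third throw) or whether, as the comment reports, Set-AuthenticodeSignature succeeds where signtool does not.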

            People

            • Assignee: thoulen FABRIZIO MANFREDI
            • Reporter: dfrank David Frank
