
signtool.exe cannot use certificate due to private key filter

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Critical
    • Component: ec2-plugin
    • Environment: Jenkins v2.1.68
      Amazon EC2 Plugin v1.42
      Windows 2016 Server
      signtool.exe from the Windows 10 SDK

      On our build servers we use signtool.exe to sign our artifacts.

      The same arguments are passed to signtool.exe each time, but it fails or passes sporadically due to our certificate not being used because of a "private key filter".

      We have been using this process for a while but we started seeing failures the morning of March 27, 2019.

      We start the signtool.exe process with the following arguments:
      `sign /fd sha256 /f "cert.p12" /p certPass /du hostSiteHere /v /debug /tr timeStampUrl "fileNames"`

      Specifications

      • signtool.exe is from the Windows 10 SDK
      • build servers are hosted in AWS as Windows 2016 Server EC2 instances
      • Jenkins (v2.1.68) runs the builds using the Amazon EC2 plugin (v1.42)

      The logs, depending on whether it passes or fails:

      • PASS
        ```
        The following certificates were considered:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        After EKU filter, 1 certs were left.
        After expiry filter, 1 certs were left.
        After Private Key filter, 1 certs were left.
        The following certificate was selected:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        The following additional certificates will be attached:
        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires: Sun Oct 22 12:00:00 2028
        SHA1 hash: digiCertSigningSha1Hash
        Done Adding Additional Store
        ```
      • FAIL
        ```
        The following certificates were considered:
        Issued to: myCompany, Inc.
        Issued by: DigiCert SHA2 Assured ID Code Signing CA
        Expires: Wed Oct 30 12:00:00 2019
        SHA1 hash: myCertSha1Hash
        After EKU filter, 1 certs were left.
        After expiry filter, 1 certs were left.
        After Private Key filter, 0 certs were left.
        No certificates were found that met all the given criteria.
        ```

      Odd behaviors to note:

      • the same EC2 instance can work successfully and then fail later
      • an EC2 instance that is failing may start working if a user RDPs into the EC2 instance
      • the same certificate, signtool.exe and arguments are being passed every time
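The two `/debug` excerpts quoted in the report differ only in the "After Private Key filter" line, which is easy to miss in a long build log. The following is an added example (not code from the reporter or the ec2-plugin project) that parses signtool's `/debug` filter output into a structured result, so a CI step can distinguish "no usable private key in this session" from an EKU or expiry rejection and fail with a specific message instead of a generic "No certificates were found". The two sample logs are constructed from the lines quoted above; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample inputs: the PASS and FAIL excerpts quoted in the report.
PASS_LOG = """\
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
Done Adding Additional Store
"""

FAIL_LOG = """\
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
No certificates were found that met all the given criteria.
"""

# "After <filter> filter, <n> certs were left."  (signtool /debug format)
FILTER_RE = re.compile(r"^After (?P<name>.+?) filter, (?P<count>\d+) certs? were left\.$")
SHA1_RE = re.compile(r"^SHA1 hash: (?P<hash>\S+)$")
SELECTED_LINE = "The following certificate was selected:"


def parse_signtool_debug(text: str) -> Dict[str, object]:
    """Extract per-filter survivor counts, the first filter that dropped to zero,
    the SHA1 hashes of the certificates signtool considered, and whether one was selected."""
    counts: Dict[str, int] = {}
    rejected_by: Optional[str] = None
    considered: List[str] = []
    selected = False
    for raw in text.splitlines():
        line = raw.strip()
        m = FILTER_RE.match(line)
        if m:
            n = int(m.group("count"))
            counts[m.group("name")] = n
            if n == 0 and rejected_by is None:
                rejected_by = m.group("name")
            continue
        if line == SELECTED_LINE:
            selected = True
            continue
        m = SHA1_RE.match(line)
        if m and not selected:
            considered.append(m.group("hash"))
    return {
        "counts": counts,
        "rejected_by": rejected_by,
        "considered": considered,
        "selected": selected,
    }


def diagnose(text: str) -> str:
    """Map a signtool /debug excerpt to a short, actionable classification for a CI step."""
    result = parse_signtool_debug(text)
    if result["selected"]:
        return "ok"
    if not result["counts"]:
        return "no-debug-output"  # run signtool with /debug to get the filter trace
    rejected = result["rejected_by"]
    if rejected == "Private Key":
        # The cert matched EKU and expiry but its private key was not usable in this
        # session: check key/profile availability for the account running the job.
        return "private-key-unavailable"
    if rejected == "EKU":
        return "wrong-eku"
    if rejected == "expiry":
        return "expired"
    return "rejected-by-%s" % rejected if rejected else "unknown"


if __name__ == "__main__":
    for label, log in (("PASS", PASS_LOG), ("FAIL", FAIL_LOG)):
        print(label, diagnose(log), parse_signtool_debug(log)["counts"])
```

Pipe the captured signtool output through `diagnose` and fail the build step on anything other than `"ok"`; the classification tells the on-call engineer which filter step to look at, which is the information the sporadic failures in this report hinge on.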

            Assignee: thoulen (Fabrizio Manfredi)
            Reporter: dfrank (David Frank)
            Votes: 0
            Watchers: 1