Error Signing File Error With New Entrust Time Stamp URL


Error Signing File Error With New Entrust Time Stamp URL

Post by dti.tony » Thu Oct 31, 2019 1:44 pm

We are running into issues code signing with the new Entrust time stamp URL - Sapien is unable to sign any of our scripts, but we can use Microsoft's SignTool to successfully sign files. We use a public PFX cert to sign, and this URL for timestamping: http://timestamp.entrust.net/TSS/RFC3161sha2TS . When we try signing in Sapien, it throws this error in Tools Output: "Error Signing File" - the signature code block is never added as a result. I need some assistance in determining the issue with using this timestamping URL, which is Entrust's standard (we called them to verify this is the only URL they currently support for timestamping). Thanks!


Product, version and build: 5.6.167
32 or 64 bit version of product: 64-bit
Operating system: Windows 10 1903
32 or 64 bit OS: 64-bit


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by brittneyr » Thu Oct 31, 2019 2:28 pm

I'm not sure why there would be an issue with signing. There is a setting in options to use an external signing tool:
[screenshot: SPS_ExternalSigningTool.png]
Make sure to use the following variable for the file path:
%File%

Example:

powershell.exe -Command "& { Set-AuthenticodeSignature -FilePath '%FILE%' -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] }"
Also, there were changes to our signing tool in build 168 to address another issue. I would recommend seeing if that fixes your issue.
Brittney Ryn
SAPIEN Technologies, Inc.


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by brittneyr » Thu Oct 31, 2019 3:35 pm

From further inspection of the URL you posted, it doesn't appear to be valid:
[screenshot: image (1).png]
Brittney Ryn
SAPIEN Technologies, Inc.


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by dti.tony » Fri Nov 01, 2019 5:24 am

Brittney, thanks for the reply. I dug for days for a workaround to this and finally got somewhere last night - your reply helped me come up with a workaround. This issue isn't because of the Sapien product itself, but a failure within the crypto module in PowerShell itself. The problem is related to your reply on the web server response. Per this post (https://github.com/PowerShell/PowerShell/issues/1752), the problem is that one of the crypto modules in PowerShell expects an octet reply from the server, but with Entrust's new server I believe it replies in MIME instead - PowerShell doesn't know how to handle that response and returns Unknown Error.

So to prove this, I was able to replicate this exact error using PowerShell and the command you provided:
$cert = @(Get-ChildItem cert:\CurrentUser\My -CodeSigning)[0]
Set-AuthenticodeSignature C:\MyScript.ps1 $cert -HashAlgorithm "sha256" -TimestampServer "http://timestamp.entrust.net/TSS/RFC3161sha2TS"

Since, per the GitHub post, this has been a problem since 2016, I decided to use signtool with Sapien for the time being, which works great! I really hope this saves someone else some time, but here is the command I ended up using - although it has a TON of escape characters because we need to pass all the double quotes for the signtool args (not sure if there is a more efficient way to write that code). Also note your version of signtool may differ depending on the SDK version you use - I recommend setting this as an environment variable so you don't need to put the whole path to signtool.exe in the command path:

powershell -WindowStyle Hidden -command "[string]$vArgs = \"sign /n `\"MyCert`\" /tr `\"http://timestamp.entrust.net/TSS/RFC3161sha2TS`\" /td SHA256 /fd sha256 /v `\"%FILE%`\"\"; Start-Process 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe' -ArgumentList $vArgs -NoNewWindow -Wait"
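The octet-versus-MIME mismatch described above can be checked directly. The following PowerShell script is an added diagnostic, not part of this thread or of SAPIEN's product: it builds a minimal RFC 3161 TimeStampReq, POSTs it to the Entrust URL from the post, and reports the Content-Type and whether the body is DER. It assumes outbound HTTP access to the TSA; the digest it stamps is a constructed placeholder.

```powershell
# Added diagnostic, not from the thread. Builds a minimal RFC 3161 TimeStampReq
# (SHA-256 imprint, certReq=TRUE), POSTs it to the TSA, and reports what came back.
param(
    [string]$TsaUrl = 'http://timestamp.entrust.net/TSS/RFC3161sha2TS'  # URL from the thread
)

function New-TimeStampRequest {
    param([byte[]]$Sha256Digest)
    if ($Sha256Digest.Length -ne 32) { throw 'Expected a 32-byte SHA-256 digest' }
    # AlgorithmIdentifier: SEQUENCE { OID 2.16.840.1.101.3.4.2.1 (sha256), NULL }
    $algId   = [byte[]](0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00)
    $hashed  = [byte[]](0x04,0x20) + $Sha256Digest      # hashedMessage OCTET STRING (32 bytes)
    $imprint = [byte[]](0x30,0x31) + $algId + $hashed   # MessageImprint, 49 bytes of content
    $version = [byte[]](0x02,0x01,0x01)                 # version INTEGER 1
    $certReq = [byte[]](0x01,0x01,0xff)                 # certReq BOOLEAN TRUE (ask for TSA cert)
    $body    = $version + $imprint + $certReq           # 57 bytes of content
    return [byte[]]([byte[]](0x30, $body.Count) + $body)  # TimeStampReq SEQUENCE
}

# Constructed placeholder: the SHA-256 of an empty input; any 32 bytes would do for a probe.
$digest  = [System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]]@())
$request = New-TimeStampRequest -Sha256Digest $digest

$resp = Invoke-WebRequest -Uri $TsaUrl -Method Post -ContentType 'application/timestamp-query' `
                          -Body $request -UseBasicParsing
$contentType = [string]$resp.Headers['Content-Type']
$bytes = $resp.RawContentStream.ToArray()
Write-Host "HTTP $($resp.StatusCode); Content-Type: $contentType; $($bytes.Length) bytes"

# RFC 3161 section 3.4: the reply is application/timestamp-reply carrying a DER
# TimeStampResp, whose first byte is 0x30 (SEQUENCE).
if ($contentType -notlike 'application/timestamp-reply*') {
    Write-Warning "Non-standard Content-Type '$contentType'; a strict client may reject this reply"
}
if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
    Write-Warning 'Body does not start with a DER SEQUENCE; the reply may be wrapped or encoded'
} else {
    Write-Host 'Body looks like a DER TimeStampResp'
}
```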


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by Alexander Riedel » Mon Nov 11, 2019 11:57 am

It's great that it works. I am curious why you are launching signtool.exe through PowerShell rather than launching it directly?
Also, is there any specific reason for using this particular time stamp server? It's only a time stamp, so I am curious why it has to be that particular one.
Please let us know if you can.
Alexander Riedel
SAPIEN Technologies, Inc.


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by dti.tony » Tue Nov 12, 2019 7:37 am

Alexander, the only reason I launched it via PowerShell is so we can better hide the PowerShell window (better user experience). The reason we wanted to use the Entrust one is that the public cert we have is signed by them - we wanted to keep everything under one "roof". Hopefully in the future the PowerShell folks at Microsoft will update the crypto module, but if not we have a functional workaround in either case with signtool for the foreseeable future.
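The signtool workaround can be kept as a script instead of a nested-quote one-liner, which also lets the signature be verified after signing. This is an added example, not code from the thread or from SAPIEN; the script path, the certificate subject and the SDK directory layout are assumptions, while the /n value and the timestamp URL come from the posts above.

```powershell
# Added example, not from the thread or SAPIEN. Wraps signtool.exe so it can be set as
# the external signing tool without escaped quotes, e.g. (assumed script location):
#   powershell.exe -NoProfile -WindowStyle Hidden -File C:\Tools\Sign-File.ps1 -Path "%FILE%"
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$CertSubject = 'MyCert',                                           # /n value from the thread
    [string]$TimestampUrl = 'http://timestamp.entrust.net/TSS/RFC3161sha2TS'  # URL from the thread
)

# Locate signtool.exe: prefer an environment variable, else the newest x64 SDK build.
$signtool = $env:SIGNTOOL
if (-not $signtool) {
    $signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}
if (-not $signtool) { throw 'signtool.exe not found; set $env:SIGNTOOL to its full path' }
if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# An argument array lets PowerShell quote each element, so no escaped quotes are needed.
$signArgs = @('sign', '/n', $CertSubject, '/tr', $TimestampUrl, '/td', 'SHA256', '/fd', 'SHA256', '/v', $Path)
& $signtool @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }

# Independent check of the result; Get-AuthenticodeSignature handles .ps1 and PE files.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
Write-Host "Signed by $($sig.SignerCertificate.Subject)"
# TimeStamperCertificate may be empty for RFC 3161 countersignatures on some PowerShell versions.
if ($sig.TimeStamperCertificate) { Write-Host "Timestamped by $($sig.TimeStamperCertificate.Subject)" }
```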


Re: Error Signing File Error With New Entrust Time Stamp URL

Post by Alexander Riedel » Tue Nov 12, 2019 8:02 am

Please note that we are NOT using PowerShell internally to sign scripts, executable files or MSI installers. We are using the prescribed Windows API calls.
I am obviously in no position to tell you what to do, but I would just go with a standard time stamp server and avoid that trouble altogether. There is no requirement to use the time stamp server provided by the signature issuing authority.
Alexander Riedel
SAPIEN Technologies, Inc.