On Wed, Jun 9, 2021 at 6:40 PM Mark Thomas <ma...@apache.org> wrote:

> On 09/06/2021 17:36, ma...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >       new 9f391c9  Integrate JSign for cross-platform builds with signed Windows binaries
> > 9f391c9 is described below
> >
> > commit 9f391c998ee9adbc22acce2bbabbc2c6b8fc4172
> > Author: Mark Thomas <ma...@apache.org>
> > AuthorDate: Wed Jun 9 17:36:25 2021 +0100
> >
> >      Integrate JSign for cross-platform builds with signed Windows binaries
>
> The signing works on Linux. I'm just testing it on Windows before
> back-porting.
>

-installer-sign-uninstaller:
    [jsign] Adding Authenticode signature to /home/remm/Work/releases/tomcat-9.0.47/output/dist/Uninstall.exe

BUILD FAILED
/home/remm/Work/releases/tomcat-9.0.47/build.xml:2615: Couldn't sign /home/remm/Work/releases/tomcat-9.0.47/output/dist/Uninstall.exe

With the command line and after getting a real standalone JVM, I'm still
getting:
[remm@omni releases]$ java -jar libs/jsign-3.1/jsign-3.1.jar --keystore ~/.digicertone/pkcs11properties.cfg --storepass NONE --storetype PKCS11 --alias "Tomcat-PMC-key-2021-04" --alg SHA-512 --tsaurl http://timestamp.digicert.com tomcat-9.0.47/output/dist/Uninstall.exe
Adding Authenticode signature to tomcat-9.0.47/output/dist/Uninstall.exe
jsign: Couldn't sign tomcat-9.0.47/output/dist/Uninstall.exe
java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:685)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1404)
    at java.base/java.security.Signature.sign(Signature.java:713)
    at net.jsign.bouncycastle.operator.jcajce.JcaContentSignerBuilder$1.getSignature(Unknown Source)
    at net.jsign.bouncycastle.cms.SignerInfoGenerator.generate(Unknown Source)
    at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
    at net.jsign.bouncycastle.cms.CMSSignedDataGenerator.generate(Unknown Source)
    at net.jsign.asn1.authenticode.AuthenticodeSignedDataGenerator.generate(AuthenticodeSignedDataGenerator.java:50)
    at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:368)
    at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:339)
    at net.jsign.SignerHelper.sign(SignerHelper.java:424)
    at net.jsign.JsignCLI.execute(JsignCLI.java:111)
    at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
    at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_SignFinal(Native Method)
    at jdk.crypto.cryptoki/sun.security.pkcs11.P11Signature.engineSign(P11Signature.java:635)
    ... 12 more
Try `java -jar jsign.jar --help' for more information.

The cfg file is:
name=DigiCertONE
library="/home/remm/.digicertone/smpkcs11.so"
slotListIndex=0

The .so is there (otherwise it would complain earlier). Also the smctl tool
shows the key. I tried other algorithms but no success so far.

Rémy


> Mark
>