Troubleshooting Code Signing on Windows

Description

This article looks at specific error messages that a user might run into while code signing on Windows with SignTool and JarSigner, together with suggested solutions for each of them.

SignTool

Code Signing fails with Error: 0x8010006A

This error message can indicate that the private key's PIN policy is set to "Always", which does not work with the YubiKey Smart Card MiniDriver and SignTool because of a restriction in the Microsoft Base Smart Card CSP.

Solutions:

Generate the private key and CSR in a PIV slot whose default PIN policy is not "Always", such as slot 9a, where the default PIN policy is "once".

Error: SignerSign() failed. (-2146435071/0x80100001)

This error message indicates that the public key in the certificate may not be compatible with the YubiKey's PIV applet (sometimes accompanied by ykpiv_sign_data failed: YKPIV_ALGORITHM_ERROR (-12)).

For instance, the private key in a particular slot, say 9a, could be ECCP384 while the certificate imported into the same slot carries an RSA3072 public key. That public key is then not related to the private key in the slot at all.

Perform the steps in the test-signature Yubico PIV Tool article to check whether this is the case. The signature verification will most likely fail with a message such as the following:

yubico-piv-tool -a read-certificate -a verify-pin -a test-signature -s 9a -o cert.pem -i cert.pem
Enter PIN:
Successfully verified PIN.
Unusable RSA key of 3072 bits, only 1024 and 2048 are supported.

Solutions:

  1. Import the certificate that was issued from the CSR (Certificate Signing Request) generated for the private key in this PIV slot.
  2. Generate a new CSR and import the resulting certificate into the same PIV slot.
  3. Contact your Signing Certificate Vendor to understand what might have gone wrong.
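The check that solutions 1 and 2 rely on is that the certificate you import carries the same public key as the CSR generated from the slot. The following POSIX shell script is an added example and is not part of the Yubico article: it compares the SHA-256 of the DER-encoded public key in a certificate with the one in a CSR, and it constructs its own keys, CSRs and self-signed certificates with openssl to demonstrate both the matching case and the ECCP384-key-versus-RSA3072-certificate mismatch described above. It assumes openssl is on PATH (Git Bash or WSL on Windows); the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the Yubico article: check whether a certificate
# was issued for the key behind a given CSR by comparing the SHA-256 of the
# DER-encoded public key found in each. Assumes openssl on PATH; every key,
# CSR and certificate below is constructed for the demo.
set -e

# SHA-256 over the DER SubjectPublicKeyInfo carried in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# The same fingerprint for the public key carried in a CSR.
csr_pubkey_fp() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# Return 0 when the certificate and the CSR carry the same public key, 1 otherwise.
cert_matches_csr() {
    [ "$(cert_pubkey_fp "$1")" = "$(csr_pubkey_fp "$2")" ]
}

WORK=$(mktemp -d)
# Key A: ECC P-384, standing in for the key generated in slot 9a, plus its CSR.
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/keyA.pem"
openssl req -new -key "$WORK/keyA.pem" -subj "/CN=CodeSign_9a" -out "$WORK/csrA.pem"
# Key B: RSA 3072, an unrelated key (the mismatch described in the article), plus its CSR.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$WORK/keyB.pem" 2>/dev/null
openssl req -new -key "$WORK/keyB.pem" -subj "/CN=CodeSign_9a" -out "$WORK/csrB.pem"
# certA: issued from CSR A (self-signed here in place of the vendor CA).
openssl x509 -req -in "$WORK/csrA.pem" -signkey "$WORK/keyA.pem" -days 1 -out "$WORK/certA.pem" 2>/dev/null
# certB: issued for key B; importing it into slot 9a would break signing.
openssl x509 -req -in "$WORK/csrB.pem" -signkey "$WORK/keyB.pem" -days 1 -out "$WORK/certB.pem" 2>/dev/null

cert_matches_csr "$WORK/certA.pem" "$WORK/csrA.pem" && echo "certA: public key matches the CSR, safe to import into the slot"
cert_matches_csr "$WORK/certB.pem" "$WORK/csrA.pem" || echo "certB: public key does NOT match the CSR, do not import into this slot"
```

Run the script before ykman piv certificates import with the certificate your vendor returned and the CSR you sent them; a mismatch means the vendor issued the certificate for a different key, which is the case solution 3 covers.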

JarSigner

PKIX Path building failed

If you receive the message "PKIX path building failed" when signing with jarsigner, you likely need to make the full certificate chain available to the Java keystore, or make sure that the full certificate chain is imported onto the YubiKey. If the certificate chain is only installed on the YubiKey itself, the YubiKey needs to be plugged in for the PKIX path to be verified.

Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Solutions:

Importing the Certificate Chain to the Java Keystore:

  1. keytool -import -noprompt -cacerts -storepass changeit -alias <rootCA_Name> -file ./<RootCA.pem>
  2. keytool -import -noprompt -cacerts -storepass changeit -alias <Intermediate_Name> -file ./<Intermediate.pem>

Importing the Certificate Chain to the YubiKey:

  1. ykman piv certificates import 82 "PATH\TO\ROOT\CERTIFICATE.pem"
  2. ykman piv certificates import 83 "PATH\TO\INTERMEDIATE\CERTIFICATE.pem"
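The error above is a path-building failure: the verifier holds the leaf and trusts the root but has nothing that links the two. The following POSIX shell script is an added example and is not part of the Yubico article or of jarsigner; it builds a throwaway chain (test root CA, test subordinate CA, code-signing leaf) with openssl and shows that openssl verify fails with only the root and succeeds once the intermediate is supplied, which is the same condition the keytool and ykman import steps above fix for jarsigner. It assumes openssl is on PATH; all names and the extension files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Yubico article: build a test chain
# (root CA -> subordinate CA -> code-signing leaf) with openssl and show that
# path building fails when the verifier only has the root and succeeds once
# the intermediate is supplied. Assumes openssl on PATH; all names are made up.
set -e

# Return 0 if LEAF chains to ROOT; pass the intermediate as the third argument.
verify_chain() {
    leaf=$1; root=$2; intermediate=${3:-}
    if [ -n "$intermediate" ]; then
        openssl verify -CAfile "$root" -untrusted "$intermediate" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
    fi
}

WORK=$(mktemp -d)
# Extensions: openssl verify requires CA:TRUE on every issuing certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' > "$WORK/leaf.ext"

for name in root sub leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
done
# Self-signed root CA.
openssl req -new -key "$WORK/root.key" -subj "/CN=Test root CA/O=Example" -out "$WORK/root.csr"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# Subordinate (intermediate) CA issued by the root.
openssl req -new -key "$WORK/sub.key" -subj "/CN=Test subordinate CA/O=Example" -out "$WORK/sub.csr"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
# Code-signing leaf issued by the subordinate CA.
openssl req -new -key "$WORK/leaf.key" -subj "/CN=CodeSign_9a" -out "$WORK/leaf.csr"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

verify_chain "$WORK/leaf.pem" "$WORK/root.pem" || echo "root only: no path from root to leaf (the jarsigner PKIX situation)"
verify_chain "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/sub.pem" && echo "root + intermediate: path verified"
```

The same holds for jarsigner: trusting the root in cacerts is not enough on its own, the intermediate has to be reachable too, either from the keystore or from a slot on the YubiKey.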

Full PKIX path not included in the signature

In some cases the root and intermediate certificates are stored in the PIV "Retired Key Management" slots, for example slots 82 and 83. When this is the case, a regular third-party PKCS#11 module might not be able to access these slots, and the libykcs11.dll/.so/.dylib that ships with the Yubico PIV Tool has to be used instead.

The following example shows how to use the ykman CLI to check which slots hold the certificates stored on the YubiKey; here slots 82 and 83 hold the rest of the certificate chain for the signing certificate in slot 9A:

> ykman piv info
PIV version:              5.2.4
PIN tries remaining:      3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: 3019d4e739da739ced39ce739d836858210842108421c84210c3eb3410b5d5b9e16f4b93d9a0fdbff69258add9350832303330303130313e00fe00
CCC:   No data available
Slot 82 (RETIRED1):
 Algorithm:   Unsupported
 Subject DN:  CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      511651191053291511271809405270923685088546626025
 Fingerprint: 87c1c689b57282a861930f407250778824fc1eeb75b578b64cd780c42ffa7049
 Not before:  2023-07-10T06:36:00
 Not after:   2024-07-09T06:36:00

Slot 83 (RETIRED2):
 Algorithm:   Unsupported
 Subject DN:  CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      550933977875801178869348069256368183726342668431
 Fingerprint: 37f140c04d5c1f431e136ab4a084e23c646859faadf9c5e55140d3fdbbabda5f
 Not before:  2023-07-10T06:35:58
 Not after:   2033-07-07T06:35:58

Slot 9A (AUTHENTICATION):
 Algorithm:   ECCP256
 Subject DN:  CN=2ndCodeSign_9aECC
 Issuer DN:   CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Serial:      716532520625805465224678543206795883186711977292
 Fingerprint: c2b6032daf9b4c622dc843bfea7b684191530a6b241d86eba860da0dc4dc186f
 Not before:  2023-07-20T07:06:38
 Not after:   2024-07-19T07:06:38
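Reading the listing above by eye means matching each Issuer DN against another slot's Subject DN until a self-signed root is reached. The following POSIX shell script is an added example and is not part of the Yubico article or of ykman: it parses the text output of ykman piv info and follows those links from the signing slot, reporting either the complete slot path or where the chain breaks. The sample output is constructed to mirror the listing above, and the mktemp/awk usage and the trimmed-down file layout are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Yubico article: parse the text output of
# "ykman piv info" and check that the certificate in a slot chains, issuer to
# subject, through other slots up to a self-signed root on the same YubiKey.
# The sample output below is constructed to mirror the article's listing.
set -e

# Emit one "SLOT|subject|issuer" line per slot that holds a certificate.
slot_table() {
    awk '
        /^Slot [0-9A-Fa-f]+ /  { slot = $2 }
        /^[ \t]*Subject DN:/   { sub(/^[ \t]*Subject DN:[ \t]*/, ""); subject = $0 }
        /^[ \t]*Issuer DN:/    { sub(/^[ \t]*Issuer DN:[ \t]*/, ""); print slot "|" subject "|" $0 }
    ' "$1"
}

# Follow issuer links starting at slot $2 in file $1; print the path and return 0
# when a self-signed root is reached on the YubiKey, 1 when the chain is incomplete.
chain_complete() {
    table=$(slot_table "$1")
    slot=$2
    path=$slot
    hops=0
    while :; do
        line=$(printf '%s\n' "$table" | awk -F'|' -v s="$slot" '$1 == s { print; exit }')
        [ -n "$line" ] || { echo "chain broken: slot $slot holds no certificate"; return 1; }
        subject=${line#*|}; subject=${subject%%|*}
        issuer=${line##*|}
        if [ "$subject" = "$issuer" ]; then
            echo "complete: $path (self-signed root in slot $slot)"
            return 0
        fi
        next=$(printf '%s\n' "$table" | awk -F'|' -v i="$issuer" '$2 == i { print $1; exit }')
        [ -n "$next" ] || { echo "chain broken after $path: issuer '$issuer' is not on the YubiKey"; return 1; }
        slot=$next
        path="$path -> $slot"
        hops=$((hops + 1))
        [ "$hops" -lt 10 ] || { echo "chain broken: too many hops"; return 1; }
    done
}

WORK=$(mktemp -d)
# Constructed sample, trimmed to the fields the parser needs.
cat > "$WORK/full.txt" <<'EOF'
PIV version:              5.2.4
Slot 82 (RETIRED1):
 Algorithm:   Unsupported
 Subject DN:  CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE

Slot 83 (RETIRED2):
 Algorithm:   Unsupported
 Subject DN:  CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
 Issuer DN:   CN=Test root CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE

Slot 9A (AUTHENTICATION):
 Algorithm:   ECCP256
 Subject DN:  CN=2ndCodeSign_9aECC
 Issuer DN:   CN=Test subordinate CA,OU=Technical Support,O=Yubico,L=Stockholm,C=SE
EOF
# The same device with the root certificate missing from slot 83.
awk '/^Slot 83/ { skip = 1 } /^$/ { skip = 0 } !skip' "$WORK/full.txt" > "$WORK/noroot.txt"

chain_complete "$WORK/full.txt" 9A
chain_complete "$WORK/noroot.txt" 9A || true
```

On a real device, save the listing with ykman piv info > info.txt and run chain_complete info.txt 9A (or the slot you sign from); a "chain broken" result tells you which certificate still has to be imported into a retired slot.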

Solutions:

Make sure that the Java PKCS#11 configuration file has "Library" configured to point to the libykcs11.dll file, as shown in the JarSigner Prerequisites example.