PDA

View Full Version : Code Signing Certificate Mystery



Wayne Freeman
11-25-2008, 01:39 AM
Hi all, this is not a problem with SB. I'm posting here because this is where all the code-signing gurus hang out. (Jane?)

I've been code-signing my apps with a code-signing certificate from Comodo for about a year and a half, and renewed my certificate for two years through Lindersoft back in April of this year. I've had great success, all my apps sign with no errors, and thanks to Jane Fleming's great articles in Clarion Mag, I have had very few problems.

Or so I thought. Just today, in finishing up an app that interfaces with Quickbooks, QB complained that my certificate was invalid, and kicked me out! I verified the certificate through Windows Explorer, and then through signtool verify, and sure enough, both tell me that "The certificate is invalid for the requested usage". I have checked apps that I have signed after the renewal date, and apps that I signed last year, and it's the same story, so it has nothing to do with the renewal.

Since discovering this issue, I have used signtool with every parameter I can think of, and even used the signtool wizard, trying every combination I could think of, and it's always the same thing: I never get any errors during code-signing, but all verification methods say, "The certificate is invalid for the requested usage". It also doesn't matter if I "manually" use signtool or have SB do it.

In my frustration, I'd like to ask, if a code-signing certificate isn't valid for signing code, then what good is it? But that's not very nice, so instead, I'll ask, what could I possibly have done wrong? I'll reiterate, the certificate is valid. I've checked it, and it's good from 27 April 2008 until 27 April 2010.

Help! I need to get this Quickbooks interface done and this is a major show-stopper.

Thanks, and I apologize again for taking up space with a non-SB issue.

Wayne

linder
11-25-2008, 01:58 AM
Wayne,

Is this on a Vista machine? If this is the case, check the "Vista Event Viewer" and see if there is a CAPI2 application error.

Friedrich

Wayne Freeman
11-25-2008, 08:57 AM
Hi Friedrich,

No, I should have said. It's an XP machine.

Wayne
Analytica Business Systems
analyticabiz.com

linder
11-25-2008, 09:10 AM
Hi Wayne,

Perhaps some kind of Windows "root certificate" problem on your machine.

What do you see in Internet Explorer -> Tools -> Internet Options -> Content -> Certificates. Do you see your new Comodo certificate in the Personal list? If yes, please highlight it and click the "View" button. Then select the "Certification Path" tab. Does it say "This certificate is OK"?

Friedrich

Wayne Freeman
11-25-2008, 09:47 AM
Friedrich,

No, actually, it said it had expired on 4/27/2008, even though I had renewed it on 4/30/2008.

So I re-imported it, and now IE says it's okay, with an expiration date of 4/30/2010.

But when I sign an executable, I still get the same error, "This certificate is invalid for the usage requested" even though the type shows as "Digital Signature".

Wayne

linder
11-25-2008, 10:01 AM
Wayne,

Does it look like this (see attached screenshots)? Could you please post yours?

Friedrich

Wayne Freeman
11-25-2008, 10:52 AM
Friedrich,

Yes, it does. At least, I think so.

Wayne Freeman
11-25-2008, 10:58 AM
However, this is what the certificate details look like after signing an .exe with it:

linder
11-25-2008, 11:04 AM
Wayne,

Yes, looks okay to me. If Windows says "certificate OK" then there is no problem with your code-signing certificate.

What do you have in the Advanced options. Does it look like this (see attached screenshot). Is Code-Signing enabled?

Friedrich

Wayne Freeman
11-25-2008, 11:27 AM
Yes, exactly. "Code Signing" is checked, as are all the other check boxes visible in your screenshot.

But did you see the screenshots I posted of what Windows Explorer says about the certificate? It doesn't agree with IE at all!

Wayne

linder
11-25-2008, 11:42 AM
Hi Wayne,

Very strange. Unfortunately, I am running out of ideas :( I think there is something wrong with your machine (root certificate issue?). To be on the safe side, I would suggest to check the code-signing scenario on another machine.

Friedrich

Wayne Freeman
11-25-2008, 11:50 AM
I just noticed a very tiny detail.

In IE, the version number of the certificate is "V3", but after signing an .exe, Windows Explorer still shows the version number as "V2", which IE also said, before I imported the renewed certificate earlier today.

I'm thoroughly confused about the role IE plays in code signing certificates. Did my re-importing of the certficate into IE actually affect anything? Is it supposed to? Is there something else I need to do to get the man behind the curtain to recognize this renewed certificate?

I'm rebooting my system right now to see if that changes anything.

Wayne

linder
11-26-2008, 01:38 AM
Hi Wayne,

In fact, you only need the Credentials File (.spc) and the Private Key File (.pvk) to code-sign. Alternatively, you can use a .PFX file. The certificate in IE is not used at all.

IE also displays "V3" for our certificates and "V2" for the code-signed file. So this is okay (see attached screenshots).

Friedrich

Wayne Freeman
11-27-2008, 01:24 PM
Hi Friedrich, and anyone else following this:

After a couple of days of back-and-forth with Comodo technical support, their 3rd-level support found a solution.

The certificate had been issued incorrectly. Specifically: During enrollment (really when creating the keyset and the CSR) the KeySpec parameter has been incorrectly set to AT_KEYEXCHANGE (1). This must be AT_SIGNATURE (2).

The solution involved exporting the certificate using the MMC and doing an offline re-enrollment through CERTUTIL, to set the KeySpec parameter to AT_SIGNATURE.

I sure know more about code-signing certificates than I ever cared to!

Thanks, Friedrich, for your patience helping me through this.

Wayne
www.analyticabiz.com

linder
11-28-2008, 03:25 AM
Hi Wayne,

WOW, thanks for sharing this information. Very interesting!

Friedrich