dotnet nuget sign error: Unknown error (0xc100000d) #100414
Comments
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
Presumably the private key is stored on some security key, right? What would be the manufacturer, firmware and driver version of the said key?
It's a Safenet 5110: https://cpl.thalesgroup.com/access-management/authenticators/pki-usb-authentication/etoken-5110-usb-token
(didn't mean to close it)
If you are using a hardware token, then it seems like we have an issue where the key is on hardware but we are using BCrypt instead of NCrypt with the key handle, which isn't going to work. Let me see if I can reproduce this.
I was just able to reproduce the issue with the nuget CLI, let me see if I can create a reproduction with As a workaround for now, I would recommend using
Okay, this is just a case of

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

using RSA rsa = RSA.Create(2048);
CertificateRequest req = new CertificateRequest("CN=Kevin Jones", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
X509Certificate2 self = req.CreateSelfSigned(DateTime.Now, DateTime.Now.AddYears(1));

// Re-create the certificate from its raw DER only: this copy has no private key attached.
X509Certificate2 cert = new(self.RawDataMemory.Span);
self.Dispose();

SignedCms cms = new(new ContentInfo([1, 2, 3]));
CmsSigner signer = new(cert);
cms.ComputeSignature(signer);
```

We should probably fail earlier in
This appears to be a regression with RSABCrypt introduced in .NET 8. It does not handle "this key is not a private key". Smaller repro:

```csharp
using System.Security.Cryptography;

using RSA rsa = RSA.Create(2048);
using RSA pub = RSA.Create();

// Import only the public parameters, so `pub` has no private key.
pub.ImportParameters(rsa.ExportParameters(false));
pub.SignData("hi"u8, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
```

On non-Windows this will correctly tell you "I do not have a private key for this". On Windows, this will give an Unknown error.
The documentation says to export the certificate, but this introduces errors when the certificate is stored in a hardware token. You just need to specify the certificate fingerprint, no need to export. See issue dotnet/runtime#100414
Thank you @vcsjones I confirm that it works with the hardware token when specifying --certificate-fingerprint instead of specifying a certificate path. I was following this documentation https://learn.microsoft.com/en-us/nuget/create-packages/sign-a-package and got thrown off by the "export a certificate" instructions. I made a PR to clarify the documentation. Would still be nice to get a fix for the error message on windows.
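As an added example (not code from this thread, from the runtime, or from NuGet), this is the kind of early check the comments above ask for: it looks the signing certificate up in the user's store by thumbprint, the same association `--certificate-fingerprint` relies on, and refuses to sign when no private key is linked, instead of letting the public-only copy from an exported .cer reach BCrypt and surface as 0xc100000d. The thumbprint string is a placeholder, and the store location is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class SigningPreflight
{
    // Looks the certificate up by thumbprint in CurrentUser\My (assumed location).
    // The store copy keeps its link to the token's key provider; a .cer file does not.
    public static X509Certificate2 FindSigningCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        X509Certificate2Collection matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException($"No certificate {thumbprint} in CurrentUser\\My.");

        X509Certificate2 cert = matches[0];
        EnsureHasPrivateKey(cert);
        return cert;
    }

    // Fail with a readable message before any signing call touches the key handle.
    public static void EnsureHasPrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey || cert.GetRSAPrivateKey() is null)
            throw new CryptographicException(
                $"Certificate {cert.Thumbprint} has no linked private key; " +
                "use the store copy (by fingerprint), not an exported .cer.");
    }

    // Produces a detached CMS signature; the private key stays on the token.
    public static byte[] SignDetached(X509Certificate2 cert, byte[] content)
    {
        EnsureHasPrivateKey(cert);
        var cms = new SignedCms(new ContentInfo(content), detached: true);
        cms.ComputeSignature(new CmsSigner(cert));
        return cms.Encode();
    }

    public static void Main()
    {
        // Placeholder: replace with the SHA-1 thumbprint of your own code-signing certificate.
        X509Certificate2 cert = FindSigningCertificate("PLACEHOLDER_THUMBPRINT");
        byte[] sig = SignDetached(cert, new byte[] { 1, 2, 3 });
        Console.WriteLine($"Produced {sig.Length} bytes of CMS signature.");
    }
}
```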
Description
I try to sign a nuget package with my EV2 code signing certificate from Entrust and I get this error:
```
error: Unknown error (0xc100000d)
```
The EV2 certificate being used is valid and is confirmed working for signing exe and jar files
Reproduction Steps
This is the command I'm using (with some info redacted):
```
dotnet nuget sign "mynugetpackage.nupkg" --certificate-path "mycert.cer" --timestamper "http://timestamp.entrust.net/rfc3161ts2" -v detailed
```
Expected behavior
Package gets signed
Actual behavior
This is the output I'm getting (with some info REDACTED). The information on the certificates matches what I expect for my certificate.
Regression?
No response
Known Workarounds
No response
Configuration
```
dotnet --info
```
Other information
No response