Code Signing Fails with "ASN1 bad tag value met"

Grobas
Posts: 3
Joined: Sun Mar 24, 2019 5:33 am

Code Signing Fails with "ASN1 bad tag value met"

Post by Grobas » Sun Jun 30, 2019 10:50 pm

Product, version and build:
PowerShellStudio 2019 -- 5.6.160
Operating system:
Windows Server 2016, 64 bit
Hi,
This is my first try at using PowerShell Studio. All my scripts are signed with a certificate whose private key I have.
Certificate info:
Thumbprint algorithm: SHA1
Signature algorithm: SHA512RSA
Signature hash algorithm: SHA512
Public Key: RSA (2048)
Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)

When I try to sign using PowerShell Studio, after entering the password for the private key I get:
Code Signing Fails with "ASN1 bad tag value met"

I did some digging and found a couple of topics on the same matter, but without a proper solution provided:
example: viewtopic.php?f=12&t=13060

Worth mentioning:
1. My machine has limited access to the internet and is not able to use http://timestamp.globalsign.com/*
2. Unfortunately I can't replace the current cert based on SHA1 anytime soon
3. Script signing works without issues with PowerGUI - the tool that PowerShell Studio was supposed to replace


Thanks in Advance

davidc
Posts: 5913
Joined: Thu Aug 18, 2011 4:56 am

Re: Code Signing Fails with "ASN1 bad tag value met"

Post by davidc » Mon Jul 01, 2019 10:40 am

You can get this error when:

1. The certificate is expired.
2. The password is incorrect.

PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field. The solution here is to use the External signing tool field in Options->PowerShell:
[Screenshot: External Signing Tool.png]

You could invoke an external tool such as PowerShell.exe itself to sign the script. Make sure to use the following variable for the file path:
%File%

Example:

Code: Select all

powershell.exe -Command "& { Set-AuthenticodeSignature -FilePath '%FILE%' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert) }"
David
SAPIEN Technologies, Inc.

Grobas
Posts: 3
Joined: Sun Mar 24, 2019 5:33 am

Re: Code Signing Fails with "ASN1 bad tag value met"

Post by Grobas » Mon Jul 01, 2019 11:25 pm

Hi,
Thanks, your workaround worked. I created a dedicated ps1 to perform the signing part; however, I would really appreciate it if this feature worked using the tool's built-in, out-of-the-box engine.

To answer your concerns:
1. certificate is not expired
2. password is correct (if the password is incorrect, the call to Windows CryptoAPI will prompt for the password again)
Again, it's working with PowerGUI, and working if I sign directly using PowerShell (in both cases I get a password prompt for "Signing data with your private signature").

Code: Select all

# Build the signing command; the path is quoted so files with spaces still work
$command = "Set-AuthenticodeSignature -FilePath '$file' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)"
# -EncodedCommand expects Base64 of the UTF-16LE command text
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$private:CodeSign = powershell.exe -encodedCommand $encodedCommand

"PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field."
Can you please clarify this statement? My certificate is in the store, but since this is code signing, for security reasons I protect my private key with a password.


Thanks






davidc
Posts: 5913
Joined: Thu Aug 18, 2011 4:56 am

Re: Code Signing Fails with "ASN1 bad tag value met"

Post by davidc » Tue Jul 02, 2019 7:35 am

There is no password field at this time for the signing process. I recommend submitting a feature request here:

https://www.sapien.com/requests

That way we could address it in a future release.
David
SAPIEN Technologies, Inc.

Grobas
Posts: 3
Joined: Sun Mar 24, 2019 5:33 am

Re: Code Signing Fails with "ASN1 bad tag value met"

Post by Grobas » Tue Jul 02, 2019 11:09 pm

Thanks, as per your advice I have raised the feature request.
One more thing - is it possible to validate the certificate in a ps1 with some built-in feature by simply clicking on some icon? (I can't find it anywhere across all the menus)

davidc
Posts: 5913
Joined: Thu Aug 18, 2011 4:56 am

Re: Code Signing Fails with "ASN1 bad tag value met"

Post by davidc » Wed Jul 03, 2019 8:05 am

Do you mean validate the signature or the certificate itself?

The application doesn't have a feature to validate the certificate or the signature at this time.
David
SAPIEN Technologies, Inc.
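
Added example, not part of the thread and not SAPIEN's code: a sign-then-verify helper covering the two checks discussed above (certificate expiry before signing, signature validation afterwards) using the built-in Authenticode cmdlets. The function name `Invoke-SignAndVerify`, its parameters and the sample path are hypothetical; it assumes the certificate is in `Cert:\CurrentUser\My` and that no timestamp server is reachable.

```powershell
# Added example: sign a script with a store certificate, then verify what was written.
# Invoke-SignAndVerify and its parameters are hypothetical names used for illustration.
function Invoke-SignAndVerify {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: pin one specific certificate by thumbprint
        [string] $Thumbprint
    )

    $now = Get-Date
    # Keep only code-signing certificates that have a private key and are inside
    # their validity window, so an expired certificate is rejected before signing.
    $candidates = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now }
    if ($Thumbprint) {
        $candidates = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    }
    # If several certificates qualify, use the one that expires last
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        throw "No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My."
    }

    # No -TimestampServer is passed (assumption: the host has no outbound access).
    # Without a timestamp the signature stops validating once the certificate expires.
    $null = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256

    # Re-read the file from disk and report the signature that is actually on it
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status        # 'Valid' only if file hash and chain both check out
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        NotAfter    = $sig.SignerCertificate.NotAfter
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Usage (the path is a placeholder):
# $r = Invoke-SignAndVerify -Path 'C:\Scripts\Example.ps1'
# if ($r.Status -ne 'Valid') { throw "Signing failed: $($r.Message)" }
```

A `Status` of `HashMismatch` means the file changed after signing, and `NotSigned` means no signature block was written at all.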