Code Signing Fails with "ASN1 bad tag value met"

Posted: Sun Jun 30, 2019 10:50 pm
by Grobas
Product, version and build:
PowerShellStudio 2019 -- 5.6.160
Operating system:
Windows Server 2016, 64 bit

Hi,
This is my first try at using PowerShell Studio. All my scripts are signed with a certificate whose private key I have.
Certificate info:
Thumbprint algorithm: SHA1
Signature algorithm: SHA512RSA
Signature hash algorithm: SHA512
Public Key: RSA (2048)
Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)

When I try to sign using PowerShell Studio, after entering the password for the private key I get:
Code Signing Fails with "ASN1 bad tag value met"

I did some digging and found a couple of topics on the same matter, but without a proper solution provided:
example: viewtopic.php?f=12&t=13060

Worth mentioning:
1. My machine has limited access to the internet and is not able to use http://timestamp.globalsign.com/*
2. Unfortunately I can't replace the current cert based on SHA1 anytime soon
3. Script signing works without issues with PowerGUI - the tool that PowerShell Studio was supposed to replace


Thanks in Advance

Re: Code Signing Fails with "ASN1 bad tag value met"

Posted: Mon Jul 01, 2019 10:40 am
by davidc
You can get this error when:

1. The certificate is expired.
2. The password is incorrect.

PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field. The solution here is to use the External signing tool field in Options->PowerShell:
External Signing Tool.png

You could invoke an external tool such as PowerShell.exe itself to sign the script. Make sure to use the following variable for the file path:
%File%

Example:

Code:

powershell.exe -Command "& { Set-AuthenticodeSignature -FilePath '%FILE%' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert) }"

Re: Code Signing Fails with "ASN1 bad tag value met"

Posted: Mon Jul 01, 2019 11:25 pm
by Grobas
Hi,
Thanks, your workaround worked. I created a dedicated ps1 to perform the signing part; however, I would really appreciate it if this feature worked using the tool's built-in, out-of-the-box engine.

To answer your concerns:
1. certificate is not expired
2. password is correct (if the password is incorrect, the call to Windows for CryptoAPI will prompt for the password again)
Again, it's working with PowerGUI, and working if I sign directly using PowerShell (in both cases I get a password prompt for "Signing data with your private signature").

Code:

# $file holds the path of the script to sign
$command = "Set-AuthenticodeSignature -FilePath '$file' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)"
# -EncodedCommand expects Base64 of the UTF-16LE (Unicode) command string
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Run the signing command in a separate powershell.exe process and keep its output
$private:CodeSign = powershell.exe -encodedCommand $encodedCommand

"PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field."
Can you please clarify this statement? My certificate is in the store, but since this is code signing, for security reasons I protect my private key with a password.


Thanks

Re: Code Signing Fails with "ASN1 bad tag value met"

Posted: Tue Jul 02, 2019 7:35 am
by davidc
There is no password field at this time for the signing process. I recommend submitting a feature request here:

https://www.sapien.com/requests

That way we could address it in a future release.

Re: Code Signing Fails with "ASN1 bad tag value met"

Posted: Tue Jul 02, 2019 11:09 pm
by Grobas
Thanks, as per your advice I have raised the feature request.
One more thing - is it possible to validate the certificate in a ps1 with some built-in feature by simply clicking on some icon? (I can't find it anywhere across all the menus)

Re: Code Signing Fails with "ASN1 bad tag value met"

Posted: Wed Jul 03, 2019 8:05 am
by davidc
Do you mean validate the signature or the certificate itself?

The application doesn't have a feature to validate the certificate or the signature at this time.
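
The checks discussed in this thread (certificate present in the store, not expired, private key available, signature verified afterwards) can be done in the external signing script itself. The following is an added example, not code from the thread or from PowerShell Studio; the function name `Invoke-CheckedSigning` and its parameters are hypothetical, and it assumes the certificate lives in Cert:\CurrentUser\My as in the posts above.

```powershell
# Added example: pre-flight checks, signing, and post-signing validation.
# Invoke-CheckedSigning is a hypothetical name, not part of any product.
function Invoke-CheckedSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        # Optional: selects one certificate when the store holds several.
        [string] $Thumbprint
    )

    # -CodeSigningCert limits the listing to certificates with code-signing authority.
    $candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)
    if ($Thumbprint) {
        $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $Thumbprint })
    }

    # Rule out the causes named in the thread before attempting to sign:
    # an expired (or not yet valid) certificate, or one without a private key.
    $now = Get-Date
    $usable = @($candidates | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })
    if ($usable.Count -eq 0) {
        throw "No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My."
    }
    if ($usable.Count -gt 1) {
        throw "Several usable certificates found; pass -Thumbprint to choose one."
    }

    # No -TimestampServer is passed (the machine in the thread cannot reach one),
    # so the signature stops validating once the certificate expires.
    $null = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $usable[0]

    # Re-read the file instead of trusting the signing call's return value.
    $check = Get-AuthenticodeSignature -FilePath $FilePath
    if ($check.Status -ne 'Valid') {
        throw "Signature check failed for '$FilePath': $($check.Status) - $($check.StatusMessage)"
    }
    $check | Select-Object Path, Status,
        @{ n = 'Signer';  e = { $_.SignerCertificate.Subject } },
        @{ n = 'Expires'; e = { $_.SignerCertificate.NotAfter } }
}

# Usage (constructed path): Invoke-CheckedSigning -FilePath 'C:\Scripts\Example.ps1'
```

`Get-AuthenticodeSignature` on its own answers the "validate the signature" half of the question for any already-signed ps1.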