Code Signing Fails with "ASN1 bad tag value met"

This topic is 4 years and 8 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Post by Grobas »


Product, version and build:
PowerShellStudio 2019 -- 5.6.160
Operating system:
Windows Server 2016, 64 bit

Hi,
this is my first try at using PowerShell Studio. All my scripts are signed with a certificate whose private key I have.
Certificate info:
Thumbprint algorithm: SHA1
Signature algorithm: SHA512RSA
Signature hash algorithm: SHA512
Public Key: RSA (2048)
Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)

When I try to sign using PowerShell Studio, after entering the password for the private key I get:
Code Signing Fails with "ASN1 bad tag value met"

I did some digging and found a couple of topics on the same matter, but without a proper solution provided:
example: viewtopic.php?f=12&t=13060

Worth mentioning:
1. My machine has limited access to the internet and is not able to use http://timestamp.globalsign.com/*
2. Unfortunately I can't replace the current cert based on SHA1 anytime soon
3. Script signing works without issues with PowerGUI - the tool that PowerShell Studio was supposed to replace


Thanks in Advance
Post by davidc »

You can get this error when:

1. The certificate is expired.
2. The password is incorrect.

PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field. The solution here is to use the External signing tool field in Options->PowerShell:
[Screenshot: External Signing Tool.png]

You could invoke an external tool such as PowerShell.exe itself to sign the script. Make sure to use the following variable for the file path:
%File%

Example:

Code: Select all

powershell.exe -Command "Set-AuthenticodeSignature -FilePath '%FILE%' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)"
David
SAPIEN Technologies, Inc.
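A dedicated script that the External signing tool field could call, as an added example that is not SAPIEN's code or either poster's script. The file name `Sign-Script.ps1`, its parameters and the install path are assumptions; it checks the expiry cause listed above before signing and omits a timestamp server for a machine that cannot reach one.

```powershell
# Sign-Script.ps1 (hypothetical name): added example, not part of the original thread.
# Assumed external tool entry:
#   powershell.exe -NoProfile -File C:\Tools\Sign-Script.ps1 -Path "%FILE%"
param(
    [Parameter(Mandatory)] [string] $Path,
    # Optional: pin the signing certificate instead of relying on store order
    [string] $Thumbprint
)

$ErrorActionPreference = 'Stop'

# Certificates in the user store that carry the Code Signing EKU and a private key
$candidates = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey })
if ($Thumbprint) {
    $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# Rule out an expired or not-yet-valid certificate before attempting to sign
$now   = Get-Date
$valid = @($candidates | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })

if ($valid.Count -eq 0) {
    throw "No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My."
}
if ($valid.Count -gt 1) {
    throw "More than one matching certificate; pass -Thumbprint to choose one."
}

# No -TimestampServer here because the machine cannot reach one. Without a
# timestamp, the signature stops validating once the certificate expires.
# A password-protected private key still triggers the Windows prompt at this call.
$result = Set-AuthenticodeSignature -FilePath $Path -Certificate $valid[0] -HashAlgorithm SHA256

if ($result.Status -ne 'Valid') {
    throw "Signing failed for '$Path': $($result.Status) - $($result.StatusMessage)"
}
$result
```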
Post by Grobas »

Hi,
thanks, your workaround worked. I created a dedicated ps1 to perform the signing part, however I would really appreciate it if this feature worked using the tool's built-in, out-of-the-box engine.

To answer your concerns:
1. the certificate is not expired
2. the password is correct (if the password is incorrect, the call to Windows CryptoAPI will prompt for the password again)
Again, it's working with PowerGUI, and working if I sign directly using PowerShell (in both cases I get a password prompt for "Signing data with your private signature").

Code: Select all

# Build the signing command; quote the path so file names with spaces survive
$command = "Set-AuthenticodeSignature -FilePath '$file' -Certificate (Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert)"
# -EncodedCommand expects the Base64 of the UTF-16LE command text
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
$private:CodeSign = powershell.exe -encodedCommand $encodedCommand

"PowerShell Studio requires the certificate to be in the store and thus doesn't supply a password field."
Can you please clarify this statement? My certificate is in the store, but since this is code signing, for security reasons I protect my private key with a password.


Thanks





Post by davidc »

There is no password field at this time for the signing process. I recommend submitting a feature request here:

https://www.sapien.com/requests

That way we could address it in a future release.
David
SAPIEN Technologies, Inc.
Post by Grobas »

Thanks, as per your advice I have raised the feature request.
One more thing - is it possible to validate the certificate in a ps1 with some built-in feature by simply clicking on some icon? (I can't find it anywhere across all the menus)
Post by davidc »

Do you mean validate the signature or the certificate itself?

The application doesn't have a feature to validate the certificate or the signature at this time.
David
SAPIEN Technologies, Inc.
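Outside the application, PowerShell can answer both readings of that question (the signature and the certificate). The following is an added example, not SAPIEN's code or a PowerShell Studio feature; the function name `Test-ScriptSignature` and the sample path are assumptions.

```powershell
# Added example, not part of the original thread.
# Reports on the Authenticode signature of a script and on the signer certificate.
function Test-ScriptSignature {
    param([Parameter(Mandatory)] [string] $Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $report = [ordered]@{
        Path            = $Path
        # Valid, NotSigned, HashMismatch (file changed after signing), NotTrusted, ...
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        # False when the script was signed without a timestamp server
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }

    if ($cert) {
        $now = Get-Date

        # Look for the Code Signing EKU (1.3.6.1.5.5.7.3.3) on the signer certificate
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

        # Build the chain without revocation lookups, for a machine with limited internet access
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)

        $report.Subject           = $cert.Subject
        $report.Thumbprint        = $cert.Thumbprint
        $report.NotAfter          = $cert.NotAfter
        $report.WithinValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        $report.HasCodeSigningEku = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
        $report.ChainBuilds       = $chainOk
        $report.ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }

    [pscustomobject]$report
}

# Usage (constructed sample path):
# Test-ScriptSignature -Path .\Deploy.ps1 | Format-List
```

An untimestamped signature reports `Timestamped = False`, and its `SignatureStatus` will stop being `Valid` once `NotAfter` has passed.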