Problem with Jar Signer using Azure Trusted Services

[batubudin]

Hi, thanks in advance for looking at my issue,
My main goal is signing jar files using AzureTrustedSigning, however from (your) another discussion, you refer to first run the .exe signing syntax,

java -jar jsign-7.0-SNAPSHOT.jar \
     --storetype TRUSTEDSIGNING \
     --keystore weu.codesigning.azure.net \
     --storepass <api-access-token> \
     --alias <account>/<profile> application.exe

I implemented this in my .bat syntax as:

@REM az login --service-principal -u %AZURE_CLIENT_ID% -p %AZURE_CLIENT_SECRET% --tenant %AZURE_TENANT_ID%

 FOR /F "delims=" %%i IN ('az account get-access-token --query accessToken --output tsv') DO SET "AZURE_ACCESS_TOKEN=%%i"

 echo TOKEN = %AZURE_ACCESS_TOKEN%

 java -debug -jar jsign-7.0.jar --verbose ^
    --storetype TRUSTEDSIGNING ^
    --keystore https://eus.codesigning.azure.net ^
    --storepass %AZURE_ACCESS_TOKEN% ^
    --alias %ALIAS% "%JAR_FILE%"

However, even with this, I am getting an error:

java.security.KeyStoreException: Unable to retrieve the certificate chain 'alias-account/alias-profile'
        at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:109)
        at net.jsign.jca.SigningServiceKeyStore.engineGetCertificateChain(SigningServiceKeyStore.java:43)
        at java.security.KeyStore.getCertificateChain(KeyStore.java:1048)
        at net.jsign.SignerHelper.build(SignerHelper.java:354)
        at net.jsign.SignerHelper.sign(SignerHelper.java:450)
        at net.jsign.SignerHelper.execute(SignerHelper.java:305)
        at net.jsign.JsignCLI.execute(JsignCLI.java:213)
        at net.jsign.JsignCLI.main(JsignCLI.java:57)
Caused by: java.io.IOException: HTTP Error 401 - Unauthorized (https://eus.codesigning.azure.net/codesigningaccounts/alias-account/certificateprofiles/alias-profile/sign?api-version=2022-06-15-preview)
        at net.jsign.jca.RESTClient.query(RESTClient.java:161)
        at net.jsign.jca.RESTClient.post(RESTClient.java:73)
        at net.jsign.jca.AzureTrustedSigningService.sign(AzureTrustedSigningService.java:147)
        at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:106)
        ... 7 more

From my understanding (which is about a week old of this signing topic), since I am able to retrieve a valid azureAccessToken, I feel that the problem might be somewhere else. The error indicates "Unauthorized," which is contradicting what I just said. Basically i am very much confused, I would appreciate it if you could help clarify this.

Once this issue is fixed, I will be able to conclude my project, which involves automating JAR file signing.

FYI: I use placeholders for the values where the alias-information stands.
FYI: By using the AzureSigningTool (signtool.exe & Azure.CodeSigning.Dlib.dll), and by using Service Principle credientials, I am able to sign dll, and exe formats.

[ebourg]

Could you try this command to fetch the access token?

az account get-access-token --resource https://codesigning.azure.net

[batubudin]

Good Morning, I updated it and it still fails on the same error message,

 jarsigner -J-cp -Jjsign-7.0.jar:$JAVA_HOME//lib//tools.jar ^

I am not sure what is the reason, I feel like I am making syntax error. I tried all the options for the syntax ( // or / or \ ),

POWERSHELL: java -version
openjdk version "1.8.0_442"
OpenJDK Runtime Environment Corretto-8.442.06.1 (build 1.8.0_442-b06)
OpenJDK 64-Bit Server VM Corretto-8.442.06.1 (build 25.442-b06, mixed mode)

and I am having the same issue:

Error: Could not find or load main class sun.security.tools.jarsigner.Main

[ebourg]

Maybe replace the colon with a semi-colon in the -cp parameter?

jarsigner -J-cp -Jjsign-7.0.jar;path/to/jdk/lib/tools.jar ^

[batubudin]

Yes that worked, thanks to you a lot, I have some other issues and after finding the reason, I will write a complete answer. I believe it has to do with my certification.

The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The signer certificate will expire on 2025-01-31.

[batubudin]

The answer:

My steps for achieving non-interactive JAR signing, by using JSign and Azure Trusted Signing:

Things to be considered and a short summary

• In this project I am running .bat file
• I will authenticate myself using --service-principle account settings.
• Then by using the service principle, I will retrieve the Azure Access Token using the Azure CLI commands;
• And using that and other parameters mentioned, proceed the signing.

Login with Azure CLI

 az login --service-principal -u %AZURE_CLIENT_ID% -p %AZURE_CLIENT_SECRET% --tenant %AZURE_TENANT_ID%

Retrive the Access Token

FOR /F "delims=" %%i IN ('az account get-access-token --resource https://codesigning.azure.net --query accessToken --output tsv') DO SET "AZURE_ACCESS_TOKEN=%%i"

Signing

jarsigner -J-cp -Jjsign-7.0.jar;C:\Dev_Tools\amazon-corretto\jdk1.8.0_442\lib\tools.jar ^
	--providerClass net.jsign.jca.JsignJcaProvider ^
	--providerArg eus.codesigning.azure.net ^
	--storetype TRUSTEDSIGNING ^
	--keystore NONE ^
	--tsa http://timestamp.acs.microsoft.com ^
	--storepass %AZURE_ACCESS_TOKEN% ^
	"%JAR_FILE%" ALIAS

1. ALIAS information has to be changed using AccountName/ProfileName
2. ; (semicolon) has to be used for seperating the Jjsign Jar file and, the JDK`s tools.jar file, and not : (colon). This might be special for .bat files. I have no clue.

Verifying

jarsigner -verify -verbose PATH\TO\SIGNEDJAR.jar

Again thanks for your help!

[ebourg]

Thank you for the summary