"Error: SignerSign() failed." (-2147023673/0x800704c7)

Question

While using signtool for code signing on our buildserver jenkins shows the following error message:

Done Adding Additional Store
Error information: "Error: SignerSign() failed." (-2147023673/0x800704c7)
SignTool Error: An unexpected internal error has occurred.

We use an EV code sign certificate on a USB token. All tools are the latest ones available actually.

Any ideas?

---

It is not a problem at all using the same build task and running it manually on the same machine (as the user mentioned below) that jenkins is running on, and the same environment / directory.

The Jenkins service runs on a Windows 10 pro VM as a simple user with admin rights (not as Local System).

For more details see this excerpt from the Jenkins log:

  Signiere FlinkySchule.FormularEditor.exe:
  Verbindung zu Token auf- bzw. abbauen
  ***** code signing *****
  Aktueller Pfad des signtool:
  c:\JW\FS\Production\Deployment\Tools\signtool\kits
  Zu signierende Datei:
  c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\bin\Release\\FlinkySchule.FormularEditor.exe
  The following certificate was selected:
      Issued to: Dirk W.

      Issued by: GlobalSign CodeSigning CA - SHA256 - G3

      Expires:   Fri Apr 03 15:58:51 2020

      SHA1 hash: 4187Cxyxyxyxyxyxyxyxyxyxyx7978C4


  Done Adding Additional Store
EXEC : error information: "Error: SignerSign() failed." (2147023673/0x800704c7) [c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\FlinkySchule.FormularEditor.csproj]
EXEC : SignTool error : An unexpected internal error has occurred. [c:\JW\FS\Production\Application\Assemblies\FlinkySchule.FormularEditor\FlinkySchule.FormularEditor.csproj]

---

One issue was the over all path length: Even in the year 2017 you will run into the 260 characters path length restriction. Annoying! But we solved this and the error still occurs sometimes.

Answer 1

I ran into this problem as well. I was able to duplicate error outside of Jenkins by running Signtool.exe, but when the prompt appeared for the token password, click cancel. You'll get the same error.

I have a C program which watches for the Symantec prompt and automatically enters the toke password. But Jenkins clearly wasn't running Signtool.exe in the same context as my password helper program. So I then edited my program which runs Signtool.exe to run the password helper program as well. It was still no good. Then I realized that maybe the problem how Jenkins is being run on the node. I had the Jenkins node running a service. Once I stopped the service, and connected by running the java command directly on the command line, it worked!

So now I know, if I'm going to run signtool on a Windows node, make sure the node is connected by running on the command line (via scheduled task), not a service. This changes the context Jenkins is run under which allows SignTool and the Token Prompt to play nice.

Answer 2

EV codesign with Jenkins using an eToken

Found a solution using jsign

java -jar jsign-2.0.jar --keystore .\eToken.cfg --alias %yourCertAlias% --storetype PKCS11 --tsaurl http://rfc3161timestamp.globalsign.com/advanced --tsmode RFC3161 --storepass %tokenPassword% %file2sign%

eToken.cfg:

name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll

Get the certificates alias using java keytool

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg

This should output something like

Keystore-Typ: PKCS11
Keystore-Provider: SunPKCS11-eToken

Keystore enthält 1 Eintrag

te-318f471f-9a0e-4101-bf45-96a656cc2306, PrivateKeyEntry,
Zertifikat-Fingerprint (SHA1): 
41:87:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:X:XX:XX:XX:XX:79:78:C4

Maybe there are some more entries in the store. To find the right have look at your certifcate's fingerprint. The alias you need for jsign's alias parameter is the string in the example that starts with "te-318f4...."

Need more detailed help about this part? Please have a look at Trustzone.

Please let me know if you are interested in knowing how we do an automated build process on a separate build machine using only one eToken USB device.

Answer 3

I had the same issue and solved it by installing the latest Windows 10 SDK, i.e. 10.0.15063.0

Answer 4

I omitted the countersignature :

 /tr http://tsa.starfieldtech.com