I am using PackageDigitalSignatureManager to sign a Zip file and its contents. My code worked fine until I updated to .NET 4.6.2; suddenly I get the following exception:
System.Security.Cryptography.CryptographicException: Key does not exist
bei System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
bei System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
bei System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
bei System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
bei System.Security.Cryptography.AsymmetricSignatureFormatter.CreateSignature(HashAlgorithm hash)
bei System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
bei MS.Internal.IO.Packaging.XmlDigitalSignatureProcessor.Sign(IEnumerable`1 parts, IEnumerable`1 relationshipSelectors, X509Certificate2 signer, String signatureId, Boolean embedCertificate, IEnumerable`1 signatureObjects, IEnumerable`1 objectReferences)
bei System.IO.Packaging.PackageDigitalSignatureManager.Sign(IEnumerable`1 parts, X509Certificate certificate, IEnumerable`1 relationshipSelectors, String signatureId, IEnumerable`1 signatureObjects, IEnumerable`1 objectReferences)
bei System.IO.Packaging.PackageDigitalSignatureManager.Sign(IEnumerable`1 parts, X509Certificate certificate, IEnumerable`1 relationshipSelectors, String signatureId)
bei System.IO.Packaging.PackageDigitalSignatureManager.Sign(IEnumerable`1 parts, X509Certificate certificate, IEnumerable`1 relationshipSelectors)
The certificate and the private key I am using, as well as the signing code I use, did not change at all in the last months. The only change is the switch to .NET 4.6.2.
I wasn't sure what happened until I found this article: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/ They mention changing certificate and signing code; I am not sure, however, what exactly broke.
Does anyone have an idea how I can fix this? Is there maybe a way to run my application in a backwards compatible way?
When creating an instance of RSACryptoServiceProvider you need to specify a CspParameters object with a specified KeyContainerName:
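using System.Security.Cryptography;

// Bind the provider to a named key container instead of a random one.
var cp = new CspParameters();
cp.KeyContainerName = "WhateverKeyContainerName";
var privateKey = new RSACryptoServiceProvider(cp);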
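A diagnostic for the "Key does not exist" failure in the question, as an added example that is not part of the original post: it reports whether the signing certificate's private key is CSP- or CNG-backed and whether the current account can sign with it. The thumbprint placeholder, the CurrentUser\My store location and the class name SigningKeyCheck are assumptions; GetRSAPrivateKey requires .NET Framework 4.6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SigningKeyCheck
{
    // Placeholder: replace with the thumbprint of your signing certificate.
    const string Thumbprint = "<SIGNING-CERT-THUMBPRINT>";

    static void Main()
    {
        // Assumption: the certificate is installed in CurrentUser\My.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0) { Console.WriteLine("Certificate not found."); return; }
            Describe(found[0]);
        }
        finally { store.Close(); }
    }

    static void Describe(X509Certificate2 cert)
    {
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        if (!cert.HasPrivateKey) return;
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) { Console.WriteLine("Private key is not RSA."); return; }
                Console.WriteLine("Key implementation: " + rsa.GetType().Name);
                var csp = rsa as RSACryptoServiceProvider;
                if (csp != null)
                    Console.WriteLine("CSP container: " + csp.CspKeyContainerInfo.KeyContainerName
                        + ", machine store: " + csp.CspKeyContainerInfo.MachineKeyStore);
                var cng = rsa as RSACng;
                if (cng != null)
                    Console.WriteLine("CNG key: " + cng.Key.KeyName + ", provider: " + cng.Key.Provider);
                // A throwaway signature proves the key material is actually reachable.
                rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                Console.WriteLine("Test signature succeeded.");
            }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Private key is not usable by this account: " + ex.Message);
        }
    }
}
```

Run it under the same account as the failing application, because access to a key container is granted per account.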