We Keep Coding

msbuild fails on Certificate could not be opened, network password not correct

I am trying to create a signed appx package as a test using a purchased code signing certificate. I cannot get it to build without installing the cert locally first (which I don't want to do given this will be done in a CI/CD environment).
I am executing the following on a solution containing an empty WPF project and WAP project.
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=true /p:PackageCertificateThumbprint=$myThumbprint
/p:PackageCertificateKeyFile=$myCert /p:PackageCertificatePassword=$myPassword
error: Certificate could not be opened
error: The specified network password is not correct
I have confirmed the password of $myPassword and thumbprint is $myThumprint by importing the cert and verifying it. I have also tried assigning "" to $myThumprint. I have confirmed the location of $myCert
It will build if I assign AppxPackageSigningEnable=false, but it will be unusable as it is not signed.
In appxmanifest, I have assigned Identity/Publisher to the publisher id of the cert (e.g., Publisher="CN=John Doe, O=Acme, L=TheMoon, S=OuterSpace, C=Universe") and Properties/PublisherDisplayName = the cert's CN (=John Doe)
I have tried exporting the pfx into a cer and using that, but that fails on the cert is not usable as it doesn't include a private key.
I have tried exporting the pfx into a base64 string and then creating a pfx from that - still fails (desperate measures).
Any tips greatly appreciated!

I read that a password protected cert needs to be stored in a cert store for msbuild to use it. Therefore, I ignored the cert on build and added it later by doing the following:
Remove all signing parameters from msbuild as follows
msbuild $Solution_Path /p:Platform=x64 /p:Configuration=Release
/p:UapAppxPackageBuildMode=SideLoadOnly /p:AppxBundlePlatforms="x64"
/p:AppxPackageDir=$App_Packages_Directory /p:AppxBundle=Never
/p:AppxPackageSigningEnabled=false
Given the name of the appx will change based on version and I couldn't find a way to pass wildcards to the SignTool, I used this to grab the built appx:
$Packages_2Sign = (Get-ChildItem -Recurse -Path $currentDirectory -Include *.appx).fullname
Finally, use the SignTool to sign the appx built from the prior step
SignTool sign /fd sha256 /a
/f $certificatePath /p $certificatePwd $Packages_2Sign

How to fix Openssl SMIME error :ASN1_get_object:header too long?

I have a .p7s file, that is a PDF signed, which is now broken and i can't open it. When trying to convert it back to PDF i am having issues.
I have tried this repair tool https://www.pdf-online.com/osa/repair.aspx and it was able to give me a PDF, but it looks very bad and i can't read much from it.
I have also tried this command on my Mac:
openssl smime -inform DER -verify -noverify -in "file.p7s" -out "file.pdf"
But i am receiving this error:
Error reading S/MIME message
140735895516104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/asn1/asn1_lib.c:152:
Does anybody have an idea of how to properly convert the .p7s back to a .pdf properly or fix the .p7s file so my command above works?

How to verify detached PKCS7 signature with signtool

We have a file, say, scup.jpg, that we want to sign and (later) verify with signtool.
For embedded content we execute
signtool.exe sign /p7 .\ /p7ce embedded /p7co 1.2.840.113549.1.7.2 /a /f .\pfx.p12 /p "somepass" .\scup.jpg
and it produces a file named scup.jpg.p7 that is verifiable with the folowing command:
signtool.exe verify /p7 scup2.jpg.p7
but what we need is not an embedded data, but rather a detached signature, so we change the signing command to
signtool.exe sign /p7 .\ /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 /a /f .\pfx.p12 /p "somepass" .\scup.jpg
and produce a detached signature file also named scup2.jpg.p7, but no matter what command options we try to verify the signature, signtool gives us errors, like tis one:
SignTool Error: CryptVerifyMessageSignature returned error: 0x8009310B
ASN1 bad tag value met.
SignTool Error: File not valid: scup.jpg.p7
Number of errors: 1
What do we do wrong and is it at all possible to verify a detached signature with signtool? I know I could use openssl or progarmming tools/API, but for the moment I need clarity regarding signtool itelf.

OpenSSL Decryption using a Key.txt and IV.txt file

Working with a client to set up OpenSSL file encryption. They've sent us an encrypted file (I'll call it sample.encrypted), along with key and iv files (key.txt and iv.txt).
The contents of the key.txt file look like this:
KEY: [string of 32 characters]
The contents of the iv.txt file look like this:
IV: [string of 16 characters]
I'm running Windows 7 Professional 64-bit, and learned that OpenSSL doesn't come installed by default with Windows (apparently it's primarily used by Linux users?)
So, I've downloaded and installed a 64-bit OpenSSL package from here:
(https:)//slproweb.com/products/Win32OpenSSL.html
Specifically, the "Win64 OpenSSL v1.0.2d Light" build found here:
(https:)//slproweb.com/download/Win64OpenSSL_Light-1_0_2d.exe
Once installed, I had to manually configure my environment variable for the OpenSSL config files as such (from the command prompt):
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
I verified that the path information above was correct, and that the environment variable had stuck, and then attempted to run the following command:
openssl enc -d -K key.txt -iv iv.txt -in sample.encrypted -out sample.decrypted
This was based on the commands found here:https://www.openssl.org/docs/manmaster/apps/openssl.htmland here: https://www.openssl.org/docs/manmaster/apps/enc.html
The command breakdown being:
openssl - the OpenSSL base command
enc - the command used to begin encrypting/decrypting
-d - the tag used to specify decryption
-K - the tag used to specify the use of a key file
key.txt - the key file itself
-iv - the tag used to specify the use of an accompanying initialization vector
iv.txt - the IV file itself
-in - the tag used to specify the input file
sample.encrypted - the input file
-out - the tag used to specify the output file
sample.decrypted - the desired output file
As far as I can tell, the command works - the output file is generated, but its contents are not properly decrypted (it's just garbled text). I don't think there's anything wrong with the files that the client provided, but rather with my implementation of OpenSSL's commands to decrypt the file.
If anyone knows how to properly decrypt a file using provided Key and IV files, help would be greatly appreciated. I've been setting aside other responsibilities while Googling around trying to figure this out.

jarsigner "Only one alias can be specified"

In Windows command prompt:
>keytool -genkey -alias me
>keytool -selfcert -alias me
>jarsigner myJar.jar me
Only one alias can be specified
I have failed to find any info on this error on the web. I'm obviously only specifying one alias here. What could I be doing wrong?

I was getting the same error.
I resolved it by renaming the folders in my path
c:\this is a folder\ replaced with c:\this_is_a_folder\
jarsigner doesn't like spaces in folders

Just put quotes around the filename(s) with spaces. You need to quote arguments with spaces in them, to any program. Nothing to do with jarsigner whatsoever.

Remove the space from Folder Name like
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.jks D:\AndroidProject\CheckFinalCodeNew\CheckFinalCode\platforms\android\build\outputs\apk\android-release-unsigned.apk my-alias
The problem would be resolve

I had the same problem and solved it by switching to jarsigner from jdk 6. Although I created my cert with keytool from jdk 7, I could not sign it with its jarsigner.