Getting error: "Bad signature length" #214

henryharrod · 2024-03-27T18:38:12Z

henryharrod
Mar 27, 2024

When using Google Cloud KMS, I'm getting the following error when using jsign to sign a .exe in Debian. Any ideas what might be causing it?

net.jsign.bouncycastle.operator.RuntimeOperatorException: exception obtaining signature: Bad signature length: got 512 but was expecting 256
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$SigVerifier.verify(Unknown Source)
	at net.jsign.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder$RawSigVerifier.verify(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformation.doVerify(Unknown Source)
	at net.jsign.bouncycastle.cms.SignerInformation.verify(Unknown Source)
	at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:368)
	at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:338)
	at net.jsign.SignerHelper.sign(SignerHelper.java:550)
	at net.jsign.JsignCLI.execute(JsignCLI.java:117)
	at net.jsign.JsignCLI.main(JsignCLI.java:40)
Caused by: java.security.SignatureException: Bad signature length: got 512 but was expecting 256
	at java.base/sun.security.rsa.RSASignature.engineVerify(RSASignature.java:215)
	at java.base/java.security.Signature$Delegate.engineVerify(Signature.java:1435)
	at java.base/java.security.Signature.verify(Signature.java:789)
	... 9 more
Try `java -jar jsign.jar --help' for more information.

ebourg · 2024-03-27T20:34:57Z

ebourg
Mar 27, 2024
Maintainer

It looks like the private key in Google Cloud KMS is a 4096 bit key, but the public key in the certificate is a 2048 bit key.

0 replies

oleksii-tymofieiev · 2024-03-29T01:03:00Z

oleksii-tymofieiev
Mar 29, 2024

@ebourg I seem to have the same issue.

Should the certifying company re-issue the certs for us to correspond to the private key?

JIC I am building the full chain using this command:
gcloud kms keys versions get-certificate-chain 1 \ --key key_name \ --location location \ --keyring keyring_name \ --output-file google-full-chain.pem

2 replies

ebourg Mar 29, 2024
Maintainer

Does google-full-chain.pem contain your signing certificate, or only the root and intermediate CA certificates?

oleksii-tymofieiev Mar 29, 2024

There were 4 entities in the generated file.

I tried to generate the same manually with cat and in this case the chain was accepted.

So the issue was probably with how my initial file was generated.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Getting error: "Bad signature length" #214

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Getting error: "Bad signature length" #214

Uh oh!

henryharrod Mar 27, 2024

Replies: 2 comments · 2 replies

Uh oh!

ebourg Mar 27, 2024 Maintainer

Uh oh!

Uh oh!

oleksii-tymofieiev Mar 29, 2024

Uh oh!

ebourg Mar 29, 2024 Maintainer

Uh oh!

oleksii-tymofieiev Mar 29, 2024

henryharrod
Mar 27, 2024

Replies: 2 comments 2 replies

ebourg
Mar 27, 2024
Maintainer

oleksii-tymofieiev
Mar 29, 2024

ebourg Mar 29, 2024
Maintainer