From: Alan Sinclair
To: "cygwin AT cygwin DOT com"
CC: Alan Sinclair
Date: Thu, 29 Sep 2011 11:53:20 -0700
Subject: Cygwin LSA breaks code-signing -- how can I fix it?

After installing Cygwin LSA authentication, code signing fails coming in over ssh from another machine.

This is cygwin 1.7.9 on x64 Windows 2003 (CYGWIN_NT-5.2-WOW64 AlansW2033 1.7.9(0.237/5/3) 2011-03-29 10:10 i686 Cygwin).

Running locally, signing succeeds, but run in an ssh session the signing call gets:

    SignTool Error: ISignedCode::Sign returned error: 0x80092006
            No provider was specified for the store or object.

How can I get signing working with Cygwin LSA registered?

Details:

I installed and set up sshd using the ssh-host-config script (using default settings). At this point signing worked fine, but in a non-interactive ssh session Visual C++ failed (cl.exe /Zi got fatal error C1902), so the Cygwin LSA authentication package was registered using cyglsa-config. Now in an ssh session cl.exe works but signing fails. E.g.

    $ ssh alansi@10.217.120.208 bash '/home/alansi/sign/signtest.sh'

where signtest.sh is

    #!/bin/sh
    /cygdrive/c/signing/signtool sign -a -v \
      -n ' XXXXXXXX ' -sha1 "1234567812345678123456781234567812345678" \
      -t "http://timestamp.verisign.com/scripts/timstamp.dll" \
      -ac MSCV-VSClass3.cer -d "MyProg" ./mybinary.sys

gets this message:

    The following certificate was selected:
        Issued to: XXXXXXXX
        Issued by: VeriSign Class 3 Code Signing 2004 CA
        Expires:   2/5/2012 4:59:59 PM
        SHA1 hash: 1234567812345678123456781234567812345678

    Done Adding Additional Store

    Attempting to sign: ./mybinary.sys

    Number of files successfully Signed: 0
    Number of warnings: 0
    Number of errors: 1

    SignTool Error: ISignedCode::Sign returned error: 0x80092006
            No provider was specified for the store or object.

(Incidentally, this signing over ssh does work when run on the target machine; i.e. when ssh'ing onto itself.)

Fwiw I've also tried signing using the certificate (pfx) file with password. That also works locally but fails via ssh:

    #!/bin/sh
    /cygdrive/c/signing/signtool sign /f mycert.pfx /p password ./mybinary.sys

    SignTool Error: IStore2::Load returned error: 0x80070005
            Access is denied.
    SignTool Error: An error occurred while attempting to load the signing
            certificate from: mycert.pfx

This is a showstopper, so if the machine has to be rebuilt from scratch that's fine. It must be able to compile with Visual C++ (gc++ is not an option, unfortunately) and sign over ssh.

Thanks