I am attempting to sign a manifest using mage.exe with a certificate that is stored in Amazon CloudHSM.
I have the Amazon CloudHSM Windows Client installed which adds the Cavium Key Storage Provider and the Cavium CNG Provider providers. I can sign with signtool.exe using my certificate in CloudHSM but I cannot get mage.exe to work. I have the mage.exe for NETFX 4.7.2 so it has the -CryptoProvider parameter.
I have tried specifying both of the above providers for -CryptoProvider:
"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\mage.exe" -Sign myapp.exe.manifest -CertHash <thumbprint> -CryptoProvider "Cavium Key Storage Provider" -KeyContainer my
But I get:
Internal error, please try again. Invalid provider type specified.
What are the correct parameters for invoking mage.exe to sign a manifest with an alternate key storage provider?
NOTE: The certificate must be in an HSM. Using a certificate in a different store is not an option.
NOTE 2: Since I can sign with signtool.exe, the certificate is accessible, the CloudHSM is set up correctly, etc. This issue seems to be specific to accessing that certificate with mage.exe.
UPDATE: I used JetBrains dotPeek to disassemble the .NET Framework 4.7.2 mage.exe, exported it to a project, hacked the project enough to get it to compile, and I am able to sign with the hacked mage.exe. I only needed the -CertHash parameter and not -CryptoProvider. I'm not sure if it's a permissions issue, because some of what I took out to make it compile were assembly attributes and making it unsigned.
I'm not considering this resolved because I'd rather not use a hacked version of mage.exe for our production application. Plus I haven't even confirmed that I can sign the application and deployment manifests in a way that allows the ClickOnce app to deploy properly. This is just more info for finding the solution with the "authorized" mage.exe.
I ran into the same thing... I believe there's a bug in MAGE
Bug logged here: https://github.com/Microsoft/dotnet/issues/986
I had to recompile mage too, and re-target to .NET 4.7.2
I had to use the -CertFile, -CryptoProvider, and -KeyContainer to get it to sign, I couldn't figure out how to get -CertHash to work.
Note to find the Key Container:
Run
Then look for your certificate, and then use the "Key Container = XXXXX" value
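The following is an added example, not code from the question or the answer: a PowerShell wrapper that automates the answer's approach (export the public .cer, look up the KSP and key container behind the thumbprint, then sign with -CertFile/-CryptoProvider/-KeyContainer instead of -CertHash), and refuses to sign if the key turns out not to be backed by the HSM provider. It assumes that certutil -store prints "Key Container =" and "Provider =" lines for a certificate with a linked private key, that the Export-Certificate cmdlet is available, and the mage.exe path and provider name from the question; the thumbprint, store location and manifest name are placeholders.

```powershell
# Added example: sign a ClickOnce manifest with an HSM-backed key via mage.exe,
# using -CertFile/-CryptoProvider/-KeyContainer (the answer's working combination).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,             # SHA-1 thumbprint, no spaces (placeholder)
    [string] $Manifest         = 'myapp.exe.manifest',       # placeholder manifest name
    [string] $StoreLocation    = 'CurrentUser',              # or 'LocalMachine'
    [string] $ExpectedProvider = 'Cavium Key Storage Provider',  # KSP named in the question
    [string] $Mage = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.2 Tools\mage.exe'
)
$ErrorActionPreference = 'Stop'

# 1. Locate the certificate and export only its public part to a .cer file for -CertFile.
$cert = Get-ChildItem "Cert:\$StoreLocation\My" | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StoreLocation\My" }
$cerPath = Join-Path $env:TEMP "$Thumbprint.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 2. Ask certutil which provider and key container back this certificate.
#    Assumption: certutil -store prints "Key Container = ..." and "Provider = ..." for the cert.
$cuArgs = @()
if ($StoreLocation -eq 'CurrentUser') { $cuArgs += '-user' }
$cuArgs += '-store', 'My', $Thumbprint
$dump = (& certutil.exe @cuArgs 2>&1) | Out-String

$container = [regex]::Match($dump, 'Key Container = (.+)').Groups[1].Value.Trim()
$provider  = [regex]::Match($dump, 'Provider = (.+)').Groups[1].Value.Trim()
if (-not $container -or -not $provider) {
    throw "certutil reported no key container/provider for $Thumbprint (private key not linked?)"
}

# 3. Guard against signing with a key that silently fell back to a software KSP:
#    the key must live in the HSM provider, not in a local key store.
if ($provider -ne $ExpectedProvider) {
    throw "Key for $Thumbprint is held by '$provider', expected '$ExpectedProvider'; refusing to sign"
}

# 4. Sign: public cert from the .cer file, private key resolved through the KSP container.
& $Mage -Sign $Manifest -CertFile $cerPath -CryptoProvider $provider -KeyContainer $container
if ($LASTEXITCODE -ne 0) { throw "mage.exe failed with exit code $LASTEXITCODE" }
Write-Host "Signed $Manifest with container '$container' via '$provider'"
```

The provider check is the part worth keeping even if you script this differently: a thumbprint alone does not prove the private key is still in the HSM, but the provider name reported for the key container does.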