DigiCert and Google KMS signing

[oleksii-tymofieiev]

Hello,

Asking for help/additional reading link on this seemingly trivial issue.

   jsign

   --storetype GOOGLECLOUD \

   --keystore projects/.../keyRings/Code-Signing-Certs \

   --storepass $(gcloud auth application-default print-access-token) \

   --alias DigiCert_EV-Code-Signing/cryptoKeyVersions/1 \

   --certfile full_chain.pem  OS.exe

Adding Authenticode signature to OS.exe
jsign: Couldn't sign OS.exe

java.security.SignatureException: Signature verification failed, the private key doesn't match the certificate
at net.jsign.AuthenticodeSigner.verify(AuthenticodeSigner.java:498)
at net.jsign.AuthenticodeSigner.createSignedData(AuthenticodeSigner.java:382)
at net.jsign.AuthenticodeSigner.sign(AuthenticodeSigner.java:354)
at net.jsign.SignerHelper.sign(SignerHelper.java:394)
at net.jsign.JsignCLI.execute(JsignCLI.java:134)
at net.jsign.JsignCLI.main(JsignCLI.java:40)
Try `jsign --help' for more information.

The key was created according to the instructions here: https://cloud.google.com/kms/docs/reference/pkcs11-openssl
The full_chain.pem is the file generated by DigiCert console and actually consists of the three certificates provided by DigiCert.
The key is attested successfully in Google Cloud by the platform's attestation Python script.

Please advise what can be wrong here. It looks like something really simple is missing in what I am doing.

[ebourg]

If you've generated a RSA-PSS key that may be the issue. You need a PKCS#1 v1.5 one.

[oleksii-tymofieiev]

Thank you, we did generate the RSA-PSS key.
Trying with PKCS#1 v1.5 now.

[oleksii-tymofieiev]

Looks like an already known issue:
#203