Is -clientside supported by OpenPGPSigner workers?

[ralienpp]

I attempt to use the OpenPGPSigner to sign a JAR file as follows

.\signclient.cmd signdocument -workername OpenPGPSignerMaven 
    -infile test.jar 
    -outfile signed.asc 
    -host 127.0.0.1 -port 443 
    -truststore truststore.jks -truststorepwd "11111" 

The result is Client-side hashing and contruction is not supported. The error seems to be produced by the client itself, not by the server.

Am I invoking it incorrectly, or is it a known limitation of the client? If it is a limitation of the client, what alternatives can one use today?

[netmackan]

The -clientside flag is not supported by SignClient in Community Edition.

Or to be more correct the flag is supported, however currently there is no implementation in CE that supports parsing of the different file types, hashing them and then in the end inserting the signature in the correct place in respective type of file.

The example provided though should work. Just tried it out, allthough the Linux version of it. But I guess you mean that the same things does not work if you also add -clientside and -digestalgorithm, right?

[ralienpp]

If I omit -digestalgorithm the client complains that this mandatory parameter is missing.

Indeed, I use the community edition downloaded from the web-site. Our company does have a license for SignServer, should I ask my colleagues about a special version that they may have downloaded through other channels?

and then in the end inserting the signature in the correct place in respective type of file.

A relevant detail I use the OpenPGPSigner with a detached signature in an "armored" format. So the signed binary is unchanged, I get a separate file that has a base64-signature.

[ralienpp]

I tried it with the enterprise version and there's a different error:

[main] ERROR org.signserver.client.cli.defaultimpl.SignDocumentCommand - Failure for test.jar: org.bouncycastle.cms.CMSException: IOException reading content. There was a failure

I made sure I have read permissions for the input file. I also ran it while monitoring with "Process Monitor" (from Sysinternals, it shows all the file-system operations and their status). Note that my test environment is a Windows system, so the API calls below refer to the Windows API that java.exe invokes under the hood. My findings:

• Reading the input file was successful, all the API calls went through (e.g., CreateFile [roughly, this is the Windows API equivalent for fopen], ReadFile)
• The WriteFile calls for the target file are also successful

However, after it is written to, the file is open again with the FILE_DISPOSITION_DELETE flag, and after it is closed - it is indeed gone.

What I also found weird is that when the WriteFile calls are issued, the offset to which bytes are written grows steadily (as expected), but eventually it reaches values over 180K - this is strange, because the size of the signature file is ~491 bytes.

This is what a good run looks like (with server side hashing)

This is what a problematic run looks like:

Note the offsets which go waaaay beyond the expected size of the file, as well as the bottom part - where the resulting file is deleted (these calls don't occur when -clientside isn't used).

[ralienpp]

The same error occurs on Linux, so it doesn't seem to be a Windows quirk.

[netmackan]

Currently only SignClient from SignServer Enterprise has support for clientside hashing so yes you would need SignServer Enterprise for that and as you have an enterprise license you can use https://support.keyfactor.com to get help.

What would be asked then and is missing here is the exact command you are using (not the non-working from the first comment but the last you tried) as well as some information about the configuration of your worker "OpenPGPSignerMaven". Maybe you are trying to PGP-sign a JAR-file without telling SignClient not do attempt JAR signing (which is the default for JAR files)...