signtool: No private key is available (Google cloud HSM)

Question

I want to sign an MSIX package with an EV Code Signing Certificate I bought from Globalsign.

The keys are stored on Google Cloud KMS with a HSM storage type. I basically followed this article to generate my CSR and this this doc to know which argument I should pass to signtool.

My signtool command:

cmd /C '"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe"  sign /fd SHA256 /f .\final.cer /t http://timestamp.globalsign.com/tsa/r6advanced1 /csp "Google Cloud KMS Provider" /kc projects/redacted/locations/redacted/keyRings/redacted/cryptoKeys/redacted/cryptoKeyVersions/2 .\package.msix'

It returns this error: SignTool Error: No private key is available.

This error message makes me think that signtool cannot get the private key stored in kms but I can't find the reason. I'm logged into gcp using gcloud auth application-default login and my account has access to the KMS resource.

Has someone experienced this error?

I'm also wondering if an error during the CSR generation could cause this error.

What other tool could I use to sign my package on Windows?

Thanks!

Answer 1

I forgot to install the Google Cloud CNG Provider.

Also, the private key has to be generated with either EC_SIGN_P256_SHA256 or EC_SIGN_P384_SHA384. You should make sure your certificate provider is compatible with these algorithms.

Answer 2

What other tool could I use to sign my package on Windows?

You can use Jsign instead of signtool, it supports Google Cloud KMS out of the box, no need to install the CNG provider, and it works on any platform. The syntax looks like this:

jsign --storetype GOOGLECLOUD \
      --keystore projects/first-rain-123/locations/global/keyRings/mykeyring \
      --storepass <api-access-token> \
      --alias test/cryptoKeyVersions/1 \
      --certfile full-chain.pem package.msix

(disclaimer: I'm the author or this project)