Problem
The AzureTrustedSigningService class hardcodes api-version=2022-06-15-preview in two places when constructing URLs for the Azure Trusted Signing API. Azure has deprecated this preview API version and now returns 401 Unauthorized for all requests using it, making the TRUSTEDSIGNING store type non-functional in jsign 7.1 through 7.4.
The error manifests as:
jsign: Unable to retrieve the certificate chain 'AccountName/ProfileName'
java.security.KeyStoreException: Unable to retrieve the certificate chain 'AccountName/ProfileName'
at net.jsign.jca.AzureTrustedSigningService.getCertificateChain(AzureTrustedSigningService.java:109)
...
Caused by: java.io.IOException: HTTP Error 401 - Unauthorized
(https://eus.codesigning.azure.net/codesigningaccounts/.../sign?api-version=2022-06-15-preview)
OAuth token acquisition succeeds (the credentials are valid), but the signing endpoint rejects the request because the API version is no longer supported. Testing with api-version=2024-02-05-preview confirms authentication passes and the endpoint responds normally.
Suggested fix
Make the API version configurable rather than hardcoded. This could be exposed as:
- A
--param or --ksparams CLI option (e.g., --param api-version=2024-02-05-preview)
- Appended to the
--keystore URL (e.g., --keystore "https://eus.codesigning.azure.net?api-version=2024-02-05-preview")
- Or at minimum, update the default to a currently supported version
Environment
- jsign versions tested: 7.1, 7.2, 7.4 (all affected)
- Azure Trusted Signing endpoint:
eus.codesigning.azure.net
- Working API versions (tested via direct REST calls):
2024-02-05-preview
- Platform: Linux (AWS CodeBuild, Amazon Corretto 17)
Problem
The
AzureTrustedSigningServiceclass hardcodesapi-version=2022-06-15-previewin two places when constructing URLs for the Azure Trusted Signing API. Azure has deprecated this preview API version and now returns401 Unauthorizedfor all requests using it, making theTRUSTEDSIGNINGstore type non-functional in jsign 7.1 through 7.4.The error manifests as:
OAuth token acquisition succeeds (the credentials are valid), but the signing endpoint rejects the request because the API version is no longer supported. Testing with
api-version=2024-02-05-previewconfirms authentication passes and the endpoint responds normally.Suggested fix
Make the API version configurable rather than hardcoded. This could be exposed as:
--paramor--ksparamsCLI option (e.g.,--param api-version=2024-02-05-preview)--keystoreURL (e.g.,--keystore "https://eus.codesigning.azure.net?api-version=2024-02-05-preview")Environment
eus.codesigning.azure.net2024-02-05-preview