
CNG Provider: rdpsign.exe fails with 0x80090027 in bridge.cc:188 (unsupported legacy key spec specified: 0) #67

@alexmeneghin31-brz

Description


Hi,
I need to sign an RDP format file and I have issues.
Signtool.exe and Jsign work fine in Windows PowerShell, but they do not work for RDP files.
I tried to use "rdpsign.exe", but it is not working due to Google Cloud KMS certificate issues.
When I run certutil -user -repairstore my THUMBPRINT, the error message appears:

When running with "/v" it shows:

Contêiner da chave = projects//locations/global/keyRings//cryptoKeys//cryptoKeyVersions/1
I0424 13:10:15.936791 8916 logging.cc:81] returning 0x80090027 from OpenKeyFn due to status INVALID_ARGUMENT: at bridge.cc:188: unsupported legacy key spec specified: 0 [type.googleapis.com/kmscng.StatusDetails='SECURITY_STATUS=0x80090027']
Provider = Google Cloud KMS Provider
ProviderType = 0
Sinalizadores = 0
KeySpec = 0 -- XCN_AT_NONE
I0424 13:10:15.939649 8916 logging.cc:81] returning 0x80090029 from SetProviderPropertyFn due to status NOT_FOUND: at provider.cc:121: unsupported property specified [type.googleapis.com/kmscng.StatusDetails='SECURITY_STATUS=0x80090029']
I0424 13:10:15.939840 8916 logging.cc:81] returning 0x80090027 from OpenKeyFn due to status INVALID_ARGUMENT: at bridge.cc:188: unsupported legacy key spec specified: 0 [type.googleapis.com/kmscng.StatusDetails='SECURITY_STATUS=0x80090027']

Additional info:
The Problem:
Native Windows tools like rdpsign.exe and certutil -repairstore fail with error 0x80090027.

Direct Evidence from CNG Provider Logs:
returning 0x80090027 from OpenKeyFn due to status INVALID_ARGUMENT: at bridge.cc:188: unsupported legacy key spec specified: 0

Validation Tests Performed:

signtool.exe: Works correctly for executables (pure CNG).
gcloud kms asymmetric-sign: Works correctly via API (proves key and IAM are OK).
rdpsign.exe: Fails because it triggers a legacy KeySpec call that Google's bridge.cc explicitly rejects at line 188.
Impact:
Customers cannot sign RDP files with Cloud HSM keys, as rdpsign.exe is the only standard tool that correctly packages the certificate and signature into the RDP format. Manual signing via gcloud is insufficient as the MSTSC client requires the certificate blob which is handled by rdpsign.

Request:
Please update bridge.cc in the CNG Provider to support or gracefully ignore legacy key spec 0 when called by standard Windows SDK utilities.

Thank you.
Alexandre
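The report above turns on the difference between a key held by a CNG key storage provider (which has no AT_SIGNATURE/AT_KEYEXCHANGE key spec) and a legacy CryptoAPI CSP key (which does). Before filing a bug like this, it helps to confirm which model a certificate's private key actually uses. The following PowerShell script is an added example, not code from this issue or from the Google Cloud KMS CNG provider project; it reads the key-storage model, provider name and legacy KeySpec (where one exists) for a certificate in the user's personal store. The function name Get-PrivateKeyStorageInfo, the parameter names and the placeholder thumbprint are this example's own choices.

```powershell
# Added diagnostic example (not part of the issue or the KMS CNG provider).
# Reports whether a certificate's private key lives in a CNG key storage
# provider (KSP) or a legacy CryptoAPI CSP, and the legacy KeySpec if any.
# Tools that call the legacy key-spec path cannot be satisfied by a CNG-only key,
# which is the failure mode the issue above describes.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                       # placeholder: paste the thumbprint certutil printed
    [string]$StorePath = 'Cert:\CurrentUser\My' # matches "certutil -user ... my"
)

function Get-PrivateKeyStorageInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $info = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        KeyModel      = 'none'
        Provider      = $null
        KeyName       = $null
        LegacyKeySpec = $null
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    # GetRSAPrivateKey returns RSACng for keys held by a CNG KSP (including
    # third-party KSPs) and RSACryptoServiceProvider for legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

    if ($null -eq $rsa) {
        # Non-RSA key (e.g. ECDSA); not relevant to the RSA legacy key-spec path.
        $info.KeyModel = 'non-RSA'
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $info.KeyModel      = 'CNG (KSP)'
        $info.Provider      = $rsa.Key.Provider.Provider
        $info.KeyName       = $rsa.Key.KeyName
        # A CNG key has no AT_SIGNATURE / AT_KEYEXCHANGE key spec to report.
        $info.LegacyKeySpec = 'n/a (CNG key)'
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $csp = $rsa.CspKeyContainerInfo
        $info.KeyModel      = 'CryptoAPI (CSP)'
        $info.Provider      = $csp.ProviderName
        $info.KeyName       = $csp.KeyContainerName
        # KeyNumber is Signature (AT_SIGNATURE) or Exchange (AT_KEYEXCHANGE).
        $info.LegacyKeySpec = $csp.KeyNumber
    }
    else {
        $info.KeyModel = "other ($($rsa.GetType().Name))"
    }
    return [pscustomobject]$info
}

# Thumbprints are stored as upper-case hex without spaces; normalise the input.
$wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) { throw "No certificate with thumbprint $wanted in $StorePath" }

Get-PrivateKeyStorageInfo -Cert $cert | Format-List
```

Run it as `.\Get-PrivateKeyStorageInfo.ps1 -Thumbprint <thumbprint>` (assumed file name). A result of `KeyModel : CNG (KSP)` with a non-Microsoft provider name is the situation the issue describes: any consumer that insists on a legacy KeySpec will be refused by the KSP, while pure-CNG consumers such as signtool.exe keep working, so the output tells you whether a signing failure is a key or IAM problem or a key-model mismatch in the tool.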
