I downloaded the 1.1.0 version of the CoseSignTool and the required .NET dependencies. When I ran the CoseSignTool.exe without any arguments it hit an exception:

%> CoseSignTool.exe
Unhandled exception. System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at CoseSignTool.CoseSignTool.Main(String[] args) in D:\a\CoseSignTool\CoseSignTool\CoseSignTool\CoseSignTool.cs:line 27

This is unexpected, I expected the tool to print out it's help text.

Note that when I passed in --help it worked as expected:

%> CoseSignTool.exe --help

*** CoseSignTool ***
A tool for signing, validating, and getting payload from Cose signatures.

Usage:
    ...

Currently CoseSignTool.exe sign supports signing with password protected .pfx certificates with the /Password argument. The user should be prompted for the password at runtime so we can consume it as a secure string.

Is this tooling capable of performing signing using KSP / CSP?

CoseSignTool.exe validate appears to falsely report successful validation when the certificate chain does not lead to a known root.

This appears to be isolated to just the CoseSignTool.exe validate command line tool and not the CoseHandler API.

Repro steps:

1.) Produce a detached COSE signature (See: Sign command)
1.) Make sure that the root CA of the signing certificate is not installed in trusted root store
2.) Attempt to call CoseSignTool.exe validate on the payload and previously produced .cose file with no /Roots specified
3.) Observe "Validation succeeded message"

It's time to review and renew the intent of this repository

An owner or administrator of this repository has previously indicated that this repository can not be migrate to GitHub inside Microsoft because it is going public, open source, or it is used to collaborate with external parties (customers, partners, suppliers, etc.).

Action

👀 ✍️ In order to keep Microsoft secure, we require repository owners and administrators to review this repository and regularly renew the intent whether to opt-in or opt-out of migration to GitHub inside Microsoft which is specifically intended for private or internal projects.

❗Only users with admin permission in the repository are allowed to respond. Failure to provide a response will result to your repository getting automatically archived. 🔒

Instructions

❌ Opt-out of migration

If this repository can not be migrated to GitHub inside Microsoft, you can opt-out of migration by replying with a comment on this issue containing one of the following optout command options below.

@gimsvc optout --reason <staging|collaboration|delete|other>

Example: @gimsvc optout --reason staging

Options:

• staging : My project will ship as Open Source
• collaboration : Used for external or 3rd party collaboration with customers, partners, suppliers, etc.
• delete : This repository will be deleted because it is no longer needed.
• other : Other reasons not specified

✅ Opt-in to migrate

If the circumstances of this repository has changed and you decide that you need to migrate, then you can specify the optin command below. For example, the repository is no longer going public, open source or require external collaboration.

@gimsvc optin --date <target_migration_date in mm-dd-yyyy format>

Example: @gimsvc optin --date 03-15-2023

Need more help? 🖐️

• Email [email protected]. ✉️
• Post your questions in GitHub inside Microsoft Team in Microsoft Teams.

I tried to use this tool to sign SBOM for our driver package with PFX certificate with password and got error.

>"H:\Program Files\Windows Kits\10\Tools\10.0.26063.0\x64\CoseSignTool.exe" sign /PayloadFile NetKVM.sbom.json /PfxCertificate VirtIOTestCertPass.pfx
COSE Sign failed.
The specified network password is not correct.

If I try to use a certificate without a password, everything works.
How should I specify the password for the certificate? How can I use this tool to sign SBOM with an EV Code Signing token certificate?

Best regards