signTool gives error not exists for existing file - signtool

I am using signTool like this:
Signtool sign /debug /v /s "Personal" /n www.site.com /t http://timestamp.digicert.com D:\file.exe
I have a certificate issued by www.site.com and this file.exe, but it gives me
SignTool Error: File not found:
If I try like this:
Signtool sign /debug /v /sm /n www.site.com /t http://timestamp.digicert.com D:\file.exe
I have this output:
The following certificates were considered:
Issued to:
Issued by: www.columbo.me
Expires: Sun Oct 27 00:00:00 2024
SHA1 hash: 242E4B72FB3E67417DD2C8FCC3A12084F73B18EA
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
What am I doing wrong?

Related

signtool: options interpreted as files on AppVeyor

I’m having this super weird behaviour on an AppVeyor build (Visual Studio 2019): In a shell script (cmd.exe), when signing my app with signtool, all the options are interpreted as files (signtool can sign multiple files at once).
The line "$WINDOWSKITBIN\\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v /debug "build\\TypeWorld.exe" produces:
Successfully signed: build\TypeWorld.exe
Number of files successfully Signed: 1
Number of errors: 10
SignTool Error: File not found: C:/Program Files/Git/tr
SignTool Error: File not found: http://timestamp.digicert.com
SignTool Error: File not found: C:/Program Files/Git/td
SignTool Error: File not found: sha256
SignTool Error: File not found: C:/Program Files/Git/fd
SignTool Error: File not found: SHA256
SignTool Error: File not found: N:/
SignTool Error: File not found: Jan Gerner
SignTool Error: File not found: V:/
SignTool Error: File not found: C:/Program Files/Git/debug
The wanted file TypeWorld.exe is signed, just without all the options, and all the options are interpreted as files to sign which then aren’t found, obviously.
I've confirmed the escaped backslashes and folder variable to be correct.
This line echo "$WINDOWSKITBIN\\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v /debug "build\\TypeWorld.exe"
produces the expected rendering: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n Jan Gerner /v /debug build\TypeWorld.exe
I tried running the same in PowerShell, to same result.
None of what the AppVeyor staff recommended (also by email) helped.
What did help in the end was not mixing Windows and Linux (WSL) environments. In appveyor.yml I was calling the build script through sh (or later bash, at the recommendation of AppVeyor staff):
build_script:
- cmd: C:\\msys64\\usr\\bin\\bash.exe wxPython/build/Windows/build-all.sh
Instead, for some commands it's better to keep things simple, so I converted the code signing part to a good old Windows batch file:
build_script:
- wxPython/build/Windows/build-sign.bat
Inside the batch file, the line
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v "build\\TypeWorld.exe" executes fine.
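The failure above is easy to miss because the binary still ends up signed, so a check that only asks "is the file signed?" passes: what is missing is the SHA-256 digest and the timestamp that the dropped /fd and /tr options were meant to add. As an added example that is not part of the original post, the PowerShell function below is a post-signing gate for the build script. It uses Get-AuthenticodeSignature to fail the build when a file is unsigned, signed by a certificate other than the expected one, or signed without a timestamp countersignature. The file globs and the thumbprint are placeholders.

```powershell
# Added example (not from the original post): fail a CI build when a binary
# is unsigned, signed by the wrong certificate, or signed without a timestamp.
# Paths and the thumbprint used below are placeholders.

function Test-SignedArtifact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the certificate the build must sign with.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [switch] $AllowMissingTimestamp
    )

    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Valid means the file hash matches and the chain is trusted on this machine;
    # NotSigned means the file carries no Authenticode signature at all.
    if ($sig.Status -ne 'Valid') {
        $problems += "status $($sig.Status): $($sig.StatusMessage)"
    }

    # Compare thumbprints rather than subject strings: /n is a substring match,
    # and a build agent may hold several certificates with the same CN.
    $wanted = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
    if (-not $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } elseif ($sig.SignerCertificate.Thumbprint -ne $wanted) {
        $problems += "signed by $($sig.SignerCertificate.Thumbprint), expected $wanted"
    }

    # A signature made without /t or /tr has no TimeStamperCertificate. Without a
    # countersignature the signature stops validating once the signing cert expires.
    if (-not $AllowMissingTimestamp -and -not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature (signtool ran without /t or /tr)'
    }

    $signer      = if ($sig.SignerCertificate)      { $sig.SignerCertificate.Subject }      else { $null }
    $timeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path        = $Path
        Ok          = ($problems.Count -eq 0)
        Signer      = $signer
        TimeStamper = $timeStamper
        Problems    = $problems
    }
}

# Usage at the end of the build script (globs and thumbprint are placeholders).
$expected = '0123456789ABCDEF0123456789ABCDEF01234567'
$results  = @(Get-ChildItem 'build\*.exe', 'build\*.dll' -File |
    ForEach-Object { Test-SignedArtifact -Path $_.FullName -ExpectedThumbprint $expected })

if ($results.Count -eq 0) { Write-Error 'no binaries found to check'; exit 1 }
$results | Format-Table Path, Ok, TimeStamper, Problems -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it from cmd or PowerShell rather than from the MSYS/Git bash that launched the build, since that is the environment in which the options were rewritten as paths; the gate then catches a binary that was signed with the defaults instead of the intended options.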

Signing executables fails inside Docker container

I am trying to sign .exe and .dll files inside a GitLab pipeline with a docker-windows setup, using the docker image:
mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019
I try to call these commands:
> sn.exe -R myfile.exe myKey.snk
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
When doing it locally on my machine the files get successfully signed:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Assembly 'myFile.exe' successfully re-signed
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Issued to: someone
Issued by: some-private-ca
Expires: Fri Aug 28 09:40:11 2020
SHA1 hash: hash
Done Adding Additional Store
Successfully signed: myFile.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
However, in the GitLab pipeline both the Strong Name Tool (sn.exe) and signtool.exe fail:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Failed to re-sign the assembly -- Error code: 80131701
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Done Adding Additional Store
I could not find out what error code 80131701 refers to.
In some cases people got the error code on System.Runtime.InteropServices.COMException (0x80131701).
Could this be caused by some certificate missing inside docker image, that is present on my computer?
To fix the sn command, I had to replace the local sn.exe file with C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe:
> C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe -R myfile.exe myKey.snk
To fix signtool command, it was necessary to import certificate in the docker container:
> # Placeholders as in the original: $myCertP12 holds the base64-encoded .p12 (e.g. from a CI variable), $myPassword its password. -Encoding Byte is Windows PowerShell 5.1 syntax (PowerShell 7 uses -AsByteStream).
> Set-Content myCert.pfx -Encoding Byte -Value ([System.Convert]::FromBase64String($myCertP12))
> # Import into the machine's trusted root store (the store chosen in the original) so the chain to the private CA validates inside the container
> Import-PfxCertificate -FilePath myCert.pfx -Password (ConvertTo-SecureString -String $myPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root
> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
> $cert.Import((Resolve-Path myCert.pfx).Path, $myPassword, 'DefaultKeySet')
> # -Certificate takes the X509Certificate2 object, not the .pfx path
> Set-AuthenticodeSignature -Certificate $cert -TimestampServer http://sha256timestamp.ws.symantec.com/sha256/timestamp -FilePath myFile.exe -HashAlgorithm SHA256

Signtool SignerSign() Error (-1073700864/0xc000a000)

Where can I find the meaning of this error for the program SignTool.exe?
"Error: SignerSign() failed." (-1073700864/0xc000a000)
I have been getting this error randomly for a few days when calling the command
signtool.exe sign /debug /a /tr http://tsa.starfieldtech.com /td SHA256 MyDll.dll
Thanks.
The same issue occurred using a GoDaddy code signing certificate to sign an MSI installer.
/tr specifies the URL of the RFC 3161 time stamp server.
Changing the url from http://tsa.starfieldtech.com to http://timestamp.digicert.com solves the problem.
signtool.exe sign /debug /a /tr http://timestamp.digicert.com /td SHA256 MyDll.dll
I was facing the same problem during a Jenkins build. The problem got resolved by adding a delay of some seconds before signing the next binary.
ping 127.0.0.1 -n 16 > nul
I had the same issue for the past two days with Sectigo (Comodo CA), where all my post-build signings kept randomly failing. It had been fine for two years and, interestingly, exactly one year to the day before the certificate expires these errors started happening. It seemed as though it would work with a single build, but for multiple builds it would randomly complain about one of them, and not always the same one.
Changing my post-build event from:
signtool.exe sign /f "$(ProjectDir)my-cert.pfx" /p mypassword /t http://timestamp.comodoca.com/authenticode "$(TargetDir)$(TargetName).dll"
to:
signtool.exe sign /f "$(ProjectDir)my-cert.pfx" /p mypassword /t http://timestamp.digicert.com "$(TargetDir)$(TargetName).dll"
solved the problem.
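The answers above converge on two workarounds for a SignerSign() failure they trace to the timestamp server: use a different RFC 3161 server, and pause between signings. The PowerShell wrapper below is an added example, not code from any of the posters, that applies both automatically: it tries each timestamp server in the list in turn, waits between attempts, and fails the build only when every server has failed for a file. It selects the certificate by thumbprint with /sha1 instead of /f and /p, so no PFX password appears on the command line or in the build log. signtool.exe on PATH, the server list, the thumbprint, the pause lengths and the file list are assumptions.

```powershell
# Added example, not from any of the answers above. Signs each file with the
# certificate selected by thumbprint (/sha1, from the CurrentUser\My store),
# trying each RFC 3161 server in turn and pausing between attempts, so a
# SignerSign() failure caused by a flaky timestamp server does not fail the build.
# signtool.exe on PATH, server list, thumbprint, pauses and files are assumptions.

$TimestampServers = @(
    'http://timestamp.digicert.com',   # the server the answers above switched to
    'http://timestamp.sectigo.com'     # a second RFC 3161 server as fallback (my choice)
)

function Invoke-Signtool {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [Parameter(Mandatory)] [string]   $Sha1Thumbprint,
        [string[]] $TimestampServer = $TimestampServers,
        [int] $AttemptsPerServer  = 2,
        [int] $RetryPauseSeconds  = 15,   # same idea as the "ping -n 16" delay above
        [int] $PauseBetweenFiles  = 3
    )

    foreach ($file in $Path) {
        $signed = $false
        :servers foreach ($tsa in $TimestampServer) {
            for ($attempt = 1; $attempt -le $AttemptsPerServer; $attempt++) {
                # Pass arguments as an array: PowerShell hands them to signtool.exe
                # one by one, so nothing re-parses "/tr" into a file name.
                $signArgs = @('sign', '/v', '/sha1', $Sha1Thumbprint, '/fd', 'SHA256',
                              '/tr', $tsa, '/td', 'SHA256', $file)
                $output = & signtool.exe @signArgs 2>&1
                $text   = $output -join "`n"

                # signtool exit codes: 0 = signed, 2 = signed with warnings, 1 = failed.
                if ($LASTEXITCODE -eq 0 -or $LASTEXITCODE -eq 2) {
                    if ($LASTEXITCODE -eq 2) { Write-Warning ("signtool warnings for {0}:`n{1}" -f $file, $text) }
                    Write-Host "signed $file (timestamp: $tsa, attempt $attempt)"
                    $signed = $true
                    break servers
                }
                Write-Warning ("signtool failed for {0} via {1} (attempt {2}):`n{3}" -f $file, $tsa, $attempt, $text)
                Start-Sleep -Seconds $RetryPauseSeconds
            }
        }
        if (-not $signed) { throw "all timestamp servers failed for $file" }
        Start-Sleep -Seconds $PauseBetweenFiles
    }
}

# Usage (thumbprint and paths are placeholders):
Invoke-Signtool -Sha1Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
                -Path 'bin\Release\MyDll.dll', 'bin\Release\Setup.msi'
```

Because the wrapper captures signtool's output, the reason for each failed attempt ends up in the build log next to the server that produced it, which is the evidence needed to decide whether a server should be dropped from the list for good.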

Give User Access To Sign A File

At the command prompt, as administrator, I can sign a file with signtool.exe. 15063.137. However, I am signing a file from within an app, and when I execute the same command from within the app, the command fails with an exit code of 1. I'm not 100% sure it's a permissions problem, but I'm guessing that it is. How can I give permission to the user that the app is running under to sign a file?
Do I need to give the user special permission to use the certificate I am using?
PS: I've tried importing the certificate in to Trusted Publishers for the computer account, but for some reason, the certificate doesn't show up there in mmc.
I run signtool with just a normal-rights command box and I do not see a UAC prompt.
But this is with the certificate exported as a pfx file, for example:
"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\SignTool.exe" sign /f c:\folder\cert.pfx /p PASSWORD /as /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "c:\folder\sub folder\file.exe"
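What decides whether a second account can sign with a certificate is where the private key lives and who may read it: a key imported into the administrator's own CurrentUser\My store sits in that user's profile and is not visible to an app running under another account, and a key in LocalMachine\My is usable only by accounts with read access to its key file (the setting certlm.msc exposes as "Manage Private Keys..."). signtool's exit code 1 means the command failed (0 is success, 2 is success with warnings), and its stderr text says why, so capture that output when running it from the app. The function below is an added example, not part of the answer above, that grants that key access from an elevated PowerShell prompt. The thumbprint and account name are placeholders; the two key directories are the standard locations for CNG and legacy CAPI machine keys.

```powershell
# Added example, not from the answer above. Gives an account read access to the
# private key of a certificate in LocalMachine\My, which is what signtool needs
# when it runs under that account. Thumbprint and account are placeholders; run elevated.

function Grant-PrivateKeyRead {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Account      # e.g. 'NT AUTHORITY\NETWORK SERVICE' or 'DOMAIN\svc-build'
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no private key in LocalMachine\My" }

    # The key material is a file under ProgramData; its name depends on whether
    # the key was stored by a CNG key storage provider or a legacy CAPI CSP.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw 'only RSA keys are handled here'
    }

    $keyFile = @(
        (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$uniqueName")             # CNG machine keys
        (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$uniqueName")  # legacy CAPI machine keys
    ) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $keyFile) { throw "key file '$uniqueName' not found under $env:ProgramData\Microsoft\Crypto" }

    # Read is enough to sign. Full Control would also let the account export or
    # delete the key, so grant the least that works.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    [pscustomobject]@{ Thumbprint = $Thumbprint; KeyFile = $keyFile; GrantedTo = $Account }
}

# Usage (placeholders). Afterwards the app's account can sign from the machine store without UAC:
#   signtool sign /sm /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 file.exe
Grant-PrivateKeyRead -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Account 'NT AUTHORITY\NETWORK SERVICE'
```

The PFX approach in the answer above works because the key is read from the file rather than from a store, so file permissions on the .pfx and knowledge of its password are the only access control; the key-file ACL above is the equivalent control for a key that stays in the machine store.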

Windows signtool.exe sign command /s option

When using the signtool to digitally sign a catalog file (*.cat), what does the /s option actually do?
Example:
signtool sign /s SomeStore c:/someCAT.cat
What does the SomeStore parameter for the /s option do? How does one confirm that this parameter is correct?
I have checked the Microsoft signtool documentation here: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx#sign, but it does not seem to provide this information.
The /s option refers to the Certificate Store from which the signtool will be obtaining the data (credentials) necessary to sign the catalog file. See the following:
Digital Certificates: https://msdn.microsoft.com/en-us/library/windows/desktop/aa381975(v=vs.85).aspx
Certificate Stores: https://msdn.microsoft.com/en-us/library/windows/desktop/aa386971(v=vs.85).aspx
Running the signtool with the verify command provides feedback on whether the store specified with the /s option was valid.
Example:
signtool verify /pa /v c:\someCAT.cat
where the /pa and /v are described here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
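This added example is not from either thread; it serves the /s question here and the first question on this page (the /n filter leaving 0 certificates). /s takes the store's system name, which is what the Cert: drive lists and what signtool opens; certmgr.msc shows display names instead, so "Personal" is the display name of the store signtool calls My, and /s "Personal" does not refer to the My store. The first function lists the names /s accepts; the second applies the four filters signtool /debug reports, in the same order, so you can see which one drops your certificate before running signtool. The store, location and subject strings in the usage lines are placeholders, and the emulation approximates signtool's internal matching rather than calling it.

```powershell
# Added example, not from either thread. Lists the store names signtool's /s
# accepts, then applies the same filters signtool /debug reports so you can
# see which one removes your certificate. Values in the usage lines are placeholders.

# /s takes the store's system name, which is what Cert:\ exposes. certmgr.msc
# shows display names: "Personal" is the display name of My, "Trusted Root
# Certification Authorities" of Root, "Trusted Publishers" of TrustedPublisher.
function Get-CertStoreNames {
    param([ValidateSet('CurrentUser', 'LocalMachine')] [string] $Location = 'CurrentUser')
    Get-ChildItem "Cert:\$Location" | Select-Object -ExpandProperty Name
}

function Find-SigntoolCandidate {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $Location = 'CurrentUser', # /sm selects LocalMachine
        [string] $Store = 'My',      # /s (signtool's default is My)
        [string] $SubjectName,       # /n    substring of the Subject ("Issued to"), case-insensitive
        [string] $IssuerName,        # /i    substring of the Issuer ("Issued by")
        [string] $Sha1               # /sha1 exact thumbprint
    )
    $storePath = "Cert:\$Location\$Store"
    if (-not (Test-Path $storePath)) {
        throw "no store named '$Store' under $Location; /s accepts: $((Get-CertStoreNames -Location $Location) -join ', ')"
    }
    $certs = @(Get-ChildItem $storePath)
    Write-Host "$storePath holds $($certs.Count) certificate(s)"

    # EKU filter: keep certificates carrying the Code Signing EKU, or no EKU extension at all.
    $codeSigning = '1.3.6.1.5.5.7.3.3'
    $certs = @($certs | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $codeSigning)
    })
    Write-Host "After EKU filter, $($certs.Count) certs were left."

    # Expiry filter: the certificate must be inside its validity period right now.
    $now = Get-Date
    $certs = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now })
    Write-Host "After expiry filter, $($certs.Count) certs were left."

    # Name filters. /n never looks at the Issuer, and an empty Subject matches nothing.
    if ($SubjectName) {
        $certs = @($certs | Where-Object { $_.Subject -and $_.Subject.IndexOf($SubjectName, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        Write-Host "After Subject Name filter, $($certs.Count) certs were left."
    }
    if ($IssuerName) {
        $certs = @($certs | Where-Object { $_.Issuer -and $_.Issuer.IndexOf($IssuerName, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        Write-Host "After Issuer Name filter, $($certs.Count) certs were left."
    }
    if ($Sha1) {
        $certs = @($certs | Where-Object Thumbprint -eq $Sha1.Replace(' ', '').ToUpperInvariant())
        Write-Host "After Hash filter, $($certs.Count) certs were left."
    }

    # Private Key filter: signing needs the key, not just the public certificate.
    $certs = @($certs | Where-Object HasPrivateKey)
    Write-Host "After Private Key filter, $($certs.Count) certs were left."

    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
}

# Usage (placeholders):
Get-CertStoreNames                                                          # My, Root, TrustedPublisher, CA, ... (no "Personal")
Find-SigntoolCandidate -Store My -SubjectName 'www.site.com'                # what  signtool sign /n www.site.com  will see
Find-SigntoolCandidate -Location LocalMachine -SubjectName 'www.site.com'   # the same for  /sm /n www.site.com
```

Read against the debug output in the first question: the empty "Issued to:" line means the certificate's Subject is empty, and /n matches a substring of the Subject, not of the Issuer, so no /n value can select it; passing the printed SHA1 hash with /sha1 selects the certificate without going through the name filter at all. signtool verify /pa /v, as the answer suggests, checks the signature on the file afterwards; it does not inspect the store that /s named.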
