Why does signtool.exe only find certificate when run as admin? - windows

I'm setting up a new development laptop, and have installed a self-issued code signing certificate. I can see it in certmgr under my Current Users's Personal Certificates.
When I try to build from the Developer Command Prompt For Visual Studio 2017 I get:
error : SignTool Error: No certificates were found that met all the given criteria.
This always worked fine on my old laptop.
I have found if I run the same build from the command prompt after starting it as admin that signtool succeeds and can find the cert.
This has happened to 3/4 colleagues when we've set up new laptops. One guy is ok and can sign without running as admin. On our old laptops we never had to run as admin.
I've tried googling to find what could be the cause because I wasn't aware that running as admin or not should have any affect over this. I haven't found any reference to this problem.
How can we use signtool.exe without running it as admin?
When not running as admin it appears to be at the Private Key filter step where the cert I'm expecting to be selected gets filtered out:
**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.9.12
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************
C:\>signtool sign /v /debug /ph /i "<issuedby>" /fd sha256 /td sha256 "C:\TestSign.dll"
The following certificates were considered:
Issued to: Scott Langham
Issued by: <issuedby>
Expires: Sun Sep 25 09:54:55 2022
SHA1 hash: <a_hash>
Issued to: Scott Langham
Issued by: <issuedby_somethingelse>
Expires: Wed May 13 15:51:14 2020
SHA1 hash: <b_hash>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Issuer Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I've ensured the version of signtool.exe I'm using is the same as the one that my colleague who has this working is using (10.0.18362.1). I've been able to spot any other differences between our systems.

I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.
Run 'mmc' and add the 'Certificates' snap-in
Select the correct key store location
(mine is in Local Computer so I select 'Computer account' here)
Find and select the certificate
Right click on the certificate, select All Tasks > Manage Private Keys...
In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.
Note: If you use a build machine, do the above steps for the account that performs the builds.

Similar to what #Baget said, I'd compare the certificates on your machine to that of your colleague who can successfully run the SignTool.exe command without the elevation token. Here's a chunk of PowerShell to assist you:
get-childitem -Path Cert:\ | foreach-object ({
$location = $_.Location
foreach($store in $_.StoreNames.Keys) {
get-childitem -Path "Cert:\$location\$store" | foreach-object ({
$thumb = $($_.ThumbPrint)
$issuer = $($_.Issuer)
if ($issuer -eq "CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE") {
write-host "$location $store $issuer"
}
})
}
})
Bear in mind that the output of the above may differ slightly if you run as a normal user and 'run as admin'.
Finally, do you and your colleague have the same UAC settings?

I found myself in a similar situation with signtool, it refused to work with an admin user but does work as actual Administrator.
In my case, I am not actually importing the certificate into the certificate store, but using a .pkcs12 file exported from a comodo certificate in firefox, so this makes things even stranger, as no permissions on any keys in the store are involved.
I tried granting myself permissions on some server key, but that did nothing.
I hope someone finds a solution to this problem.
In the meantime, I am signing my exe with osslsigncode instead, which works perfectly.
I extracted the exe and dependent dlls from the msys2 mingw64 build, here is a zip of everything in case it is of use to anyone, just extract it to a directory and put it in your PATH.
http://cachemiss.com/files/osslsigncode.zip
To extract this program yourself from an msys2 installation, you can use this command:
pacman --noconfirm -S mingw-w64-x86_64-osslsigncode
cd /mingw64/bin
mkdir ~/osslsigncode
cp osslsigncode.exe $(ldd osslsigncode.exe | sed -n 's,^.*\(/mingw64/[^ ]*\).*,\1,p' | sort -u) ~/osslsigncode/
cd
zip -9r osslsigncode.zip osslsigncode
I am using this in Visual Studio cmake builds with no issue.

There are two Certificate Store in Windows, User Store, and a machine store, you probably installed the certificate to the local machine, or you installed it when you run as elevated user.

Firstly you are getting such an error and you are using visual studio then See the signing tab in project properties. You will see a previously assigned signature (strong assembly)
If you enter the correct password here:
If your environment is the same as the environment in which the project is written, you will skip this error. Look the post on about the error
The reasons behind this error are:
1- Visual Studio needs some features when using certificate file to sign strong assembly.
ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer's Signing Page
You can try this code to determine
signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe
2- These settings can vary from machine to machine, and windows does not write these settings to the environment setting by default. check the config path
This part is just a deep note! not interested with the question you should add your private keystore file to request header and those all for this. My favorite steps about the creation of a certificate on this post

Related

Getting An error occurred while signing: Failed to sign file.exe. SignTool Error: No certificates were found that met all the given criteria

OK - so this is really odd. I have a TFS build that signs a file and I'm getting the message above. If I look at the log from the build it says that it successfully signed and timestamped my file, (there's a .proj file that manually calls signtool) but below that in a different step (not sure where exactly) - I assume that its in the ClickOnce signing I get the error.
I'm able to sign the file myself using Signtool using the same parameters as the build uses so I thought perhaps I needed to import he cert, so I opened mmc, added the certificates snap-in, went through the Import Wizard using Local Machine to install it (the TFS build runs under a different account than mine and I don't know the password for that account so I figured that installing it at a machine level would work). I browsed for the file and imported it successfully in the Trusted Root Certification Authorities (see below):
and still I get the error when I build. The signtool is called from a .proj file called in the TFS build, but then again by the build during ClickOnce. After importing the cert through the VS screen I now see this:
And get this error:
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Unable to find code signing certificate in the current user’s Windows certificate store. To correct this, either disable signing of the ClickOnce manifest or install the certificate into the certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Cannot import the following key file: . The key file may be password protected. To correct this, try to import the certificate again or import the certificate manually into the current user’s personal certificate store.
C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets (2718): Importing key file "les.pfx" was canceled.
The cert is in the same folder as the .csproj as well as being imported into the store.
Here's the cert info and the Thumbprint matches what's in the .csproj file:
Any ideas what I could be missing here?
According to the error message, you have to import the certificate into agent machine's personal store. When you reference the certificate from the personal store, it will not ask for the password, and thus you can access your code signing certificate.
If multiple projects being built with ClickOnce, then you have to import the certificate into each of the projects.
Please try to use the Visual Studio Command Prompt to import the certificate in your build agent machine:
Click Start → All Programs → Microsoft Visual Studio → Visual Studio
Tools → Visual Studio Command Prompt.
Type the following command sample:
sn -i "c:\Pathtofile\.pfx" VS_KEY_C1D3ACB8FBF1AGK4
Note: The sn.exe with the -i parameter, installs a key pair from into a key container named.
Re-import the pfx file into Visual Studio.
You can also try to create a PowerShell script and run pre-build scripts in your build definition to import the certificate.
The PowerShell script sample for your reference:
$pfxpath = 'pathtoees.pfx'
$password = 'password'
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxpath, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"PersistKeySet")
$store = new-object system.security.cryptography.X509Certificates.X509Store -argumentlist "MY", CurrentUser
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($cert)
$store.Close()
Reference these threads:
Visual studio team services deploymen/buildt certificate error
Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'
Build and Publish a ClickOnce App using Team Build/VSO. (The last section about using a certificate from store)

Code signing with signtool fails due to private key filter

While trying to sign some installer created by the company I am working for I encountered an error, which I have not been able to solve. I am using the same certificate which has been used on another machine (Win7) successfully in the same way for signing quasi the same installer. Anyway, on our Windows Server 2008 which is running CruiseControl.net I tried to sign an installer with signtool.exe and it fails with the following error:
The following certificates were considered:
Issued to: <our company>
Issued by: <some ca>
Expires: <is valid>
SHA1 hash: <...>
Issued to: <...>
Issued by: <...>
Expires: <...>
SHA1 hash: <...>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I tried installing the certificate to different certificate stores, tried different versions of signtool.exe and tried to use the .cer file directly, but it made no difference. I am receiving the error mentioned above in all of the cases. I tried the following command line commands
signtool.exe sign /debug /n "MyCompany" C:\my\installer.exe
signtool.exe sign /debug /f C:\path\to\my\certificate.cer C:\my\installer.exe
but I left the /debug away in some cases. Is there anything I am doing wrong or missing?
I had the same symptom, but an altogether different cause. As many developers do, I have a bunch of different tool chains installed on my system. I just surveyed them to show how this can look; scroll to the bottom of this answer for the full list.
I had installed my code-signing certificate from VeriSign to the system certificate store (requires /sm with signtool.exe) as usual, using certutil -importPFX cert.pfx from an elevated command prompt.
First tests looked promising, but then suddenly the signing started to fail.
To debug the issue I first started using signtool.exe sign /debug /v /a /sm ... in order to see what goes wrong. The output looked like this (also see question):
The following certificates were considered:
Issued to: localhost
Issued by: localhost
Expires: Tue Dec 26 00:00:00 2017
SHA1 hash: <...>
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Root Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I could rule out the missing private key, as the certificate store indicated clearly I have a matching private key:
Now I remember that there were some recent patches that allow Windows 7 to accept signatures made with a certificate that has a SHA256 hash. Although, of course, most older articles will state that Windows 7 cannot handle SHA-2 hashes at all.
So this already gave me a nudge into the direction of "it's got to be an old version of something involved in signing".
I still decided to remove the certificate plus key and reimport it using the invocation shown before.
Then, after surveying my system (see at the bottom of the answer), I found a whopping five different versions of signtool.exe. So I started by trying the newest one (6.3.9600.17298, from the Windows 8.1 SDK) and it worked immediately:
signtool.exe sign /debug /v /a /sm /r VeriSign /ac MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" *.exe
The following certificates were considered:
Issued to: localhost
Issued by: localhost
Expires: Tue Dec 26 00:00:00 2017
SHA1 hash: <...>
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Root Name filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 13:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 19:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: Symantec Class 3 SHA256 Code Signing CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Dec 09 23:59:59 2023
SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
The following additional certificates will be attached:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 19:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: Symantec Class 3 SHA256 Code Signing CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Dec 09 23:59:59 2023
SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
Done Adding Additional Store
Successfully signed: <...>.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Tracking this down further I thought I had found the issue. However, it turned out that the error I got is not what I would have gotten to see with the older signtool.exe versions. Instead older versions would have complained about /ac, /fd and /ph being unrecognized command line options, respectively.
So I needed to dig a little deeper and it turned out that my (alternative) file manager was the culprit. I usually start my command prompts in the respective folder using that file manager and a handy keyboard shortcut. It turns out that it sometimes does not pass the environment variables - essentially the file manager "forgets" the environment variables. This turned out to be the root cause. A command prompt opened using Win+R and then cmd Enter would not expose this behavior despite executing signtool.exe from the same folder.
My best guess from this is that due to a messed up PATH variable or similar, signtool.exe ended up picking the wrong DLL. Notably mssign32.dll and wintrust.dll accompany signtool.exe in the same folder for the Windows SDK 8.0 and 8.1, but not for any of the earlier versions of signtool.exe which will pick the "global" system-wide DLLs, whatever they turn out to be.
On my system I had five different versions of signtool.exe.
signtool.exe 5.2.3790.1830
Doesn't even understand the /ac and /ph arguments I was using (also not /fd). But strangely enough worked without those two arguments.
C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe
signtool.exe 6.0.4002.0
Doesn't even understand the /ac and /ph arguments I was using (also not /fd). But strangely enough worked without those two arguments.
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Tools\Bin\signtool.exe
signtool.exe 6.1.7600.16385
First version to understand /fd sha256.
C:\WINDDK\7600.16385.1\bin\amd64\SignTool.exe
C:\WINDDK\7600.16385.1\bin\x86\SignTool.exe
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe
signtool.exe 6.2.9200.20789
C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool.exe
C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe
signtool.exe 6.3.9600.17298
C:\Program Files (x86)\Windows Kits\8.1\bin\arm\signtool.exe
C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe
C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe
In order to sign a file you need to have the certificate's private key, which is not included in the *.cer file you copied from the Windows 7 machine. To export the certificate with its private key you can follow the instructions supplied here.
Do note that you'll only be able to export the private key if the certificate was set to allow exporting it when it was created (by passing -pe to makecert)
Just to be sure...
You need an special "code sign" certificate to be able to sign your code...
I have wasted a few hours by trying to sign our app with our domain certificate, what is not possible.
I had the same issue on Win7 machine and tried everything that good people suggested in this post with no luck. Then, even my machine has only one account and it has admin privileges, I opened command prompt window by "Run as administrator" and then all versions of signtool.exe that I have installed start working.
I had same problem as mentioned. This is what I did - assuming you have setup the rest of the pre-requisites for code signing.
Closed the solution and closed the VS IDE
Launched the Visual Studio IDE with Run as Administrator privileges
Open the solution and rebuild it
This time the signing process was successful.
I presume you have the right cert file and private key for signing and also imported the cert to the Trusted store.
If not, you can continue to read more.
Import the pfx file - "xyz.pfx" :: Open command prompt (launch - Run
as Administrator privileges) and run the following command
certutil.exe -p mypassword -importpfx xyz.pfx
An output from the command is shown below as example:
Certificate "CN=Name of the Cert, O=BLAH, OU=BLAH, E=john.doe#yourorg.com" added to
store.
CertUtil: -importPFX command completed successfully.
Add the certificate to the Trusted Root Certification Authorities by using the following command. There are many ways to do but I used this. Open command prompt (launch - Run as Administrator privileges) and run the following command
certmgr.exe -add -c mycertificate.cer -s -r localMachine root
You will see an output message like this
CertMgr Succeeded
Sign the assembly. Simple process from Visual Studio IDE.
Right click the Project in your solution and open its properties.
Open Signing section and click on Sign the Assembly check box (Enable it)
Choose the pfx file using Browse option and enter the password
you can also create a new one but you need a cert file that match to this pfx file, otherwise your signing will fail.
Save the changes
Now, Click on Build Events section and click Edit Post-Build to open the editor for post build events. Enter the following command.
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /v /sm "$(TargetPath)"
Path of the signtool.exe depends on where/whether you have installed the Windows SDK.
Now build the solution, your solution should build successfully and your binaries signed. Ensure to run the VS IDE with Administrator privileges.
I also had to sign a file, using a certificate which I received from another source (similar to you). For me, the issue was that I only installed the certificate on my PC with the "Current User" option. Once I installed it, using the "Local Machine" option, it worked.

Cannot see self created certificate in certmanager?

I followed the steps in my answer to create a certificate. I will use this cert on my own computer. The command succeeded, but I see no personal certificate in cert manager (certmgr.msc). Answer - How do I create client certificates for local testing of two-way authentication over SSL?
Steps:
Launch Vs2010 Command Prompt: Start ► All Programs ► Visual Studio 2010 ► Visual Studio Tools ► Visual Studio Command Prompt (right click and Run as Administrator)
Create a self-signed (-r), private key exportable (-pe), saving to personal folder (-ss my) under local machine (Local Computer, sr localmachine), named (-n) "YangsoftCA",common name (-in) "Yangsoft.com" with private key file (-sv) as "YangsoftCA.pvk" and public key file "YangsoftCA.cer"
Command:
C:\Windows\system32>makecert -r -pe -ss my -sr LocalMachine -n "CN=YangsoftCA" -sv "YangsoftCA.pvk" YangsoftCA.cer
Above succeeded
Password was prompted to secure the private key file
This is what my cert manager looks like. There is nothing under personal certificates.
I was hoping that yangsoft would appear there.
How do I find out what happened and how do I see my cert ?
make sure you are checking under user certificate, not in computer certificate:
Go to mmc.exe. Follow the steps:
MMC > File > Add/remove snap-in > Certificates > You get three options:
My user account
Service account
Computer account
I don't know what it means, so I took My user account. It seems to be my lucky card in other problems.
Finish.
Then you will need to activate IIS server manager on your system:
control panel > programs and features > turn windows features on or off > IIS, the full name > ok
Once done, it can be seen in mmc.exe. In IIS server, under IIS list, click server certificates > create self signed certificate. Enter some stuff and you should be done.

Cannot import the following key file error when importing pfx

I researched this question thoroughly on stackoverflow and I have seen numerous answers but none of them have worked for us yet. We recently bought a code signing certificate from comodo that we are going to use to sign our c# WPF .net4 application. We have followed the instructions on the following URL
and have then imported the certificate in visual studio under 'project properties->singing->sign the assembly'. We then try to build the project and get the following error:
Cannot import the following key file: comodo.pfx. The key file may be password protected. To correct this, try to import the certificate again manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_xxxxxxxxxxxxxxx.
We have found numerous solutions on the internet and have tried the following:
Click on Change Password and use the same password in all 3 places
sn -i [comodo].pfx VS_KEY_xxxxxxxxxxxxx
tried converting it to password-less snk file and use that instead of .pfx
Tried running visual studio as admin and importing key
Tried creating very simple barebones project and signing with that
Tried visual studio 2010 as well as 2012
We tried adding the following to the assembly [assembly: AssemblyKeyFile("path to key file")]
Added event in postbuild "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)[keyfile].pfx" /p [thepassword] /v "$(ProjectDir)obj\Release\$(TargetFileName)"
Added in a section in the .csproj file:
Downloaded http://visualstudiogallery.msdn.microsoft.com/a83505c6-77b3-44a6-b53b-73d77cba84c8 and clicked 'Apply Fix' on the error
We have had no success thus far. We can import the key just fine using the password so we know the password is correct. We also know that this works fine for signing the manifest in a clickonce publish. Just to make sure we weren't having any other issues, we turned off the cilckonce signing and are just trying to sign the assembly.
You can simply open "Project > Property > Signing" and uncheck the "Sign the ClickOnce manifests" checkbox.
I have learned that Visual Studio doesn't seem to handle subordinate certificates very well. I tried several certs on multiple machines (different OS/VS combinations) with the same results. I finally found this as a workaround:
Sign the assembly with
signtool sign /f "[path to pfx]" /p [password] /v "[path to assembly]"
Build your installer with mageUI (see "Manually Deploying a ClickOnce Application")
The issue with Visual Studio seems to be that it does not like certificate chaining. This you can solve by importing/exporting the certificate without the chaining. The next issue is addressed by using the certutil and export with the AT_SIGNATURE. I was able to import it into VS and build, however it doesn't seem to sign the assembly.
I got similar error. Solved it by choosing Install PFX from a context menu in Windows Explorer.
Another 'worked for me' ...
Right-clicked on the PFX in Windows Explorer, chose 'Install PFX' and in the wizard supplied the password. Then in the project properties in VS, under 'Signing' chose 'Change Password' and re-entered the password. Prior to this only running VS as administrator would work.
Best solution I can think of is go to Project --> Properties --> Choose a strong name key file dropdown and select "New" --> Create the key and then go to Certificate section on top --> click Select from File and choose the new Key you created --> Build Solution --> Publish.
For me following worked,
First Install certificate by double clicking on it. then,
Project Properties -> Signing -> If 'Sign the ClickOnce manifests' is checked -> click on 'Select from file' and select .pfx file and it should show all the certificate valid details like Issued to, Issued By, Intended Purpose etc.
I had the same issue. I am building the application from a thumb drive on numerous computers and believe this is the cause.
I found success with the "sn -i [comodo].pfx VS_KEY_xxxxxxxxxxxxx" method.
I did the following steps:
Run "Developer Command Prompt" as administrator (found in Start->All Programs->Visual Studio->Tools)
Navigate to your key directory (for me this was the root of my project directory, not the solution directory)
Execute "sn -i mykey.pfx VS_KEY_xxxxxxxxxxxxx" (mykey.pfx and VS_KEY_xxxxxxxxxxxxx are both found in the build error message)
Enter the password if required
When I tried this without running "Developer Command Prompt" as an administrator, I get the help display text when running "sn -i mykey.pfx VS_KEY_xxxxxxxxxxxxx" and it does not work. The trick was to make sure I ran the develop prompt as an administrator.
For context, I am using VS Community 2013.5, Window 7 x64 Professional, and NET Framework 4.7
Navigate to Project Properties --> Signing
Please select corresponding *.pfx file from drop down.
Enter the previous password used for code signing. (password: ask the person who has signed the assembly and created the self signed certificates and code signed)
(optional) It automatically adds your certificate as trusted. It can
be seen using Management console window ( run MMC command and add
certificate add-snaps to see the certificate)

How to make and deploy a self-signed ClickOnce manifest with Visual Studio 2012

Let's get this out of the way... I :
use Visual Studio 2012
develop VB.NET applications - mostly .NET framework 3.5, some 2.0.
use Windows 7 for development (users are also using Windows 7. There are a small number of internal users (less than 40).
I am also going to state that I am new at this and don't fully understand this process. I do understand the underlying concepts of encryption/hashing/keys etc., but I can't tell you why you might need a .cer file and not a .pfx file.
Now then...
We have an application that uses a certificate to sign its manifest that has worked for three (or so) years. We recently upgraded from Visual Studio 2008 to Visual Studio 2012, having basically skipped Visual Studio 2010. Somewhere in that process the certificate is now invalid or corrupted.
The proposed solution: Make a new one with makecert.exe "just like we did last time". No sense paying for a certificate when all we need it for is our own small set of users and the small convenience of not seeing that "do you trust this publisher?" message (I think?).
When trying to publish, the exact error is:
Cannot publish because a project failed to build.
An error occurred while signing: Failed to sign
bin\Release\app.publish\setup.exe. SignTool Error: The signer's
certificate is not valid for signing. SignTool Error: An error
occurred while attempting to sign: bin\Release\app.publish\setup.exe
Now, the article Support Certificates In Your Applications With The .NET Framework 2.0 says:
for desktop applications, you typically install certificates in the
user store.
So when I look at the user store (via MMC with certificate snap-in) I see:
Where the red line is is the OLD/INVALID certificate. One other one is still unexpired, with my username on it (2013-06-20).
When I go to select from the store, I see this:
And in case you are curious, the other intuitive place to put one of these looks like this:
So how do I add another one where the old/bad one is?
Here is what I have tried:
Following these instructions, I executed
makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
Now I have a .pvk file, and a .cer file. Then I followed the instructions in Pvk2Pfx (Windows Drivers) and ran
pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer -pfx TempCA.pfx
Now I have a .pfx file... (is this what I need?), but when trying to import to the certificate store using MMC, the password I used is supposedly wrong no matter what - even if I copy and paste it in. (It sounds like a bug in the import program... I can reproduce this.)
Trying another route, after importing the .cer file, it will not show up in the "select from store" window in Visual Studio, so that's useless.
I've spent a day on this and am ready to give up, but I can't. What do I need to do?
The article Using Makecert to Create Certificates for Development helped about 90% of the way...
The rest was understanding that I could do one of two things (both of these options require the certificate must be in a "trusted root" area like "Trusted Root Certification Authority", or must be signed by one that is there):
In Visual Studio, under the "signing" tab I could just use "Select from file" and use the .cer file.
If I just put my .cer file in the "personal" folder, it will appear as an option from the "select from store" button (I may need to restart the computer or Visual Studio).
The answer by Watki02 is quite helpful but missing a few details. Also, key information in that blog post should also be posted here. So...
Create your own root authority certificate:
CD \path\to\whereyouwant
makecert -n "CN=Make Up A Name" -a sha1 -r -sv MakeUpANameCertificateAuthority.pvk MakeUpANameCertificateAuthority.cer -ss MakeUpANameCertificateAuthority -sr localMachine
Password prompts
You will be prompted to create a password and then submit a password. I used the same password for both prompts
User certificate
makecert -pe -n "CN=CN=Make Up A Name User" -ss MY -a sha1 -iv MakeUpANameCertificateAuthority.pvk -ic MakeUpANameCertificateAuthority.cer -sv MakeUpAName.pvk MakeUpAName.cer
Password prompts again
I used the same password as above again
Make a portable file for exchange
pvk2pfx -pvk "MakeUpAName.pvk" -spc "MakeUpAName.cer" -pfx "MakeUpAName.pfx" -pi SamePasswordAgain
Send the file to your private clients
"MakeUpAName.pfx"
Install the certificate
c:> MMC.EXE
MENU FILE -> Add / Remove Snapin
Certificates -> Add -> Computer Account -> Finish -> OK
MENU Action->All Tasks->Import
Go through the wizard
Choose *.pfx format
Choose file
Continue with default options

Resources