Add timestamp to signed AppX bundle - visual-studio

Our Windows Store app is signed by Visual Studio with our custom code signing certificate to allow sideloading of the resulting AppX bundle.
The AppX bundle generated by Visual Studio (during the _CreateBundle build step I guess) will add no trusted timestamp to the digital signature. This prevents the bundle from being installed after the certificate has expired.
Is there a way to adjust or configure the _CreateBundle build task to add a timestamp during the packaging and signing process? I looked into SignTool (which we use for code signing MSI packages), but the documentation yields
You can't use the SignTool time stamp operation on a signed app package; the operation isn't supported.
... and my package is already signed by Visual Studio within the _CreateBundle step as it seems.

To clarify the documentation: One cannot add a timestamp to an already signed package, but SignTool can re-sign the package and include a timestamp. So I added a post-build event to re-sign the bundle generated by Visual Studio:
if $(SolutionName) == Installer (
"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /fd SHA256 /a /f "$(ProjectDir)..\..\Build\CodeSigning.pfx" /tr http://tsa.starfieldtech.com "$(TargetDir)AppPackages\my_app\my_app.appxbundle"
)
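The validity rule this answer relies on, as an added Python example that is not part of the original post: it models the certificate's validity window and decides whether a signature is still acceptable with and without an RFC 3161 countersignature (what signtool's /tr adds). All dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class SigningCert:
    """Validity window of the code-signing certificate (constructed sample)."""
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def signature_status(cert: SigningCert, now: datetime,
                     countersign_time: Optional[datetime] = None) -> str:
    """Return 'valid' or a short reason why the signature is rejected.

    Without a trusted timestamp the certificate can only be evaluated at
    the moment of checking, so the signature dies with the certificate.
    With a countersignature it is evaluated at the time the TSA attested.
    """
    if countersign_time is None:
        if cert.covers(now):
            return "valid"
        return "rejected: no timestamp and certificate is not valid now"
    if not cert.covers(countersign_time):
        return "rejected: timestamp lies outside certificate validity"
    return "valid"


# Constructed sample: a certificate valid from 2015-03-04 to 2020-12-31.
CERT = SigningCert(datetime(2015, 3, 4, tzinfo=timezone.utc),
                   datetime(2020, 12, 31, tzinfo=timezone.utc))
SIGNED_AT = datetime(2018, 6, 1, tzinfo=timezone.utc)      # within validity
LATE_SIGN = datetime(2021, 2, 1, tzinfo=timezone.utc)      # after expiry
INSTALL_TIME = datetime(2022, 1, 15, tzinfo=timezone.utc)  # sideload attempt


def sideload_scenarios() -> dict:
    """Outcomes for installing the bundle after the certificate expired."""
    return {
        "no_timestamp": signature_status(CERT, INSTALL_TIME),
        "timestamped": signature_status(CERT, INSTALL_TIME, SIGNED_AT),
        "timestamped_after_expiry": signature_status(CERT, INSTALL_TIME, LATE_SIGN),
        "no_timestamp_before_expiry": signature_status(CERT, SIGNED_AT),
    }
```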

Related

how to fix MSIX with CERT pack / install problem

I use visual studio 2022 (ver 17.4.2) to build msix package for program install. I ran into these strange situations:
1, During making a package: If I export certs in certmanager to .CER format, delete the installed cert, then import it back, the "dotnet publish" command will tell me the valid cert is not found. But if I export certs into .PFX format with a password, delete it, import it back, the publish command works well and the msix package is built. I'm so curious why?
2, During install of the msix package: If I double click the .cer file generated by VS, or use "import" in certmanager, the msix package will tell me no valid cert is installed and the installation process is unable to continue. But if I use the "certutil.exe -addstore ..." command to install the same cert file (this is also what is done in the VS generated .PS1 script), the MSIX package install works well. It also confuses me much.
Thanks for your explanation or any thoughts.

How to install SignTool.exe for Windows 10

How to install SignTool.exe in Visual Studio 2015 for Windows 10?
I tried to build my project but the program threw an error:
Error An error occurred while signing: SignTool.exe not found.
You need to install the Windows 10 SDK.
Visual Studio 2015 Update 1 contains it already, but it is not installed by default. You should go to Control Panel -> Programs and Features, find Microsoft Visual Studio 2015 and select "Change".
Visual Studio 2015 setup will start. Select "Modify".
In Visual Studio components list find "Universal Windows App Development Tools", open the list of sub-items and select "Windows 10 SDK (10.0.10240)".
Windows 10 SDK in VS 2015 Update 1 Setup
Of course you can install Windows 10 SDK directly from Microsoft: https://go.microsoft.com/fwlink/?LinkID=698771
As josant already wrote - when the installation finishes you will find the SignTool.exe in the folders:
x86 -> c:\Program Files (x86)\Windows Kits\10\bin\x86
x64 -> c:\Program Files (x86)\Windows Kits\10\bin\x64\
If you only want SignTool and really want to minimize the install, here is a way that I just reverse-engineered my way to:
Download the .iso file from https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk (current download link is http://go.microsoft.com/fwlink/p/?LinkID=2022797) The .exe download will not work, since it's an online installer that pulls down its dependencies at runtime.
Unpack the .iso with a tool such as 7-zip.
Install the Installers/Windows SDK Signing Tools-x86_en-us.msi file - it's only 388 KiB large. For reference, it pulls in its files from the following .cab files, so these are also needed for a standalone install:
4c3ef4b2b1dc72149f979f4243d2accf.cab (339 KiB)
685f3d4691f444bc382762d603a99afc.cab (1002 KiB)
e5c4b31ff9997ac5603f4f28cd7df602.cab (389 KiB)
e98fa5eb5fee6ce17a7a69d585870b7c.cab (1.2 MiB)
There we go - you will now have the signtool.exe file and companions in C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64 (replace x64 with x86, arm or arm64 if you need it for another CPU architecture.)
It is also possible to commit signtool.exe and the other files from this folder into your version control repository if want to use it in e.g. CI scenarios. I have tried it and it seems to work fine.
(All files are probably not necessary since there are also some other .exe tools in this folder that might be responsible for these dependencies, but I am not sure which ones could be removed to make the set of files even smaller. Someone else is free to investigate further in this area. :) I tried to just copy signtool.* and that didn't work, so at least some of the other files are needed.)
Here's where you'll find it:
C:\Program Files (x86)\Windows Kits\10\App Certification Kit
Best solution end of 2020:
Just download Windows 10 SDK from Microsoft here:
https://go.microsoft.com/fwlink/?LinkID=698771
In setup, choose only Windows App Certification App (it's only 184 MB)
You can find signtool.exe here:
%PROGRAMFILES(X86)%\Windows Kits\10\bin\x64
Cheers!
As per the comments in the question... On Windows 10 Signtool.exe and other SDK tools have been moved into "%programfiles(x86)%\Windows Kits\".
Typical path to signtool on Windows 10.
32 bit = "c:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe"
64 bit = "c:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"
Tools for SDK 8.0 and 8.1 also reside in the "Windows Kits" folder.
Another answer from 2021.
You might not need Windows SDK at all. If you have VS-2019 installed, you might already have signtool in C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe
NOTE: The good thing about this particular signtool version (compared to the Windows SDK one), is that it's self-contained, and does not need all the dll's next to it (mssign32.dll, wintrust.dll etc, which usually lie around in Windows SDK folders).
You can even add this file to your source code repo (just one file), since this tool hasn't changed since 2016.
P.S. I had this signtool even without "ClickOnce publishing" component installed in my Visual Studio Community Edition.
Location:
C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe
In 2019, this is a quite recent link from Microsoft about how to obtain this tool:
The SignTool tool is a command-line tool that digitally signs files,
verifies signatures in files, or time stamps files. For information
about why signing files is important, see Introduction to Code
Signing. The tool is installed in the \Bin folder of the Microsoft
Windows Software Development Kit (SDK) installation path.
SignTool is available as part of the Windows SDK, which you can
download from https://go.microsoft.com/fwlink/p/?linkid=84091.
I only needed signtool, so I chose the minimal I came up with and signtool.exe is now in C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe
Microsoft article link:
https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
To install just the signing tools from winsdksetup.exe (available at the same URL as the Windows SDK ISO mentioned above), this is an option too, straight from the Dockerfile I'm working in:
RUN powershell Start-Process winsdksetup.exe -ArgumentList '/features OptionId.SigningTools', '/q', '/ceip off', '/norestart' -NoNewWindow -Wait
So if you're in Windows, that'd be:
winsdksetup.exe /features OptionId.SigningTools
winsdksetup /h gives you the options, so I won't summarise them here.
I include the Dockerfile snippet, as that is what I started my day looking for a solution for.
You don't have to install the Signtool. It might already be there.
Go to C:\Program Files (x86)\ and search for signtool.exe. In my system I found it under C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool
No matter which version of Windows you are using, the above signtool will solve your purpose.
If you're using VS Express 2015, just go to your control panel --> programs and features --> select vs 2015 --> click change, then in the VS Express installer select 'Modify' --> select Publishing tools, and finish. Once setup completes the changes you will be able to create your installer.
You should go to Control Panel -> Programs and Features, find Microsoft Visual Studio 2015 and select "Change".
Visual Studio 2015 setup will start. Select "Modify".
In Visual Studio components list, open the list of sub-items and select "ClickOnce Publication Tools" and "Windows 10 SDK" too.
I did a modify with the Visual Studio from Control Panel, Programs and Features. The SDK was not at first apparent so I installed the Common Tools which lo and behold did include the SDK Update 3.
It's available many, many places, depending upon what is installed:
On my box, every one except the v6.0A SDK version supports the /fd option.
SignTool is available as part of the Windows SDK (which comes with Visual Studio Community 2015). Make sure to select the "ClickOnce Publishing Tools" from the feature list during the installation of Visual Studio 2015 to get the SignTool.
Once Visual Studio is installed you can run the signtool command from the Visual Studio Command Prompt.
By default (on Windows 10) the SignTool will be installed in:
C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
For me in 2021 the signtool.exe was here: "C:\Program Files (x86)\Windows Kits\10\bin\x64" or in: x86
and not under: C:\Program Files (x86)\Windows Kits\10\App Certification Kit
even though I have this folder and many files in it.
I ran into an issue using this tool in a restrictive Azure DevOps Pipelines environment, where I couldn't even expand PATH or call any tools from an absolute path outside of the ADO build directories, meaning in this case anything from C:\Program Files (x86)\
My solution was to package it as a Secure File in ADO Pipelines' Library -> Secure Files section, allow my pipeline to access the file via its security settings, then download it as a build task and run it via a powershell task.
In the example below, I just query the help with the /? command. Just replace that with whatever command you want to use.
- task: DownloadSecureFile@1
  displayName: "Signtool Download"
  name: MSSignTool
  inputs:
    secureFile: 'signtool.exe'
- task: PowerShell@2
  displayName: "Run Signtool"
  inputs:
    targetType: "inline"
    script: $(MSSignTool.secureFilePath) /?
Warning 1: I'm not sure what dependencies are required for signtool.exe to work standalone, or if it even has any. The Windows 10 SDK and ADK was already installed in this build environment. If querying the help causes the tool to fail or crash, make sure one or both of those are installed. Hopefully you will have access to something like choco to install any missing dependencies.
Warning 2: Be careful if copying those code segments. ADO is pretty strict with dynamic whitespace, so if your spacing is off it will brick your whole pipelines file until you adjust the spacing to its correct position.

Makecert.exe error

I am trying to use Makecert.exe to create a signing certificate that I can use with our internal VS.NET applications, to be deployed using ClickOnce on our local network.
I have been following the MSDN guide MSDN: Certificate Expiration in ClickOnce Deployment
so I tried the below:
C:\Program Files (x86)\Microsoft Visual Studio 12.0>Makecert -sv DMTeam.pvk
-n "CN=DMTeam" DMTeam.cer -b 03/04/2015 -e 12/31/2020
in order to have a certificate for our applications
When I run the above command using the VS command prompt, I get the below error:
Error: Unable to create file for the subject ('DMTeam.pvk')
Error: Can't create the key of the subject ('DMTeam.pvk')
Failed
so what am I doing wrong?
The key is to run the command prompt with Administrator privileges.
I did something very similar, though I wrote the pvk and cer files to my c:\Temp folder:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>MakeCert -sv C:\Temp\DMTeam.pvk -n "CN=DMTeam" c:\Temp\DMTeam.cer -b 03/04/2015 -e 12/31/2020 -r
Don't forget the "-r" option as it will "Create a self-signed certificate"! Without it the project will not build when you use the created pfx file.
I ran this under the VS2012 x86 Native Tools Command Prompt (with Run as Administrator) and it works just fine. Run without Administrative privileges and then it fails.
Then to create the pfx file do the following:
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin>pvk2pfx -pvk C:\Temp\DMTeam.pvk -spc C:\Temp\DMTeam.cer -pfx -po PasswordForPFXFile
Here are some good references:
See section: Test Certificates, MakeCert, RenewCert, and The Big Workaround
https://msdn.microsoft.com/en-us/library/ff369721.aspx
https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx
ClickOnce signer's certificate not valid for signing when using makecer/pvk2pfx
My ClickOnce app now builds fine in Visual Studio 2013.

How to code sign using .Pem file?

I am trying to code sign my application components using a digital certificate. The certificate format is .Pem
I referred to the URL below and tried to implement the code signing using the Visual Studio SignTool.exe
CodeSign
C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC>"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /d "C:\Users\hpara\Desktop\SignCert\Test.exe" /f "C:\Users\guest\Desktop\SignCert\Test.pem"
Signtool.exe returned the error : "Error: Missing filename.".
Question:
Can I sign the code using signtool.exe and .pem file?
My actual build environment is on Linux. Just for testing purpose, I copied the certificate file to Win 7 computer and tried to sign the application using visual studio signtool.exe.
The signing certificate request (CSR) is generated on a Linux machine. Finally I need to sign the application on the Linux machine.
How to code sign using the Pem file?
Solution:
Step 1: Generate .pfx file from the .Pem File
openssl pkcs12 -inkey MyprivateKey.key -in MyCertificate.pem -export -out MyCert.pfx
Step 2: Sign the code using .pfx file (Ex: Microsoft SDK SignTool.exe)
signtool sign /f "MyCert.pfx" /p password /t http://timestamp.verisign.com/scripts/timestamp.dll "myapp.exe"

Visual Studio 2010 Assembly Signing: An attempt was made to reference a token that does not exist

I'm trying to sign an assembly in Visual Studio 2010 with our PFX file, after I enter the password for the private key I get "An attempt was made to reference a token that does not exist"
Running Visual Studio as Administrator fixed this issue for me.
I have the same problem. Just use signtool from the Visual Studio command prompt instead. Sometimes signtool will claim your password is invalid, but usually after a couple of tries it starts working for me.
signtool.exe sign /f YOURCERT.pfx /p YOURPASSWORD YOURTARGET.exe
If you want Visual Studio to automatically sign the files and work with ClickOnce, this is what I had to do:
Get a copy of OpenSSL. It is available for Windows. Or use a Linux box as they all pretty much all have it.
Run the following to export to a key file:
openssl pkcs12 -in certfile.pfx -out backupcertfile.key
openssl pkcs12 -export -out certfiletosignwith.pfx -keysig -in backupcertfile.key
Then in the project properties you can use the PFX file.
This is what worked for me.
First try to build your project with the Key signing option enabled for your project. The build will fail; go to the 'Output' window and you'll see an error like:
Error 1 Cannot import the following key file: MyKey.pfx. The
key file may be password protected. To correct this, try to import the
certificate again or manually install the certificate to the Strong
Name CSP with the following key container name:
VS_KEY_7B9423FE45F4DBEB Project.SomeName
Save the Key Store name (e.g. VS_KEY_7B9423FE45F4DBEB), you will need this later.
Now follow these steps:
Import the digital certificate key (PFX) in the Windows Certificate Store. Double click the PFX key in Windows Explorer and install/import it into your key store (I actually imported it into the trusted root certificates store by selecting manually choose store).
Start Visual Studio 2010 as regular user (I don't face this key signing issue as an Administrator, but I want to debug my apps as a user) (keep it open through this entire process)
From the Start Menu open the Visual Studio Command Prompt (2010) shortcut (x64 if you are on an x64 machine) AS AN ADMINISTRATOR (right click on the Visual Studio 2010 Command Prompt shortcut and select run as Administrator). This should open an administrative command prompt with the Visual Studio environment set up (not a regular command prompt).
In the command prompt, enter sn -d VS_KEY_xxxx with the Key Store name from the error message you saved at the beginning
Then enter sn -i xxx.pfx VS_KEY_xxxx, and enter the password when prompted; xxx.pfx is your digital certificate
Go back to Visual Studio and rebuild your project
