Windows signtool.exe sign command /s option - windows

When using the signtool to digitally sign a catalog file (*.cat), what does the /s option actually do?
Example:
signtool sign /s SomeStore c:/someCAT.cat
What does the SomeStore parameter for the /s option do? How does one confirm that this parameter is correct?
I have checked the Microsoft signtool documentation here: https://msdn.microsoft.com/en-us/library/8s9b9yaz(v=vs.110).aspx#sign, but it does not seem to provide this information.

The /s option refers to the Certificate Store from which the signtool will be obtaining the data (credentials) necessary to sign the catalog file. See the following:
Digital Certificates: https://msdn.microsoft.com/en-us/library/windows/desktop/aa381975(v=vs.85).aspx
Certificate Stores: https://msdn.microsoft.com/en-us/library/windows/desktop/aa386971(v=vs.85).aspx
Running the signtool with the verify command provides feedback on whether the store specified with the /s option was valid.
Example:
signtool verify /pa /v c:\someCAT.cat
where the /pa and /v are described here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
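The answer above says that /s names a certificate store and that signtool verify tells you whether the signing worked. The PowerShell below is an added example, not code from the question or answer, that does the same two checks from the defender's side: it looks into the store that /s would read (store name and file path are placeholders taken from the question; signtool's default store is the current user's "My" store, and /sm switches to the machine store) and lists the code-signing certificates with a usable private key, then verifies the resulting signature with Get-AuthenticodeSignature, which applies the same default Authenticode policy as signtool verify /pa.

```powershell
# Added example (not from the original post): inspect the store named by
# 'signtool sign /s <StoreName>' and verify the signed file afterwards.
param(
    [string]$StoreName = 'My',             # signtool's default; 'SomeStore' in the question is a placeholder
    [string]$FilePath  = 'C:\someCAT.cat'  # file path from the question
)

# 1. The store selected by /s lives under the current user unless /sm is given.
#    A store name that does not exist simply yields no certificates.
$storePath = "Cert:\CurrentUser\$StoreName"
if (-not (Test-Path $storePath)) {
    Write-Warning "Store '$StoreName' does not exist under CurrentUser; 'signtool sign /s $StoreName' will find nothing."
}

# 2. Only certificates with the Code Signing EKU *and* an accessible private key
#    can be used by signtool. -CodeSigningCert filters on the EKU; HasPrivateKey
#    tells you whether this user can actually sign with it.
$candidates = Get-ChildItem $storePath -CodeSigningCert -ErrorAction SilentlyContinue |
    Where-Object { $_.HasPrivateKey }

if (-not $candidates) {
    Write-Warning "No code-signing certificate with a private key in '$StoreName'."
} else {
    $candidates | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# 3. Verify the signed file. Status is 'Valid' only if the signature checks out
#    and the signer chains to a trusted root (the PowerShell counterpart of
#    'signtool verify /pa /v').
$sig = Get-AuthenticodeSignature -FilePath $FilePath
'{0}: {1} (signer: {2})' -f $FilePath, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') { exit 1 }
```

Run it from the same account that runs signtool: the CurrentUser store is per user, so a certificate that is visible in one account's MMC can be absent from another account's /s lookup.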

Related

Where is SignTool /d info (description of the signed content) used/displayed?

In the SignTool documentation it is said:
/d Specifies a description of the signed content.
Where can I find that description?
One significant place where the description is shown is the UAC prompt when running a signed application (typically an installer) that needs Administrator privileges.

signtool: options interpreted as files on AppVeyor

I’m having this super weird behaviour on an AppVeyor build (Visual Studio 2019): In a shell script (cmd.exe), when signing my app with signtool, all the options are interpreted as files (signtool can sign multiple files at once).
The line "$WINDOWSKITBIN\\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v /debug "build\\TypeWorld.exe" produces:
Successfully signed: build\TypeWorld.exe
Number of files successfully Signed: 1
Number of errors: 10
SignTool Error: File not found: C:/Program Files/Git/tr
SignTool Error: File not found: http://timestamp.digicert.com
SignTool Error: File not found: C:/Program Files/Git/td
SignTool Error: File not found: sha256
SignTool Error: File not found: C:/Program Files/Git/fd
SignTool Error: File not found: SHA256
SignTool Error: File not found: N:/
SignTool Error: File not found: Jan Gerner
SignTool Error: File not found: V:/
SignTool Error: File not found: C:/Program Files/Git/debug
The wanted file TypeWorld.exe is signed, just without all the options, and all the options are interpreted as files to sign which then aren’t found, obviously.
I've confirmed the escaped backslashes and folder variable to be correct.
This line echo "$WINDOWSKITBIN\\signtool.exe" sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v /debug "build\\TypeWorld.exe"
produces the expected rendering: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n Jan Gerner /v /debug build\TypeWorld.exe
I tried running the same in PowerShell, with the same result.
None of what the AppVeyor staff recommended (also by email) helped.
What did help in the end is to not mix Windows and Linux (WSL) environments. In appveyor.yml I was calling the build script through sh (or later bash at the recommendation of AppVeyor staff):
build_script:
- cmd: C:\\msys64\\usr\\bin\\bash.exe wxPython/build/Windows/build-all.sh
Instead, for some commands it's better to keep things simple, so I converted the code signing part to a good old Windows batch file:
build_script:
- wxPython/build/Windows/build-sign.bat
Inside the batch file, the line
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd SHA256 /n "Jan Gerner" /v "build\\TypeWorld.exe" executes fine.

CMake get list of files to be signed

I'm trying to make a .msi installation package using CMake, CPack, and Wix. The issue is I'm trying to sign the executables and DLLs that are going to be installed.
Currently I am trying to use a custom cmake script by setting CPACK_INSTALL_SCRIPTS
SET( CPACK_INSTALL_SCRIPTS "${CMAKE_CURRENT_LIST_DIR}/signcert.cmake")
And inside signcert.cmake is where I run into an issue. I want to use signtool to sign:
execute_process(
COMMAND cmd /c signtool sign /debug /v /sm /fd sha256 /tr http://timestamp.comodoca.com /td sha256 /sha1 ${THUMBPRINT} "${CMAKE_INSTALL_PREFIX}applications/bin/*"
)
The signtool command executes properly when run in a VS Command Console (vcvarsall.bat); however, the wildcard does not expand properly in the execute_process, it says it cannot find *.
How can I find a list of files in a particular directory and store it in a CMake variable? For example ${CMAKE_INSTALL_PREFIX}applications/bin/* ?
This issue is likely caused by the fact that your signcert.cmake script will not know the path for CMAKE_INSTALL_PREFIX. It is not forwarded from the main CMake invocation.
To get around this, you can make a script template signcert.cmake.in, and use configure_file to insert the CMAKE_INSTALL_PREFIX path into your script.
Within your script, one option to more safely obtain and pass a list of files is to use file(GLOB ...) to get a list of files in the directory, before calling execute_process. Here's what your script could look like (note the @CMAKE_INSTALL_PREFIX@ marked for variable substitution):
file(GLOB MY_FILES_TO_SIGN
    LIST_DIRECTORIES false
    "@CMAKE_INSTALL_PREFIX@applications/bin/*")
# Pass the MY_FILES_TO_SIGN list to execute_process; CMake expands it to one argument per file.
execute_process(
    COMMAND cmd /c signtool sign /debug /v /sm /fd sha256 /tr http://timestamp.comodoca.com /td sha256 /sha1 ${THUMBPRINT} ${MY_FILES_TO_SIGN}
)
In your main CMake project, configure this file using the following, which will generate signcert.cmake with the value of CMAKE_INSTALL_PREFIX substituted inside:
configure_file(signcert.cmake.in ${CMAKE_CURRENT_LIST_DIR}/signcert.cmake @ONLY)

Signtool SignerSign() Error (-1073700864/0xc000a000)

Where can I find the meaning of this error for the program SignTool.exe?
"Error: SignerSign() failed." (-1073700864/0xc000a000)
I have been getting this error randomly for a few days when calling the command
signtool.exe sign /debug /a /tr http://tsa.starfieldtech.com /td SHA256 MyDll.dll
Thanks.
The same issue occurred using a GoDaddy code signing certificate to sign an msi installer.
/tr specifies the URL of the RFC 3161 time stamp server.
Changing the url from http://tsa.starfieldtech.com to http://timestamp.digicert.com solves the problem.
signtool.exe sign /debug /a /tr http://timestamp.digicert.com /td SHA256 MyDll.dll
I was facing the same problem during a Jenkins build. The problem got resolved by adding a delay of some seconds before signing the next binary.
ping 127.0.0.1 -n 16 > nul
I had the same issue for the past two days with Sectigo (Comodo CA), where all my post-build signings kept randomly failing. It had been fine for two years and, interestingly, these errors started happening exactly one year to the day before the certificate expires. It seems as though it would work with a single build, but for multiple builds it would randomly complain about one of them, and not always the same one.
Changing my post-build event from:
signtool.exe sign /f "$(ProjectDir)my-cert.pfx" /p mypassword /t http://timestamp.comodoca.com/authenticode "$(TargetDir)$(TargetName).dll"
to:
signtool.exe sign /f "$(ProjectDir)my-cert.pfx" /p mypassword /t http://timestamp.digicert.com "$(TargetDir)$(TargetName).dll"
solved the problem.
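The answers above converge on two mitigations for intermittent SignerSign() failures: use a different RFC 3161 timestamp server, and leave a pause between consecutive signings. The PowerShell below is an added example, not code from the thread, that wraps signtool with both: it cycles through a list of timestamp servers (the two named in the thread), waits between attempts, fails the build only when every attempt is exhausted, and verifies that each result carries a valid signature and a timestamp before moving on. The signtool path, certificate thumbprint and file names are placeholders.

```powershell
# Added example (not from the original thread): sign a list of files with a
# timestamp-server fallback and a pause between attempts, then verify each result.
$SignTool     = 'signtool.exe'                    # assumed on PATH (e.g. VS developer prompt)
$Thumbprint   = '<YOUR-CERT-SHA1-THUMBPRINT>'     # placeholder; /sha1 picks the cert from the store
$Files        = @('build\MyDll.dll', 'build\MyApp.exe')   # placeholder file list
# Timestamp servers named in the thread, tried in this order on each retry.
$TsaServers   = @('http://timestamp.digicert.com', 'http://timestamp.comodoca.com')
$MaxAttempts  = 3
$DelaySeconds = 15   # the thread's 'ping -n 16' pause, made explicit

function Invoke-SignWithTimestamp {
    param([string]$Path)

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $tsa = $TsaServers[($attempt - 1) % $TsaServers.Count]

        # Re-signing with the same certificate replaces the primary signature,
        # so a retry after a half-finished attempt is safe.
        & $SignTool sign /fd SHA256 /sha1 $Thumbprint /tr $tsa /td SHA256 /v $Path

        if ($LASTEXITCODE -eq 0) {
            # Independent check: signature valid and a timestamp countersignature present.
            $sig = Get-AuthenticodeSignature -FilePath $Path
            if ($sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate) {
                return $true
            }
            Write-Warning "$Path was signed but verification reported '$($sig.Status)' (timestamp present: $([bool]$sig.TimeStamperCertificate))"
        } else {
            Write-Warning "signtool exited with $LASTEXITCODE using $tsa (attempt $attempt of $MaxAttempts)"
        }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

$failed = @()
foreach ($f in $Files) {
    if (-not (Invoke-SignWithTimestamp -Path $f)) { $failed += $f }
    Start-Sleep -Seconds $DelaySeconds   # pace requests so the TSA is not hit back-to-back
}

if ($failed) {
    Write-Error "Signing failed for: $($failed -join ', ')"
    exit 1
}
```

The final Get-AuthenticodeSignature check matters: a non-zero exit from signtool after the timestamp step can leave a file that is signed but not timestamped, and such a signature stops validating when the certificate expires, which is exactly the situation the posters were trying to avoid.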

Give User Access To Sign A File

At the command prompt, as administrator, I can sign a file with signtool.exe (version 15063.137). However, I am signing a file from within an app, and when I execute the same command from within the app, the command fails with an exit code of 1. I'm not 100% sure it's a permissions problem, but I'm guessing that it is. How can I give permission to the user that the app is running under to sign a file?
Do I need to give the user special permission to use the certificate I am using?
PS: I've tried importing the certificate into Trusted Publishers for the computer account, but for some reason the certificate doesn't show up there in mmc.
I run signtool with just a normal-rights command box and I do not see a UAC prompt.
But this is with the certificate exported as a pfx file, for example:
"C:\Program Files (x86)\Windows Kits\10\App Certification Kit\SignTool.exe" sign /f c:\folder\cert.pfx /p PASSWORD /as /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /v "c:\folder\sub folder\file.exe"