signtool Dual Signing Failure - sha1

Question concerning a failure I'm having when attempting to dual sign with SHA1/SHA256.
I've had a SHA256 code signing certificate for a few years now, but before the new year (2016), I started using /fd SHA256 for the hashing algorithm to be compliant with Microsoft's deprecation of SHA1.
This worked fine, but of course the signature hash doesn't validate on older OS's. I don't care about XP, but I still sort of care about Vista.
I first sign for SHA1 using the following:
signtool sign /fd SHA1 /f "cert.pfx" /p "password" /t http://timestamp.verisign.com/scripts/timstamp.dll "file"
Then I try for my dual signature:
signtool sign /as /fd SHA256 /f "cert.pfx" /p "password" /tr http://timestamp.globalsign.com/?signature=sha2 "file"
And signtool gives me this:
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
Now I can successfully sign a file with a single algorithm (Either SHA1 OR SHA256), but I can't add the second signature. My only guess is that because I'm using the SAME certificate for both algorithms it doesn't like that. Do I need to have a different physical certificate for each algorithm?
Just wondering because before the new year, I had been using a SHA256 certificate for years with a SHA1 algorithm and it validated fine on all Operating Systems.

This is from mismatched DLLs. signtool.exe needs the correct wintrust.dll and mssign32.dll, otherwise I get 0x80070032 only when dual signing.
This site has an 8.1 download so you don't need the whole SDK:
http://ksoftware.freshdesk.com/support/solutions/articles/17170-how-do-i-use-ksign-to-digitally-sign-files-
signtool 8.1 is at
http://cdn1.ksoftware.net/signtool_8.1.zip

I had the same issue, and that signtool from SDK 8.1 (6.3.9600.17298) seems to be VERY particular about the order of command line options!
If I used signtool sign /v /f my.pfx /p 1234 /fd sha256 /as test.exe
Dual-signing failed with this error:
"Multiple signature support is not implemented for this filetype"
which is actually the same error as the one from W10 SDK since -2147024846/0x80070032 translates to (HRESULT)ERROR_NOT_SUPPORTED
BUT, if I used signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe
it worked!
See what I did there? I just swapped the order of /as and /fd sha256 !
I mean this stuff is just nightmare fuel when you are working on something important and then when it's time for production it just doesn't work for seemingly no reason. Luckily that was not the case this time as I was just testing, but I thought I was going mad since I first got it to work once, but not again.
To be clear, this is the exact order in which I could dual-sign files with SHA1 and SHA256, using the signtool.exe from the Windows 8.1 SDK, available here (the one from the W10 SDK still does not work, and the one from the V7.1 SDK does not support multiple signatures at all):
Sign with SHA1: signtool sign /v /f my.pfx /p 1234 test.exe
Sign with SHA256: signtool sign /v /f my.pfx /p 1234 /as /fd sha256 test.exe
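The full sequence described in the answers above as a script, added here as an example (it is not code from the original posts): SHA-1 primary signature first, then the SHA-256 signature appended with /as, followed by a verification pass that counts the signatures signtool reports. It assumes a signtool.exe that supports /as (Windows 8.1 SDK or later) on PATH; cert.pfx and its password are placeholders, and the timestamp URLs are the ones the question uses, so check they are still reachable before relying on them.

```powershell
# Added example, not part of the original posts: dual-sign a PE file with a SHA-1
# primary signature and a SHA-256 appended signature, then confirm both are present.
# Assumptions: signtool.exe (8.1 SDK or later) on PATH; cert.pfx/password are
# placeholders; timestamp URLs are the ones from the question.
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $PfxPath         = 'cert.pfx',
    [string] $PfxPassword     = 'password',
    [string] $AuthenticodeTsa = 'http://timestamp.verisign.com/scripts/timstamp.dll',
    [string] $Rfc3161Tsa      = 'http://timestamp.globalsign.com/?signature=sha2'
)

function Invoke-SignTool {
    param([string[]] $SignToolArgs)
    & signtool.exe @SignToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($SignToolArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. SHA-1 primary signature with a legacy Authenticode (/t) timestamp. Older systems
#    that know nothing about multiple signatures only ever look at this one.
Invoke-SignTool @('sign', '/v', '/fd', 'sha1', '/f', $PfxPath, '/p', $PfxPassword,
                  '/t', $AuthenticodeTsa, $File)

# 2. SHA-256 signature appended with /as and an RFC 3161 timestamp (/tr + /td sha256).
#    /as is placed before /fd, the order the answer above reports as working.
Invoke-SignTool @('sign', '/v', '/as', '/fd', 'sha256', '/f', $PfxPath, '/p', $PfxPassword,
                  '/tr', $Rfc3161Tsa, '/td', 'sha256', $File)

# 3. Verify every signature under the default Authenticode policy (/pa /all) and count
#    them. This is a textual check: verbose output carries one "Signature Index: N"
#    line per signature.
$verify = & signtool.exe verify /pa /all /v $File 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "verification failed:`n$verify" }
$count = ([regex]::Matches($verify, 'Signature Index:\s*\d+')).Count
if ($count -lt 2) { throw "expected two signatures, signtool reported $count:`n$verify" }
"$File carries $count signatures (SHA-1 primary, SHA-256 appended)"
```

Run it as `.\DualSign.ps1 -File .\app.exe`. If the second step fails with 0x80070032 (ERROR_NOT_SUPPORTED) while the first succeeded, the signtool in use does not support appended signatures for that file type; check the SDK version before anything else.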

Related

SignTool Error: This file format cannot be signed because it is not recognized. SignTool Error: An error occurred while attempting to sign

I am trying to sign an MSIX-made .appinstaller file using signtool on a Windows SDK-supported Docker image.
I am using the following command in my yml file to do so:
- 'signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "C:\GR\SignPS\builds\k81Fedrd\0\TE-SW\PC\SW21042_MRS_Realizer_NET\src\RealizerMSIX\SharedOutDir\realizermsix.appinstaller"'
When I try to do so I get the following error:
The setup is there, container paths are correct too. Need quick help.
I tried checking the container paths and also that if the SignTool is present, all seems good.

Using signtool.exe through Jenkins

I am using an EV Code Token USB for this process.
I've got this .bat which signs an .exe with the help of signtool.exe
The bat works fine when I call it locally from cmd. It first calls an AutoHotkey script (that looks for the Windows Security window triggered by signtool.exe, where you have to enter the PIN in order to successfully sign the .exe), starts the signtool process, the PIN is entered automatically and all's good.
I'm trying to call the same .bat with the help of Jenkins, but no matter what I do, I keep getting this error
Error information: "Error: SignerSign() failed." (-2147023892/0x800703ec)
SignTool Error: An unexpected internal error has occurred.
The error means invalid flags but I literally do not know what that means.
The signing command line looks like this:
signtool.exe sign /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /sha1 [thumbprint] .exe
It doesn't change a thing if I run just the above command in Jenkins' "execute windows batch command" build step.
How could I get past this?

Is it possible to package and sign an extension for Microsoft Edge?

I have a Microsoft Developer subscription; since it isn't yet possible to publish extensions in the store, I would like to distribute them myself. Is it possible? Could I sign the appx with a valid certificate?
I think packaging the appx in sideload mode may help you; you can distribute it yourself. For details, please see
https://learn.microsoft.com/en-us/windows/uwp/packaging/packaging-uwp-apps
For how to create a certificate:
1. create certificate
https://technet.microsoft.com/en-us/itpro/powershell/windows/pkiclient/new-selfsignedcertificate
Example:
New-SelfSignedCertificate -Type Custom -Subject "CN=BurningFish" -KeyUsage DigitalSignature -CertStoreLocation "Cert:\LocalMachine\My"
You will get the path of the certificate, such as A0A89249221A0BA3E8681A12021966475079214B.
2. export the PFX with powershell command:
$pwd = ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -cert "Cert:\LocalMachine\My\A0A89249221A0BA3E8681A12021966475079214B" -FilePath C:\Temp\MyKey.pfx -Password $pwd
For how to package and sign the appx,
I provide a solution in the question: Packaging of Edge Extension which supports nativemessaging (UWP app).
Prerequisites to run the appx
Set the system to sideload mode:
Go to Settings -> Update & security -> For developers -> Sideload apps.
You can pack, sign and deploy to the store by yourself: this is known as side loading apps. All you have to do is follow this process step by step.
You cannot distribute this to other users, and you can only install on your own machine. Distribution is currently limited only through the store.
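The certificate and signing steps from the answer above, carried through as one script. This is an added example, not code from the original answer or from Microsoft's documentation: the package path, friendly name and output paths are placeholders, it assumes the Windows SDK signtool.exe is on PATH and that the shell is elevated for the LocalMachine store operations, and it adds the code-signing EKU and basic-constraints extensions that the packaging documentation requires, which the answer's one-line New-SelfSignedCertificate call omits.

```powershell
# Added example, not part of the original answer: create a self-signed package-signing
# certificate, export it, sign an .appx with it, verify, and install it for sideloading.
# Assumptions: $appx is a placeholder; signtool.exe on PATH; elevated PowerShell.
$subject       = 'CN=BurningFish'             # must equal Publisher in the Identity element of AppxManifest.xml
$appx          = 'C:\Temp\MyExtension.appx'   # placeholder package path
$pfxPath       = 'C:\Temp\MyKey.pfx'
$cerPath       = 'C:\Temp\MyKey.cer'
$plainPassword = 'password'                   # placeholder
$pfxPassword   = ConvertTo-SecureString -String $plainPassword -Force -AsPlainText

# Code Signing EKU (1.3.6.1.5.5.7.3.3) plus an empty basic-constraints extension
# (i.e. not a CA) are what the packaging documentation asks for.
$cert = New-SelfSignedCertificate -Type Custom -Subject $subject -KeyUsage DigitalSignature `
    -FriendlyName 'Edge extension sideload signing' -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3', '2.5.29.19={text}')

# The thumbprint is what the answer calls the "path" of the certificate in the store.
"Created certificate $($cert.Thumbprint)"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null

# Sign the package. The /fd algorithm must match the one used to build the package
# (makeappx defaults to SHA256).
& signtool.exe sign /v /fd SHA256 /f $pfxPath /p $plainPassword $appx
if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }
& signtool.exe verify /pa /v $appx
if ($LASTEXITCODE -ne 0) { throw "signature does not verify under the Authenticode policy" }

# A sideloaded package installs only if the signing certificate is trusted by the
# machine. The public .cer in Trusted People is enough; keep the PFX off test machines.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
Add-AppxPackage -Path $appx
```

If Add-AppxPackage fails with a publisher mismatch, the Subject on the certificate and the Publisher attribute in AppxManifest.xml differ; they must be byte-for-byte identical.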

Issue with Inno Setup SignTool option

I have the following line in my Inno Setup script:
SignTool=MySign cmd /c C:\SigningTools\signtool.exe sign /f C:\MyCert.pfx /p MyPassword $f
This works on my local machine.
I then commit my changes to our server and Jenkins will compile and make a build automatically. Jenkins does not work and I get the following error.
Error on line 43 in C:\Windows\TEMP\fxbundler8328922406343131203\images\win-exe.image\MyProgram.iss: Value of [Setup] section directive "SignTool" is invalid.
Compile aborted.
I have no idea what the issue is, I have tried numerous things but can't seem to figure it out. I would settle with learning some better options to output error messages with Inno Setup.
I have verified that MySign exists on the server's compiler IDE (http://www.jrsoftware.org/ishelp/index.php?topic=setup_signtool)
I have tried numerous variations of having $q surround file paths
I have verified that the file paths match the two machines
You need to define the SignTool in your call to the compiler via the /s switch.
Example: "/sMySign$q=sign_application.bat$q $f"
sign_application.bat receives the path of the file to sign as first parameter and calls signtool.exe as you've already tried.
Take a look here: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Do not forget to Configure Sign Tools in the Inno Setup Compiler. I simply added signtool $p string.
In my case, the certificate has expired.
I found the following article useful:
https://www.nextofwindows.com/how-to-check-a-pfx-certifications-expiry-date-on-windows
I opened a command prompt in the directory where my pfx file was and used this command to get details about the certificate:
certutil -dump "nameofcertfile.pfx"
Change nameofcertfile.pfx to your file name. You probably will be prompted for a password. Enter the password you used in your script (MyPassword in the OP's script). You may also copy/paste it.
NOTE: You will not see any characters being typed while entering or pasting the password, so don't be confused.
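The two answers above amount to a checklist for a CI job: make sure the PFX is usable, and hand the sign tool definition to ISCC on the command line with /S instead of relying on a definition saved in the Compiler IDE. The script below does both. It is an added example and not code from the original answers; the ISCC path, certificate path, password and script name are placeholders, and it assumes the .iss contains `SignTool=MySign`.

```powershell
# Added example, not part of the original answers: pre-flight the signing certificate,
# then run the Inno Setup compiler with the sign tool defined via /S.
# Assumptions: paths, password and script name below are placeholders;
# the .iss file contains "SignTool=MySign".
param(
    [string] $Iscc        = 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe',
    [string] $SignToolExe = 'C:\SigningTools\signtool.exe',
    [string] $PfxPath     = 'C:\MyCert.pfx',
    [string] $PfxPassword = 'MyPassword',
    [string] $IssScript   = 'MyProgram.iss'
)

function Test-SigningCertificate {
    param([string] $Path, [string] $Password)
    # Opening the PFX already catches a wrong password (the constructor throws).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $now = Get-Date
    if ($now -gt $cert.NotAfter)  { throw "certificate $($cert.Subject) expired on $($cert.NotAfter)" }
    if ($now -lt $cert.NotBefore) { throw "certificate $($cert.Subject) is not valid before $($cert.NotBefore)" }
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key; it cannot sign anything' }
    $codeSigning = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' }
    if (-not $codeSigning)        { throw "certificate $($cert.Subject) lacks the Code Signing EKU" }
    "Certificate OK: $($cert.Subject), valid until $($cert.NotAfter), thumbprint $($cert.Thumbprint)"
}

Test-SigningCertificate -Path $PfxPath -Password $PfxPassword

# ISCC /S<name>=<command>. $q is Inno Setup's placeholder for a double quote and $f
# for the file to sign; the backticks stop PowerShell from expanding them itself.
$signDef = "/SMySign=`$q$SignToolExe`$q sign /fd sha256 /f `$q$PfxPath`$q /p $PfxPassword `$f"
& $Iscc $signDef $IssScript
if ($LASTEXITCODE -ne 0) { throw "ISCC failed with exit code $LASTEXITCODE" }
```

Failing before ISCC starts gives a readable reason (expired, wrong password, no private key) instead of the generic "directive SignTool is invalid" message in the compiler log.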

Can I install an x64 driver with a test certificate WITHOUT disabling the driver signature?

I'm developing a virtual driver and QA needs to check out the x64 version on several Windows 7 machines. I have strictly followed the instructions on generating a certificate for test purposes, but I still have some problems. So, I've done the following steps:
Makecert -r -pe -n "CN=TestCertForWDK" -ss "TestCert" mccert.cer
I've added the following two lines in the installer to make auto certificate installation on the remote machines
certmgr.exe -add mccert.cer -s -r localMachine root
certmgr.exe -add mccert.cer -s -r localMachine trustedpublisher
And
Inf2cat.exe /driver:D:\Projects\MyDrv\package\ /os:7_X64
And finally
signtool sign /a /v /s "TestCert" /n "TestCertForWDK" mydrv.cat
signtool sign /a /v /s "TestCert" /n "TestCertForWDK" mydrv.sys
BTW, at first I've tried installing via devcon. It reported that "devcon succeeded", but the device in Device Manager was marked with yellow exclamation mark (not trusted signature).
Later, I tried using hdwwiz; when I manually enter the path to the driver (Have disk), hdwwiz shows that the driver has a signature and installation proceeds without any warnings. But after that, as I've already mentioned, the device is not working because of an invalid signature (yellow "!").
I have an account on Winqual, but the driver is still in development state, and I don't want to pay money for submission yet. Am I doing something wrong? Is it possible to install a x64 driver with my own makecert.exe-generated certificate and without disabling a driver signature on the end-user PC (this is not acceptable for me)?
Unfortunately, you need to have it cross signed by Microsoft as well. See here for more details.
Even if you want to use your own test certificate, you need to make changes using the BCDEdit tool.
bcdedit.exe /set {boot-entry-guid} testsigning on
This will allow your test certificate to be used. This is the only way to use a test certificate.
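A script that ties the question's signing steps to the answer's condition, added here as an example (not code from the original post or answer): it refuses to proceed unless the machine is already in test-signing mode, signs the catalog and the .sys with the makecert certificate from the question, and verifies the package the way the WDK documentation verifies test-signed packages. It assumes the WDK tools are on PATH, an elevated prompt (bcdedit needs one), the package layout and store/certificate names from the question, and a Windows 7 x64 target, which is why the digest is SHA-1.

```powershell
# Added example, not part of the original post or answer: check test-signing mode, sign
# the driver package with the makecert test certificate, and verify it.
# Assumptions: WDK tools on PATH; elevated prompt; store "TestCert" and certificate
# "TestCertForWDK" as created by the question's makecert command; Windows 7 x64 target.
$packageDir = 'D:\Projects\MyDrv\package'
$catalog    = Join-Path $packageDir 'mydrv.cat'
$driver     = Join-Path $packageDir 'mydrv.sys'

function Test-TestSigningEnabled {
    # bcdedit /enum prints a "testsigning   Yes" line for the current boot entry when enabled.
    $entry = & bcdedit.exe /enum '{current}'
    return [bool]($entry -match '^\s*testsigning\s+Yes')
}

if (-not (Test-TestSigningEnabled)) {
    throw 'Test signing is off; a makecert certificate will not be accepted. Run "bcdedit /set testsigning on" and reboot.'
}

# /fd sha1: Windows 7 accepts SHA-256 code signatures only after the SHA-2 code-signing
# update is installed, so SHA-1 is the safe choice for a Win7 QA fleet.
foreach ($target in @($catalog, $driver)) {
    & signtool.exe sign /v /s TestCert /n TestCertForWDK /fd sha1 $target
    if ($LASTEXITCODE -ne 0) { throw "signing $target failed with exit code $LASTEXITCODE" }
}

# /pa (default Authenticode policy) with the catalog is what the WDK docs use for
# test-signed packages; /kp (kernel-mode policy) is for release-signed packages that
# chain to a root the kernel trusts, which a makecert certificate does not.
& signtool.exe verify /pa /v /c $catalog $driver
if ($LASTEXITCODE -ne 0) { throw 'driver does not verify against its catalog' }
"Package signed and verified; device installs without the yellow '!' only while test signing stays on."
```

The testsigning check is the practical point: the device comes up with the yellow "!" exactly when the kernel's own check fails, and that check cannot be satisfied by any self-made certificate unless the boot configuration says test signing is on.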
