16

I can't get signtool to find my certificate. The pfx file works for signing; I've checked that by specifying the pfx file directly together with the password. But due to other people having access to the code repository I really don't want to store the certificate + password there.

That's why I've installed the pfx (from Symantec) on the build server (as local computer, not per user) in "trusted root certification authorities". This is because Jenkins is started with the local system account.

This is what I'm trying at the moment:

signtool sign /v /sm /s Root /n <thename> /t http://timestamp.digicert.com <thefile>

/sm /s Root - this should tell signtool to switch to the "local machine" store, right? And Root should specify "trusted root certification authorities"?

/n - here I'm using the "Issued to" value from the certificate, which is the company name.

I'm met by the following error:

"SignTool Error: No certificates were found that met all the given criteria."

I have plowed through so many links today, trying to find out what I'm doing wrong. I've checked with mmc with a snap-in for certificates on the local computer and the certificate is residing in "trusted root certification authorities".

sundown

1 Answer

17

Try this command:

signtool sign /v /sm /s My /n <thename> /t http://timestamp.digicert.com <thefile>

You did well to use the /sm option, but when you added /s Root you told signtool to look in the Computer store but in Root authorities. You could also skip the /s parameter because /s My is the default.

For more information see documentation of signtool.

pepo
  • I switched to "My" and installed the certificate in local machine / personal and now it works! Thank you! Now I encountered another problem: the timestamp server can't be reached. It's reachable when I trigger signtool manually from the command line on the build server, but not when the build server triggers it. – sundown Nov 19 '14 at 08:54
  • Probably a proxy issue? User has proxy set but system account does not. – pepo Nov 19 '14 at 14:42
  • 1
    The documentation for the /s switch is vague. It doesn't specify any of the other options other than "My" and to be perfectly honest, that's nowhere near intuitive naming for the option. Are the other options documented anywhere? – Shiv May 06 '22 at 12:07
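
To check which Local Machine store holds a certificate that `signtool /sm /n <thename>` could select, the following PowerShell check lists matching certificates in the My (Personal) and Root stores and shows whether each has a private key attached. It is an added example, not part of the original question or answer; `<thename>` is the same placeholder used in the commands above, and the function name `Get-SigningCandidate` is hypothetical.

```powershell
# Added diagnostic example, not from the original thread.
# $SubjectName is a placeholder for the value passed to signtool /n.
param(
    [string]$SubjectName = '<thename>'
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Get-SigningCandidate {
    param(
        [string]$StoreName,   # e.g. 'My' (Personal) or 'Root'
        [string]$Name         # substring of the certificate subject
    )

    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Subject -like "*$Name*" } |
        ForEach-Object {
            $cert = $_
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            # A certificate without an EKU extension is not restricted to specific usages.
            $ekuOk = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $codeSigningOid)

            [pscustomobject]@{
                Store          = "LocalMachine\$StoreName"
                Subject        = $cert.Subject
                Thumbprint     = $cert.Thumbprint
                HasPrivateKey  = $cert.HasPrivateKey   # signing requires the private key
                CodeSigningEku = $ekuOk
                Expired        = ($cert.NotAfter -lt (Get-Date))
            }
        }
}

# Compare the store from the question (Root) with the one from the answer (My).
$found = foreach ($store in 'My', 'Root') {
    Get-SigningCandidate -StoreName $store -Name $SubjectName
}

if (-not $found) {
    Write-Warning "No certificate with a subject containing '$SubjectName' in LocalMachine\My or LocalMachine\Root."
} else {
    $found | Format-Table -AutoSize
}
```

A row under `LocalMachine\My` with `HasPrivateKey` set to True corresponds to the working setup described in the answer and the follow-up comment.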