6

I am trying to sign my assemblies and setup files during project build using SignTool.exe. Following this answer I wanted to use the /sha1 option so that I don't need to specify the certificate password. However, when I do this I am getting an "Invalid SHA1 hash format" error. I have tried both from an MSBuild Exec task, from a Visual Studio Developer Command prompt and from a batch file all with the same error.

The command I'm trying is (obviously with a different key):

signtool.exe sign /a /sha1 ‎1234567890abcdef1234567890abcdef12345678 /tr http://timestamp.comodoca.com /td SHA256 /v Setup.msi

I think my certificate is installed correctly and the SHA1 key is correct as it works with the SignFile MSBuild task correctly. I'd just use that but I also need to be able to sign my installer files which aren't built with MSBuild and hence need to be signed from a batch script.

So what could be the problem and how do I fix it?

kjbartel
  • *which aren't built with MSBuild and hence need to be signed from a batch script* or, make the batch script invoke msbuild to sign the files.. – stijn Mar 01 '16 at 08:55
  • Thanks @stijn. I did consider doing that but I wanted to understand what was going wrong also. And it turns out to have been a stupid mistake on my part.... which I pretty much expected. – kjbartel Mar 01 '16 at 09:09

3 Answers

13

I had the same problem and found out that there might be a hidden Unicode character which is causing this error. Just copy the text to a new Notepad instance and back and it will work. Alternatively, place the cursor in this location:

/sha1 <cursor>abcdefg

Then press BACKSPACE. If you have to press BACKSPACE twice to get the cursor next to the "/sha1" directive, there was an invisible character. Then just type space and you are done.

Michael Haephrati
3

Stupid mistake and I can't believe it took so long to realise. I had an extra space character before the thumbprint string which was the cause of the error.

Even after fixing that though I then got another error:

No certificates were found that met all the given criteria.

Running the command again with the /debug option listed all of the certificates it attempted to use and

After Hash filter, 0 certs were left.

The SHA1 hash for the certificate I wanted to use was exactly the same as I specified, with the only exception being that the hash was all in upper-case letters. So I tried the command again with the hash in all upper-case letters and... it worked.

As I haven't seen this requirement documented anywhere I thought I'd provide the answer here.

kjbartel
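Both causes reported in the answers above (an invisible character or extra space in front of the thumbprint, and lower-case hex digits) can be checked before the command line reaches SignTool. The following is an added Python example, not code from any of the posts; the function names are hypothetical and the sample command, with an embedded U+200E, is constructed for illustration.

```python
import re
import unicodedata

HEX_DIGITS = set("0123456789abcdefABCDEF")
# One separator after /sha1, then any extra whitespace plus the next token.
SHA1_ARG = re.compile(r"/sha1\s(\s*\S+)", re.IGNORECASE)

def audit_thumbprint(raw):
    """Return (normalized, findings) for a pasted SHA-1 thumbprint.

    findings holds (index, code point, Unicode name) for every character
    that is not a hex digit, so invisible characters become visible.
    """
    findings = [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
                for i, ch in enumerate(raw) if ch not in HEX_DIGITS]
    # Upper-case the digits, as the second answer found was needed.
    normalized = "".join(ch for ch in raw if ch in HEX_DIGITS).upper()
    if len(normalized) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(normalized)}")
    return normalized, findings

def repair_command(cmd):
    """Rewrite the /sha1 argument of a signtool command line in place."""
    m = SHA1_ARG.search(cmd)
    if m is None:
        raise ValueError("no /sha1 argument found")
    normalized, findings = audit_thumbprint(m.group(1))
    return cmd[:m.start(1)] + normalized + cmd[m.end(1):], findings

# Constructed sample: the question's command shape with a LEFT-TO-RIGHT MARK
# (U+200E) in front of a placeholder thumbprint.
SAMPLE = ("signtool.exe sign /a /sha1 "
          "\u200e1234567890abcdef1234567890abcdef12345678"
          " /tr http://timestamp.comodoca.com /td SHA256 /v Setup.msi")

if __name__ == "__main__":
    fixed, findings = repair_command(SAMPLE)
    for index, code_point, name in findings:
        print(f"offset {index}: {code_point} {name}")
    print(fixed)
```

Running the same check over the thumbprint property in a build script catches pasted-in formatting characters before they turn into an "Invalid SHA1 hash format" error at signing time.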
0

I solved it by providing the thumbprint in the build command itself as follows:

msbuild /restore /t:Publish /p:TargetFramework=net6.0-windows10.0.19041 /p:configuration=release /p:PackageCertificateThumbprint=897C9032E6BD06D32A315173D09C93B06CBDE1B4

Remove the thumbprint from the .csproj; it should look like this:

<PackageCertificateThumbprint></PackageCertificateThumbprint>
Jeremy Caney
Rohith