
Posted (edited)

Lately, I've been trying to figure out how to code sign something (either something I've written or an installer I make out of a script).  I've read a lot of material that says a lot of different things, with different commands and the like, so it's been confusing trying to figure out the right tools and the right commands to get a good result. 

I figured out I could use the verify command of signtool.exe to check things.  I get this error, which reflects what I see under the Digital signatures tab of the file properties as well:

SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Unfortunately, I haven't and I'm not seeing anything indicating what I'm doing wrong or a step I'm leaving out.  Here's what I'm doing to create my certificate files...

Quote

makecert.exe -sv MyPrivateKeyFile.pvk -r -n "cn=(my signer name)" MyCertificateFile.cer ^
             -b 04/01/2018 -e 04/01/2019 -$ individual -a sha512
cert2spc.exe MyCertificateFile.cer MyCertificateFile.spc
pvk2pfx.exe -pvk MyPrivateKeyFile.pvk -spc MyCertificateFile.spc -pfx MyCertificateFile.pfx -pi (test password)

and what I'm signing my file with:

Quote

signtool.exe sign /d "Description" /du "Me.Com" ^
     /f MyCertificateFile.pfx /p test /v ^
     /t http://timestamp.verisign.com/scripts/timstamp.dll %1

I figured out that I needed to "install the certificate" from another error I was getting.  My understanding is doing this locally, I still have to have something for it to compare against to get the fullest result I can expect.  Then too, I probably won't get the fullest result without having a paid certificate at a public provider...

Could anyone show me what I'm doing wrong and walk me through what to expect?  I might just be doing something wrong, but I may not be understanding something correctly too.  At least give me an idea of what this looks like done correctly?

Edited by Glenn9999


I am not sure I understand the issue.

If you install the Certificate locally, the executable should be signed locally (and locally only), exactly like it will be *everywhere* when using a "public" (and "paid") certificate.

Can you try only doing EXACTLY what is here?

https://msdn.microsoft.com/en-us/library/windows/desktop/jj835832(v=vs.85).aspx

jaclaz
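
The local-trust behaviour described in the reply above, as an added example that is not part of the thread: a batch script that uses signtool.exe and certutil.exe to verify a signed file, add the self-signed certificate to the current user's Trusted Root store, and verify again. The file name MyCertificateFile.cer is taken from the first post; the script name is hypothetical.

```bat
@echo off
rem Added example, not from the thread. Run from the folder that holds
rem MyCertificateFile.cer (the file makecert.exe wrote in the first post).
rem Usage: check-test-signature.cmd signed-file   (script name is hypothetical)
setlocal
set "CER=MyCertificateFile.cer"
if "%~1"=="" (
    echo usage: %~nx0 signed-file
    exit /b 2
)
if not exist "%CER%" (
    echo %CER% not found in the current folder
    exit /b 2
)

rem 1. Baseline: verify with the Authenticode policy (/pa). Without /pa,
rem    signtool applies the Windows driver verification policy instead.
signtool.exe verify /pa /v "%~1"
echo signtool exit code before trusting the test root: %errorlevel%

rem 2. Add the self-signed certificate to the current user's Trusted Root
rem    store. Windows asks for confirmation; the trust applies to this
rem    user on this machine only.
certutil.exe -user -addstore Root "%CER%"
if errorlevel 1 exit /b 1

rem 3. Verify again: the chain now ends in a root this user trusts.
signtool.exe verify /pa /v "%~1"
set "RESULT=%errorlevel%"
echo signtool exit code after trusting the test root: %RESULT%

rem 4. When testing is done, take the test root out of the store again:
rem    certutil.exe -user -delstore Root "signer name used with -n"
exit /b %RESULT%
```

Any other machine that opens the signed file still reports the untrusted-root result until the same certificate is added to its store.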

17 hours ago, jaclaz said:

Can you try only doing EXACTLY what is here?

Same result.

20 hours ago, Glenn9999 said:

Same result.

Hmmm.

Allow me to doubt that. (in the sense that using a completely different set of instructions, while it may well produce something "flawed", it is probable that the result would come out as differently flawed).

Maybe it is an issue with versions of the OS and tools used? :dubbio:

jaclaz

13 hours ago, jaclaz said:

Maybe it is an issue with versions of the OS and tools used? :dubbio:

I've tried this enough myself using different pages and variations (I usually do that when I post anything).  I asked the question the way I did, because I have to think I'm missing some kind of step along the way.  Like if I have to put the same information in the manifest that's in the certificate when I compile something, or the like.  Hard to know when you just start out and try to learn something without knowing what the proper result should look like.
