Code signing fails

  • Question

  • I'm trying to sign an installer on Vista using a test certificate. I made a bat file to automate the process from some instructions I found on MSDN. But it doesn't seem to work... I'm wondering if anyone else knows the process for test signing an installation file on Vista. Here is the bat file I used:

    set name=%1
    set target=%2
    makecert.exe -r -sv %name%.pvk -n "cN=%name%" %name%.cer
    pvk2pfx.exe -pvk %name%.pvk -spc %name%.cer -pfx %name%.pfx -po password
    CertMgr.exe -add %name%.cer -s -r localMachine root
    signtool.exe sign /f %name%.pfx /p password /v %target% /t http://tsatest1.digistamp.com/TSA
    signtool.exe verify /a /v %target%

    And the error I get:

    c:\p4\quicksilver\CodeSigning>signtool.exe verify /a /v FlickrApiGen.exe

    Verifying: FlickrApiGen.exe
    Unable to verify this file using a catalog.
    SHA1 hash of file: F13C98875AC35C9A5D0B47BD600B31409CD98E46
    SignTool Error: A certificate chain processed, but terminated in a root
            certificate which is not trusted by the trust provider.
    Signing Certificate Chain:
        Issued to: foo
        Issued by: foo
        Expires:   12/31/2039 1:59:59 PM
        SHA1 hash: E53194548C57C45BB512C7F00BF9C3B4451A846D

    File is not timestamped.
    SignTool Error: File not valid: FlickrApiGen.exe

    Number of files successfully Verified: 0
    Number of warnings: 0
    Number of errors: 1

    Thanks,
    Chris
    Monday, December 10, 2007 12:43 PM

All replies

  • Signtool needs the target filename to be the last argument on the command line, so use:

    signtool.exe sign /f %name%.pfx /p password /v /t http://tsatest1.digistamp.com/TSA %target%

    and the timestamp will be correctly added.

    But I still get the error 'Unable to verify this file using a catalog'

    Also, since I am signing an ActiveX control, the browser still says 'Unknown Publisher'. Any ideas?

    Friday, January 11, 2008 12:49 PM
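
Added example, not part of the thread: a small Python triage of `signtool verify /a /v` output that separates the conditions mixed together in the log above (untrusted root, self-signed signer, missing timestamp, catalog lookup miss). The function and key names are hypothetical, and the sample text is the output quoted in the question.

```python
import re

# Sample input: the verify output quoted in the question above.
SAMPLE = """\
Verifying: FlickrApiGen.exe
Unable to verify this file using a catalog.
SHA1 hash of file: F13C98875AC35C9A5D0B47BD600B31409CD98E46
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.
Signing Certificate Chain:
    Issued to: foo
    Issued by: foo
    Expires:   12/31/2039 1:59:59 PM
    SHA1 hash: E53194548C57C45BB512C7F00BF9C3B4451A846D

File is not timestamped.
SignTool Error: File not valid: FlickrApiGen.exe

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
"""

def _first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def triage(output):
    """Classify the findings in `signtool verify /v` text output."""
    flat = " ".join(output.split())  # undo wrapping inside long error messages
    subject = _first(r"Issued to: (.+)", output)
    issuer = _first(r"Issued by: (.+)", output)
    errors = _first(r"Number of errors: (\d+)", output)
    return {
        "file": _first(r"Verifying: (.+)", output),
        # The chain built, but its root is not in a store the trust provider accepts.
        "untrusted_root": "terminated in a root certificate which is not trusted" in flat,
        # First certificate listed is issued by itself (test certificate from makecert -r).
        "self_signed_leaf": subject is not None and subject == issuer,
        # No timestamp: the signature stops validating once the certificate expires.
        "not_timestamped": "File is not timestamped" in flat,
        # With /a, printed when no catalog covers the file and signtool
        # moves on to the embedded signature.
        "catalog_miss": "Unable to verify this file using a catalog" in flat,
        "errors": int(errors) if errors is not None else None,
    }
```
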