SignTool reported an error 'An internal certificate chaining error has occurred.'

  • Question

  • I am new to code signing.

    After I switch from the temporary test certificate to a real certificate from a CA, when I publish, I get two errors:

    "Error 1 Cannot publish because a project failed to build."
    "Error 2 SignTool reported an error 'An internal certificate chaining error has occurred.
    '."

    and when I check "Sign the assembly", when I build, it asks for a password;
    after I enter the password, it says "Cannot find the certificate and private key for decryption".

    Help me.

    Thanks

    Wei
    Monday, October 17, 2005 2:52 PM

Answers

  • For Click Once Manifest Signing, you need to have the trusted chain to sign.   If you are talking about Assembly Signing - then you CAN and need to remove the chaining information to work with assembly signing.  BTW, Click Once Signing and Assembly Signing are two distinct processes and do not need to be done together. 

    Here is a good link regarding when you should sign (strong name) your assembly.

    http://msdn2.microsoft.com/en-us/library/h4fa028b(en-US,VS.80).aspx

    For Assembly Signing - to remove the chaining information you need to import the pfx file into your personal certificate store.  Open up your certificate manager (from your Start|Run type "certmgr.msc") and expand "Certificates\Personal\Certificates".  Right click on Certificates and select "All Tasks|Import".  Run through the Import Wizard and make sure you select the "Mark this key as exportable" checkbox within this wizard.   Once the cert has been imported - select the certificate in the Certificate Manager - right click on it and select "All Tasks|Export".  Make sure you select the option to "export private key".  On the "Export File Format" window of this export wizard, there will be an option to "include all certificates in the path if possible".  Do not check that option. By not checking that option you will strip out the chaining information.  Finish the wizard...  This pfx file should now be usable for assembly signing.

    For Click Once Signing - you get this "chaining error" typically when you do not have the correct issuer certificates in your Trusted Root Certificate Authorities store.  If you do not have a root certificate (typically a .cer file) from your issuer (CA), you will likely have to go to your certificate issuer and get one.

    Hope this helps!  I will monitor this posting to see how you are coming along.

    Robert Schoen (MS Visual Basic QA)

    Friday, November 18, 2005 4:59 PM
    Moderator
  • No worries....

    So I am assuming you still have the "chaining" error on build for the Click Once Manifest part.  You need to get the trusted root installed on that machine. 

    For the Assembly Signing - the error you were getting ("Cannot find the certificate and private key for decryption") I believe is due to the actual pfx file that you are using having some "chaining" information.  You can re-export the pfx file from the certmgr.msc snap-in and not include the chaining information, and this might correct that.  A PFX file with chaining information can cause this problem...and we should see about addressing that at some point.

    I have to go now...but will continue trying to help you through this issue.

    Friday, October 21, 2005 10:28 PM
    Moderator
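The two answers above describe the same checks by hand in certmgr.msc: does the certificate chain to a trusted root on this machine (needed for ClickOnce manifest signing), are KU/EKU set for code signing, and does the PFX carry issuer certificates that have to be stripped for assembly signing. The PowerShell below, an added example that is not part of the original thread, scripts all of that with the PKI module cmdlets (Get-PfxData, Import-PfxCertificate, Export-PfxCertificate -ChainOption EndEntityCertOnly). The file paths and the password are assumptions; substitute your own.

```powershell
# Added example, not from the original thread: check a code-signing PFX for the
# two problems discussed above (no trusted chain on this machine; KU/EKU not
# set for code signing) and re-export it without the issuer certificates.
# The paths and password below are assumptions; substitute your own.
$PfxPath  = 'C:\hcp\ca\mypfx.pfx'          # assumption: output of pvk2pfx as in the thread
$OutPath  = 'C:\hcp\ca\mypfx-nochain.pfx'  # assumption
$Password = ConvertTo-SecureString 'ChangeMe' -AsPlainText -Force   # assumption

# 1. What is inside the PFX? OtherCertificates holds the issuer chain that the
#    certmgr.msc export wizard adds when "include all certificates" is checked.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
$leaf = $pfx.EndEntityCertificates | Where-Object HasPrivateKey | Select-Object -First 1
"Subject            : $($leaf.Subject)"
"Issuer             : $($leaf.Issuer)"
"Issuer certs in PFX: $($pfx.OtherCertificates.Count)"

# 2. Does the certificate chain to a root in this machine's trusted stores?
#    ClickOnce manifest signing needs this to succeed; if it fails, install the
#    CA's root (.cer) into Trusted Root Certification Authorities first.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($leaf)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain builds; root = $($root.Subject)"
} else {
    'Chain does NOT build:'
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
}

# 3. KU / EKU: if present, KU must include Digital Signature and EKU must
#    include Code Signing (OID 1.3.6.1.5.5.7.3.3).
$ku  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$eku = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ku -and -not $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    'WARNING: Key Usage is set but lacks Digital Signature'
}
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.3')) {
    'WARNING: Enhanced Key Usage is set but lacks Code Signing'
}

# 4. Re-export with the end-entity certificate only. This is the scripted form
#    of the import/export walk-through in the answer above: import with an
#    exportable key, export with "include all certificates in the path" off.
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $Password -Exportable |
            Where-Object HasPrivateKey | Select-Object -First 1
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($imported.Thumbprint)" -FilePath $OutPath `
                      -Password $Password -ChainOption EndEntityCertOnly | Out-Null
$check = Get-PfxData -FilePath $OutPath -Password $Password
"Wrote $OutPath; issuer certs in new PFX: $($check.OtherCertificates.Count)"
```

Run it once before touching the project's Signing page: if step 2 reports a failing chain, fix the root store first, since that alone produces the "internal certificate chaining error" on ClickOnce manifests; only then use the chain-free PFX from step 4 for the "Sign the assembly" box. The chain check deliberately skips revocation so it works offline and reports path problems only.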

All replies

  • My first guess is that your certificates don’t chain up to a trusted root. Currently in order to sign we require the certificate to be trusted. If you didn’t receive the certificate from a root authority, but still trust it and wish to use it you can add it to your trusted store.


    If you do have a trusted certificate let me know and I can ask around.
     

    Regards,

    Patrick Baker

    Microsoft Visual Basic Deployment & Designer Team

    ------------------------------------

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

    Thursday, October 20, 2005 1:04 AM
    Moderator
  • It's a certificate from Thawte. Is it a problem if I generate the pfx file on another computer using the tool in Framework 1.1?

    I generated the pfx file on computer A using the tool in the Framework 1.1 SDK.

    I am using the pfx file on computer B in VS 2005 RC.
    Thursday, October 20, 2005 2:26 AM
  • It should not matter where you generate it, but I don’t quite understand what you mean when you say you generated it using the FX 1.1 tool AND that the certificate was issued from Thawte.

    Going with the Thawte angle, is the certificate marked for Code Signing? Most Thawte certificates are only for email signing unless you specifically ask for a code signing certificate.

    Another possibility is that the Certificate is enabled for code signing but the certificate has the optional KEY_USAGE and/or ENHANCED_KEY_USAGE bits set.  If that is the case you may be running into a bug that was fixed in build 50727.27. What build are you using?

     

    Regards,

    Patrick Baker

    Microsoft Visual Basic Deployment & Designer Team

    ------------------------------------

    This posting is provided "AS IS" with no warranties, and confers no rights.

     

    Thursday, October 20, 2005 4:18 PM
    Moderator
  • I got two files from Thawte, one is .pvk, the other is .spc. I could not find the pvk2pfx.exe in my developing computer A, so I went to the computer B with FX 1.1 to run the following command, **** represents my password
    "pvk2pfx -pvk c:\hcp\ca\mykey.pvk -pi **** -spc c:\hcp\ca\mycert.spc -pfx c:\hcp\ca\mypfx.pfx"

    after that, I have the .pfx file. then I try to sign my code in VS 2005 in computer A.

    Yes, the certificate I bought is a code signing certificate, aka in Thawte a "Microsoft Authenticode (Multi-Purpose) Certificate".

    My VS2005 version is 50727.26,
    Where can I get 50727.27? It is not on MSDN, is it?

    Thanks

    Thursday, October 20, 2005 4:33 PM
  • Wei - let's tackle that Click Once Manifest signing issue first...From your comments it sounds like both signing features are still not working for you.

    Click Once Manifest signing...
    Are you still getting the "chaining error" when building?  If yes, please correct this first.  On the Signing page - you can click the "More Details" button to review the certificate settings.  On the Certificate Path tab, make sure that the chaining/path is recognized.  If chaining was the only problem this should fix both the assembly and CO signing issues.

    Continuing with what Patrick mentioned, if you have EKU and/or KU settings in your certificate, these also need to be correctly set for a "code signing" certificate.  For example, if the KU value is set it must contain the "Digital Signature" setting.  If the EKU setting is set, it must contain the "Code Signing" setting.  You can check the EKU and KU settings by looking at the "Details" tab and selecting "Show: Extensions Only" and reviewing the values for "Key Usage" and "Enhanced Key Usage".

    I will monitor this thread and see your progress.

    Thanks
    Robert Schoen  (MS Visual Basic QA)


    Friday, October 21, 2005 4:41 PM
    Moderator
  • Robert, Sorry, I did not give More Details.

    In "More Details", on the General tab, it has yellow ! mark, and says "Windows does not have enough information to verify this certificate".

    On the Certificate Path tab, it has my company's name with yellow ! mark. and at the bottom it says " The issuer of this certificate could not be found."

    Thanks
    Friday, October 21, 2005 7:43 PM
  • Robert,

    The 1st issue of signing the ClickOnce manifest is solved by installing the trusted root on my development computer. With your instruction on installing the trusted root, I went to my CA vendor's website to download the root certificate.

    You are right on 2nd issue of assembly signing, after I re-export pfx file without chaining information, I successfully signed my application.

    Thank you so much.

    Wei
    Saturday, October 22, 2005 10:02 PM
  • Cool - Glad To Help!

    There will be some docs related to signing the manifest and assembly signing via this Signing page to hopefully make this easier for folks.  The issues that you ran into are things we will have to handle better in the future...

    thanks!
    Robert Schoen (MS Visual Basic QA)
    Monday, October 24, 2005 7:03 PM
    Moderator
  • I have the same problem, can you explain more about exporting the file without chaining information? I don't see that anywhere.

    I still have the message Windows does not have enough information to verify this certificate
    Thursday, November 17, 2005 3:37 PM
  • Thank you, that worked for me!!!
    Friday, November 18, 2005 7:22 PM
  • Cool!  Thanks for replying with your status!

    Robert Schoen (MS Visual Basic QA)
    Monday, November 21, 2005 4:52 PM
    Moderator
  • Hi,

    Our application doesn't pass test case 5 (signed files and executables) and I'm not even sure it passes test case 16 (signed ClickOnce manifest).

    For test case 5, I saw using signtool that none of our exe and dll files are signed.

    For test case 16: when I try to install the application after publishing (with ClickOnce) and click on the "publisher" link to see the certificate, I get "the issuer of the certificate could not be found".

    So I think the certificate is not valid.

    Our certificate comes from GlobalSign. They gave us three files:

    • cert_995533478.pem
    • exportIE.pfx
    • GlobalSignKey.pfx

    What should I do with them (our product is developed on .NET 2.0 in Visual Studio 2005) to pass test cases 5 and 16?

    thanks

    Thursday, April 19, 2007 1:43 PM
  • Moreover, in the project properties in Visual Studio, in the "Signing" part, when I click on "More Details", I can see that the certificate is valid; I don't have the message "the issuer of the certificate could not be found".
    Thursday, April 19, 2007 2:38 PM
  • No one has an answer ?
    Wednesday, April 25, 2007 8:17 AM
  • Hi, I receive the same error when I try to sign a byte[] type, specifically on the ComputeSignature method.

    I don't understand what I need. In the Certificates console I can see my certificate and its path. The certificate and the root authority appear to be OK.

    I appreciate any help.

    regards

    Thursday, September 6, 2007 6:40 PM
  • I also faced a similar problem: when I tried to include the .pfx file in my VS2005 project assembly it gave the same message "Cannot find the certificate and private key for decryption",
    and after importing/exporting and then using the .pfx file, this resolves only the problem of importing the certificate, but when I build the project and check the signing of the setup I find that the product is not signed. I verified it through the properties of the setup and there is no tab specifying the certificate information for the product. So it doesn't resolve the problem but creates a new problem.

     

    the solution I followed is specified at

    https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1078

    if anybody have the reason of not signing after using this solution please help with that

    Monday, October 1, 2007 11:52 AM
  • I have a Windows application project that has to be signed. I received the .spc and .pfx files from my client (he has them from Thawte). I converted these files to .pfx and by right-clicking an assembly - Properties - Signing I specified the .pfx file. I forgot to mention that I used the export operation to avoid getting the error message.
    Everything is OK with no errors. The problem is that after compiling, the assembly is not signed - the 'Digital Signature' tab when clicking 'Properties' is not present. I use VS 2008. Do I miss something? Thanks
    Tuesday, November 18, 2008 9:37 AM
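The last three posts all report the same symptom: the PFX is accepted on the project's Signing page, yet the built exe/dll has no Digital Signatures tab. That is expected. "Sign the assembly" on that page strong-names the assembly (the MSDN link Robert gave is about strong naming), and "Sign the ClickOnce manifests" signs only the manifests; neither puts an Authenticode signature on the binaries themselves. The PowerShell below, an added example that is not part of the original thread, applies that signature with signtool after the build and then verifies it. The SDK path, PFX path, password, output folder and timestamp URL are assumptions.

```powershell
# Added example, not from the original thread: Authenticode-sign built binaries
# with signtool and confirm the result. The VS Signing page's "Sign the
# assembly" box strong-names the assembly; it does not produce the Digital
# Signatures tab, which only appears after signtool signs the file.
# SDK path, PFX path, password, output folder and timestamp URL are assumptions.
$SignTool     = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'   # assumption
$Pfx          = 'C:\hcp\ca\mypfx.pfx'                                            # assumption
$PfxPassword  = 'ChangeMe'                                                       # assumption
$TimestampUrl = 'http://timestamp.digicert.com'   # assumption: use your CA's RFC 3161 server
$BinDir       = '.\bin\Release'                                                  # assumption

$targets = Get-ChildItem $BinDir -Recurse -Include *.exe, *.dll

foreach ($f in $targets) {
    # /fd SHA256 selects the file digest; /tr + /td request an RFC 3161 timestamp
    # so the signature stays valid after the certificate itself expires.
    & $SignTool sign /f $Pfx /p $PfxPassword /fd SHA256 /tr $TimestampUrl /td SHA256 $f.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $($f.FullName)" }
}

# Verify from PowerShell: Status must be Valid. NotSigned here means the file
# carries no Authenticode signature, whatever its strong-name state.
$bad = @()
foreach ($f in $targets) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    '{0,-40} {1,-12} {2}' -f $f.Name, $sig.Status, $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') { $bad += $f.Name }
}
if ($bad) { throw "Unsigned or invalid: $($bad -join ', ')" }

# Same check with signtool itself; /pa selects the default Authenticode policy.
& $SignTool verify /pa /v $targets[0].FullName
```

Wire this in as a post-build step (or in the publish pipeline before the ClickOnce manifests are generated, since the manifests hash the files they reference). The same chain requirement from earlier in the thread applies: Get-AuthenticodeSignature reports NotTrusted, not Valid, on a machine that lacks the CA's root certificate.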
  • Hi, I have a certificate from my faculty mail server https://webmail.etf.unsa.ba. I exported the certificate using Firefox and installed it in Trusted Root Certification Authorities. When I click on the certificate path (in certmgr.msc) it shows "The issuer of this certificate cannot be found". How can I make the status "This certificate is OK"? The operating system is Windows 7. Please help!
    Sunday, February 6, 2011 1:31 PM