signtool failure "No certificates were found that met all the given criteria"

  • Question

  • I am using signtool.exe with a Symantec EV code signing USB token.

    Signing works fine from the command line ("administrator") and from a service ("nt authority\system"). When I try to run the service under the "administrator" account, signtool fails. Why does the "administrator" account command line work when the service doesn't?

    C:\Windows\system32>"c:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool.exe" sign /v /debug /fd sha256 /tr example.exe 

    The following certificates were considered:
        Issued to: ???
        Issued by: Symantec Class 3 Extended Validation Code Signing CA - G2
        Expires:   Thu May 10 02:59:59 2018
        SHA1 hash: ???

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria. 

    I also compared certificate files and they seem to be different:



    • Edited by narvakeemik Thursday, May 12, 2016 12:46 PM
    Thursday, May 12, 2016 8:57 AM

All replies

  • I have the same problem after getting a new certificate from Symantec with a SHA256 hash.
    Friday, July 8, 2016 8:08 PM
  • I've met the same problem. As far as I could understand, it happens because the SafeNet client is working in an interactive GUI session to show the token authentication dialog when necessary. Service accounts work in a different session and do not "see" the token certificate imported by SafeNet into the local store.

    I could not find a proper solution for that, and just had to make sure all tools that use the certificate run in the same session as SafeNet.

    Monday, July 11, 2016 3:00 PM
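
A way to check the session explanation given in the reply above, as an added example that is not part of the original thread: run this PowerShell script once from the interactive prompt and once from the service, then compare the session ID and whether each code signing certificate's private key can be opened. `Test-PrivateKeyReachable` is a hypothetical helper name, and its check is an approximation of signtool's "Private Key filter", not the same code path.

```powershell
# Added diagnostic (not from the thread). Run it in both contexts and diff the output.
$proc     = [System.Diagnostics.Process]::GetCurrentProcess()
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Who is running, and in which session? Services run in session 0,
# interactive logons in session 1 or higher.
[pscustomobject]@{
    User        = $identity.Name
    SessionId   = $proc.SessionId
    Interactive = [Environment]::UserInteractive
} | Format-List

# Hypothetical helper: tries to open the private key behind a certificate.
# HasPrivateKey only says the store entry points at a key container; opening
# the key is what shows whether the provider (here, the token) is usable.
function Test-PrivateKeyReachable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no key link in store' }
    try {
        # Requires .NET Framework 4.6 or later.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) { return 'not an RSA key' }
        $key.Dispose()
        return 'reachable'
    } catch {
        return "unreachable: $($_.Exception.Message)"
    }
}

# Enumerate code signing certificates visible to this account in both stores.
'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My' | ForEach-Object {
    $store = $_
    Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                PrivateKey = Test-PrivateKeyReachable $_
            }
        }
} | Format-List
```

If the certificate is listed in both runs but the private key only opens in the interactive one, the output is consistent with the session explanation; if the certificate is missing from the service run altogether, the store entry itself is not visible to that context.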