Unable to sign code with code-signing certificate


We purchased the Microsoft Authenticode certificate from Thawte. Now I have it in a PFX file. I try the following:

D:\sign>signtool sign /f ./cert/cert.pfx /p mypass /t http://timestamp.verisign.com/scripts/timstamp.dll "mySetup.exe"
Done Adding Additional Store
Successfully signed and timestamped: mySetup.exe

But when I run mySetup.exe, it runs like unsigned, and shows "Unknown Publisher". When I verify the EXE file with SignTool, I get the following.

D:\sign>SignTool verify mySetup.exe
SignTool Error: WinVerifyTrust returned error: 0x800B010A
SignTool Error: File not valid: mySetup.exe

Number of errors: 1

What is wrong?

code-signing
authenticode
signtool
asked on Stack Overflow Feb 22, 2012 by WindBridges • edited Jan 8, 2013 by Peter Mortensen

1 Answer


It may be related to the fact that Thawte uses an Intermediate Certificate for signing. They consider this to be within best practices, which I won't argue one way or the other.

From an end user standpoint, however, this can lead to complications. This is a known issue with VSTO (Visual Studio Tools for Office) solutions using ClickOnce, and may be what is affecting you here.

The solution for dealing with this is, sadly, that you will need to add the appropriate Intermediate CA's cert to all end user machines:

Resolution

The workaround to this issue is to include the Intermediate Certificate Authorities’ certificate on all end user machines where the application will be installed. As of now the issue is reported only with the handling of the Thawte certificate and would require that the Thawte intermediate certificate be installed on the end user's machine.

Thawte provides links to the appropriate CA certs for their Intermediate Certificates.

answered on Stack Overflow Jan 8, 2013 by taswyn
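As an added diagnostic (not part of the question or the answer above), the following PowerShell script shows where the chain breaks on a given machine: it runs signtool verify with the Authenticode policy (/pa; the default verify policy is the kernel-mode driver policy, which fails for ordinary executables) and then builds the signer certificate's chain the way Windows does, so a missing intermediate shows up as a PartialChain status. 0x800B010A is CERT_E_CHAINING ("a certificate chain could not be built to a trusted root authority"); the file path is a placeholder and signtool.exe is assumed to be on PATH.

```powershell
# Added example: diagnose an Authenticode chain failure such as 0x800B010A.
# $Path is a placeholder; point it at the signed executable under test.
param([string]$Path = ".\mySetup.exe")

# 1. Verify with the default Authenticode policy (/pa) and verbose chain output.
#    Without /pa, signtool applies the driver-signing policy instead.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe verify /pa /v $Path
    Write-Host "signtool exit code: $LASTEXITCODE"
} else {
    Write-Host "signtool.exe not found on PATH; skipping step 1"
}

# 2. Extract the signer certificate from the PE signature and build its chain
#    against this machine's certificate stores, as an end-user machine would.
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status: {0} ({1})" -f $sig.Status, $sig.StatusMessage)
if (-not $sig.SignerCertificate) { return }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Chain building only; revocation checking is a separate concern for this test.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($sig.SignerCertificate)
Write-Host ("Chain built to a trusted root: {0}" -f $built)

foreach ($el in $chain.ChainElements) {
    $errs = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $errs) { $errs = 'OK' }
    Write-Host ("  subject : {0}" -f $el.Certificate.Subject)
    Write-Host ("  issuer  : {0}" -f $el.Certificate.Issuer)
    Write-Host ("  status  : {0}" -f $errs)
}
# A PartialChain status on the leaf means the issuing intermediate CA certificate
# is neither embedded in the signature nor present in a local store, which is
# the situation the answer describes. Installing the intermediate on the end-user
# machine, or embedding it in the signature at signing time with signtool's /ac
# option, lets the chain reach the trusted root.
```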

User contributions licensed under CC BY-SA 3.0