
Signing CAB file with signtool not working any more (The signer's certificate is not valid for signing)


A few months ago I was able to successfully sign a CAB file with a test certificate I created on my server. Here are the steps I took:

makecert.exe -sv "Demo.pvk" -n "CN=Demo Company,[email protected]" "Demo.cer"

cert2spc.exe "Demo.cer" "Demo.spc"

pvk2pfx.exe -pvk "Demo.pvk" -pi "pvk_password" -spc "Demo.spc" -pfx "Demo.pfx" -po "pfx_password"

signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "D:\Setup.cab"

All the steps are successful except the last one with signtool, which returns: "The signer's certificate is not valid for signing". I have done research on the web about this error but nothing actually solved my problem. This error is usually caused by an expired pfx, but this is not the case here. I have successfully imported the certificate to the local cert store and checked its validity.

Why am I not able to sign the CAB with my pfx any more, even if I recreate it? Is there some Windows update responsible for this change?

I am open to suggestions for any other way to sign CAB with pfx using command prompt.


Solution

  • I have managed to crack this nut and signed the CAB with a test certificate.

    First I changed the makecert call by adding the -r parameter, which stands for self-signing:

    makecert.exe -sv "Demo.pvk" -n "CN=Gregor Primar SP,[email protected]" "Demo.cer" -r
    

    The next step was creating the pfx using makecert, not pvk2pfx any more:

    makecert -sk GpSolutionsKey -iv "Demo.pvk" -n "CN=Gregor Primar SP" -ic "Demo.cer" -sr currentuser -ss my -sky signature -pe
    

    This also imports the pfx to the user cert store (-sr currentuser).

    Then I opened mmc and added the Certificates snap-in (my user account). Selected the personal certificate and exported it to disk.

    The last step was signing using the following command:

    signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "d:\Setup.cab"
    

    And Setup.cab was successfully signed with Demo.pfx!
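
A way to inspect a PFX before handing it to signtool, as an added example that is not part of the original question or answer: it reports general properties that matter when a certificate is used for code signing (private key, validity window, EKU, key usage, chain status). The function name `Test-CodeSigningPfx` is hypothetical; the path and password are the placeholder values from the commands above.

```powershell
# Added example, not from the original post. Test-CodeSigningPfx is a
# hypothetical helper; 'Demo.pfx' / 'pfx_password' are the page's placeholders.
function Test-CodeSigningPfx {
    param(
        [string]$PfxPath = 'Demo.pfx',
        [string]$PfxPassword = 'pfx_password'
    )
    $path = (Resolve-Path $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path, $PfxPassword
    $now  = Get-Date

    # EKU: no extension means unrestricted; if present it must list
    # Code Signing (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    # Key usage: if the extension is present it must include DigitalSignature.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $sigFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $kuOk = (-not $ku) -or (($ku.KeyUsages -band $sigFlag) -ne 0)

    # Build the chain without revocation checks (test certificates publish no CRL).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject                 = $cert.Subject
        SelfSigned              = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey           = $cert.HasPrivateKey
        WithinValidityPeriod    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        EkuAllowsCodeSigning    = $ekuOk
        KeyUsageAllowsSignature = $kuOk
        ChainBuilds             = $chainOk
        ChainStatus             = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainSignatureAlgs      = ($chain.ChainElements |
            ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }) -join ' <- '
    }
}

Test-CodeSigningPfx | Format-List
```

For a self-signed test certificate, `ChainBuilds` is False with `UntrustedRoot` until the certificate is added to a trusted root store; keep such test roots off production machines.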