I am trying to sign my assemblies and setup files during project build using SignTool.exe. Following this answer I wanted to use the /sha1 option so that I don't need to specify the certificate password. However, when I do this I am getting an "Invalid SHA1 hash format" error. I have tried both from an MSBuild Exec task, from a Visual Studio Developer Command prompt and from a batch file all with the same error.
The command I'm trying is (obviously with a different key):
signtool.exe sign /a /sha1 1234567890abcdef1234567890abcdef12345678 /tr http://timestamp.comodoca.com /td SHA256 /v Setup.msi
I think my certificate is installed correctly and the SHA1 key is correct as it works with the SignFile MSBuild task correctly. I'd just use that but I also need to be able to sign my installer files which aren't built with MSBuild and hence need to be signed from a batch script.
So what could be the problem and how do I fix it?
Stupid mistake and I can't believe it took so long to realise. I had an extra space character before the thumbprint string which was the cause of the error.
Even after fixing that though I then got another error:
No certificates were found that met all the given criteria.
Running the command again with the /debug option listed all of the certificates it attempted to use and
After Hash filter, 0 certs were left.
The hash SHA1 hash for the certificate I wanted to use was exactly the same as I specified with the only exception being that the hash was all in upper-case letters. So tried the command again with the hash in all upper-case letters and... it worked.
As I haven't seen this requirement documented anywhere I thought I'd provide the answer here.