
Code signing problems


Short Version

I have some trouble signing my code using Windows 7/Signtool.exe, and I am seeking some advice/clarification on how to deal with the following issue: when I try to sign a .exe code file on Windows 7, using signtool and the /as option, signtool won't work; it complains about me trying to use some unsupported option. Signing without /as works on Windows 7, and signing with /as works on Windows 8.1 and Windows 10.

  1. Has anyone who is signing using /as on Windows 7 gotten signtool to work?

  2. Why would anyone want to use /as, if he has only one signature on a file?

Long Version

I was advised to sign my .exe files, mainly to make Windows warnings about the unknown origin of software go away, and did so for many years without thinking too much about it. I used signtool and a customer-provided pfx file, and was fine. The software is sold to customers worldwide, and needs to run on Windows XP and up. Inexperienced users might be bothered by a warning that the software was potentially dangerous; that's why signing was implemented years ago.

Recently the pfx file expired. Along with a new and valid certificate (by Verisign/Geotrust) I was given instructions that the new file now (supports? requires? enforces/uses?) sha256, and I need to use the following command line to sign my code:

    "signtool.exe" sign /n "..." /d "..." /du "..." /as /fd sha256 /tr "http://timestamp.geotrust.com/tsa" "<.exe file name>"

I imported the new pfx into my certificate store, deleted the old one (which was expired anyway) and gave it a try, but on my development machine (Windows 7 x64) this gave me an error message from signtool:

    SignTool Error: A required function is not present.
    This error likely means that you are running SignTool on an OS that
    does not support the options you've specified.

I tried it on a Windows 8.1 machine, and the command worked. My customer tried on his Windows 10 machine, and it worked too.

By trial and error I found that the /as option is causing the problem; if I omit it, I can sign on Windows 7 as well. The message seems to be pointing the right way, but when I read the docs at Microsoft (https://msdn.microsoft.com/de-de/library/8s9b9yaz%28v=vs.110%29.aspx#sign) there isn't any statement anywhere that the /as option is OS version dependent. So I suspect there is probably something else which needs an update, but since I have installed the latest .NET Framework (4.5.1), and no other dependency is listed, what else could I update? Moving my development platform to Windows 8 or Windows 10 isn't something I'd like to do right now either.

I thought about simply omitting the /as option. It seems to deal with multiple signatures appended to one file. If I follow my customer's requirement, he wants only one signature (the sha256 variant, using the new certificate) on the code anyway.

When I brought this up, my customer responded that he had been given the sample signtool command line by some techie from where he bought the certificate. On his test machine (Windows 10), he found it working. He didn't care if I omitted the option, provided I could guarantee that doing so has no adverse effects. I don't see any, since, as I explained, there is only one signature on the files, so an option which appends another one is, in my opinion, superfluous.

I am not 100% sure, however.


Solution

  • The Windows 7 SDK does not have the /as option. You have to move up to Win 8.1 or better.

    signtool sign /?

    Should show all the options.
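An added example, not code from the question or the answer: a PowerShell script that performs the check the answer suggests (whether the installed signtool lists /as under `signtool sign /?`) and then signs accordingly, dual-signing (SHA-1 primary plus an appended SHA-256 signature, which is what /as exists for) when the option is available and falling back to the single SHA-256 signature otherwise. It assumes signtool.exe is on PATH or passed via -SignTool, the certificate is in the current user's store, and -SubjectName is the value you would pass to /n; the function names are my own.

```powershell
# Added example (mine, not the asker's or the SDK's code). Assumes signtool.exe is on PATH
# or given via -SignTool, the new certificate is in the current user's store, and
# -SubjectName is what you would pass to /n. Helper function names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [Parameter(Mandatory = $true)][string]$SubjectName,
    [string]$SignTool = 'signtool.exe',
    [string]$TsaUrl   = 'http://timestamp.geotrust.com/tsa'
)

# The Windows 7 SDK signtool does not know /as; later SDKs list it in 'signtool sign /?'.
function Test-SignToolSupportsAppend {
    param([string]$Tool)
    $help = (& $Tool sign /? 2>&1) | Out-String
    return [bool]($help -match '(?m)^\s*/as\b')
}

# Run signtool and fail loudly: a silent signing failure ships an unsigned binary.
function Invoke-SignTool {
    param([string]$Tool, [string[]]$Arguments)
    & $Tool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool exited with $LASTEXITCODE for: $($Arguments -join ' ')"
    }
}

if (-not (Test-Path -LiteralPath $File)) { throw "File not found: $File" }

if (Test-SignToolSupportsAppend -Tool $SignTool) {
    # Dual-signing is what /as is for: the SHA-1 primary signature is written first,
    # then the SHA-256 signature is appended to it instead of replacing it.
    Invoke-SignTool $SignTool @('sign', '/n', $SubjectName, '/fd', 'sha1',
                                '/tr', $TsaUrl, '/td', 'sha1', $File)
    Invoke-SignTool $SignTool @('sign', '/n', $SubjectName, '/as', '/fd', 'sha256',
                                '/tr', $TsaUrl, '/td', 'sha256', $File)
} else {
    # Single signature (the asker's case): /as adds nothing here, so it is omitted.
    Invoke-SignTool $SignTool @('sign', '/n', $SubjectName, '/fd', 'sha256',
                                '/tr', $TsaUrl, '/td', 'sha256', $File)
}

# /pa verifies against the default Authenticode policy; /v prints the signer details,
# so the build log records which certificate and digest actually ended up on the file.
Invoke-SignTool $SignTool @('verify', '/pa', '/v', $File)
```

With only one signature the single-sign branch produces the same result as the customer's command line minus /as, which is why omitting the option is harmless in that case.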