
Why does signtool.exe only find the certificate when run as admin?


I'm setting up a new development laptop, and have installed a self-issued code signing certificate. I can see it in certmgr under my Current User's Personal Certificates.

When I try to build from the Developer Command Prompt For Visual Studio 2017 I get:
error : SignTool Error: No certificates were found that met all the given criteria.

This always worked fine on my old laptop.

I have found if I run the same build from the command prompt after starting it as admin that signtool succeeds and can find the cert.

This has happened to 3/4 colleagues when we've set up new laptops. One guy is ok and can sign without running as admin. On our old laptops we never had to run as admin.

I've tried googling to find what could be the cause, because I wasn't aware that running as admin or not should have any effect on this. I haven't found any reference to this problem.

How can we use signtool.exe without running it as admin?

When not running as admin it appears to be at the Private Key filter step where the cert I'm expecting to be selected gets filtered out:

**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.9.12
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************

C:\>signtool sign /v /debug /ph  /i "<issuedby>"  /fd sha256 /td sha256 "C:\TestSign.dll"

The following certificates were considered:
    Issued to: Scott Langham
    Issued by: <issuedby>
    Expires:   Sun Sep 25 09:54:55 2022
    SHA1 hash: <a_hash>

    Issued to: Scott Langham
    Issued by: <issuedby_somethingelse>
    Expires:   Wed May 13 15:51:14 2020
    SHA1 hash: <b_hash>

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Issuer Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

I've ensured the version of signtool.exe I'm using is the same as the one that my colleague who has this working is using (10.0.18362.1). I haven't been able to spot any other differences between our systems.


Solution

  • I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.

    • Run 'mmc' and add the 'Certificates' snap-in
    • Select the correct key store location
      • (mine is in Local Computer so I select 'Computer account' here)
    • Find and select the certificate
    • Right click on the certificate, select All Tasks > Manage Private Keys...


    • In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.

    Managing Certificate Permissions

    • Note: If you use a build machine, do the above steps for the account that performs the builds.
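The same private-key permission fix, scripted. This is an added example, not the answerer's code or anything from the Microsoft tooling the thread discusses. It locates the key file that backs the certificate (CAPI/CSP keys and CNG keys live in different folders), prints the current ACL so you can see which principals can use the key, and grants the build account access. It grants Read rather than the Full Control used in the answer above, since Read is all signtool needs to sign. The thumbprint `<a_hash>` and the account name are placeholders you must replace; the folder list is an assumption about the default Windows key-storage locations. Run it once from an elevated prompt; afterwards signing works from a normal prompt for that account.

```powershell
# Added example: grant a build/developer account access to a code-signing
# certificate's private key, equivalent to MMC > All Tasks > Manage Private Keys.
# Run once elevated; afterwards $Account can run signtool without elevation.
param(
    [string]$Thumbprint    = '<a_hash>',                          # placeholder: SHA1 hash shown by signtool /debug
    [string]$Account       = "$env:USERDOMAIN\$env:USERNAME",     # account that runs signtool / the build
    [string]$StoreLocation = 'LocalMachine'                       # 'LocalMachine' or 'CurrentUser'
)

$thumb = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert  = Get-ChildItem "Cert:\$StoreLocation\My" | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in $StoreLocation\My" }
if (-not $cert.HasPrivateKey) {
    # This is the condition signtool's 'Private Key filter' step rejects.
    throw "Certificate $thumb has no private key associated in this store"
}

# Resolve the on-disk key container name for both key storage providers.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName                               # CNG key
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CAPI/CSP key
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Assumed default key-storage roots for machine and user keys (CSP and CNG).
$roots = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
    "$env:ProgramData\Microsoft\Crypto\Keys",
    "$env:APPDATA\Microsoft\Crypto\RSA",
    "$env:APPDATA\Microsoft\Crypto\Keys"
) | Where-Object { Test-Path $_ }

$keyFile = Get-ChildItem -Path $roots -Recurse -Force -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container '$keyName' not found under: $($roots -join ', ')" }

Write-Host "Private key file: $($keyFile.FullName)"
$acl = Get-Acl -Path $keyFile.FullName

# Show who can currently use the key; a missing entry for $Account explains
# why signing only works when elevated (Administrators normally have access).
Write-Host 'Current ACL:'
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Read is sufficient for signing; avoid Full Control unless the account must
# also export or delete the key.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl
Write-Host "Granted Read on the private key to $Account"
```

Save as e.g. `Grant-SigningKeyAccess.ps1` and run `.\Grant-SigningKeyAccess.ps1 -Thumbprint <a_hash> -Account 'DOMAIN\buildsvc'` from an elevated PowerShell; for a build machine pass the service account that performs the builds, as the note above says. Printing the ACL before changing it is also a quick way to audit which accounts on a shared machine can already use a signing key.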