Tags: windows, digital-signature, signtool

Signtool PKCS7 Detached Signature fails with Error: pkcs7 sign


I have an issue with creating a detached PKCS#7 signature of a Zip file using Windows' signtool.exe.

I managed to sign an exe file with an embedded signature, but am struggling with the command to detach-sign the Zip file. I may be missing something obvious ...

PS C:\somewhere> Get-ChildItem -path cert:\LocalMachine\My


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint         Subject
----------         -------
0ABCD...01234      CN=my-signing-cert.example.com, OU=(obfuscated), O=(obfuscated)...



PS C:\somewhere> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /debug /v /tr http://timestamp.digicert.com /fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\test-tiny-zip-file.zip.sig" "C:\somewhere\test-zip-file.zip"


The following certificates were considered:
    Issued to: my-signing-cert.example.com
    Issued by: my-ca-cert.example.com
    Expires:   Wed Mar 23 15:33:34 2022
    SHA1 hash: 0ABCD...01234

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Hash filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: my-signing-cert.example.com
    Issued by: my-ca-cert.example.com
    Expires:   Wed Mar 23 15:33:34 2022
    SHA1 hash: 0ABCD...01234

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: pkcs7 sign." (-2147024893/0x80070003)


Solution

  • The issue is in the /p7 parameter. It takes a path to a folder, not to a file.

    /p7 Path Specifies that a Public Key Cryptography Standards (PKCS) #7 file is produced for each specified content file. PKCS #7 files are named path\filename.p7.

    Additionally:

    • the parameter /p7ce can have either of these two values for a detached signature: DetachedSignedData or pkcs7DetachedSignedData.
    • the parameter /p7co takes the value 1.2.840.113549.1.7.2, which maps to the RSA Signing RFC.
    
    # /p7 takes the output folder, not a file name; signtool writes the
    # detached signature as test-zip-file.zip.p7 inside that folder.
    & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" `
        sign /debug /v /tr http://timestamp.digicert.com `
        /fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData `
        /p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\" `
        "C:\somewhere\test-zip-file.zip"
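As an added example (not part of the answer above), here is the receiving side of the workflow: a PowerShell function that verifies the detached .p7 produced by signtool against the original zip using .NET's SignedCms, checks that the signer is the expected certificate, and rejects a signer whose chain does not build. It assumes Windows PowerShell 5.1 (where the Pkcs classes live in System.Security.dll) and that the output file is named test-zip-file.zip.p7 per the /p7 naming rule quoted above.

```powershell
# Added example: verify a detached PKCS#7 (CMS SignedData) signature produced by
# "signtool sign /p7 <folder> /p7ce DetachedSignedData" against the file it covers.
# Assumption: Windows PowerShell 5.1, so the Pkcs types come from System.Security.dll.
Add-Type -AssemblyName System.Security

function Test-DetachedPkcs7Signature {
    param(
        [Parameter(Mandatory)] [string] $ContentPath,    # the file that was signed (the zip)
        [Parameter(Mandatory)] [string] $SignaturePath,  # signtool writes <folder>\<filename>.p7
        [string] $ExpectedThumbprint                     # optional SHA1 thumbprint of the signer
    )
    # A detached SignedData carries no eContent, so the verifier must supply the
    # original bytes itself; the second constructor argument ($true) means "detached".
    $bytes   = [IO.File]::ReadAllBytes($ContentPath)
    $content = New-Object System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList (,$bytes)
    $cms     = New-Object System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $true
    try {
        $cms.Decode([IO.File]::ReadAllBytes($SignaturePath))
        # $true = verify the signature value only; chain trust is checked below.
        $cms.CheckSignature($true)
    } catch {
        Write-Warning "Signature does not match content: $($_.Exception.Message)"
        return $false
    }
    foreach ($signer in $cms.SignerInfos) {
        $cert = $signer.Certificate
        if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
            Write-Warning "Unexpected signer: $($cert.Subject) ($($cert.Thumbprint))"
            return $false
        }
        # Build the chain against the local trust stores so an untrusted or
        # revoked signing certificate is rejected even if the math checks out.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) {
            $why = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
            Write-Warning "Chain build failed for $($cert.Subject): $why"
            return $false
        }
    }
    return $true
}

# Usage with the paths from the question (thumbprint elided as in the original):
# Test-DetachedPkcs7Signature -ContentPath "C:\somewhere\test-zip-file.zip" `
#     -SignaturePath "C:\somewhere\test-zip-file.zip.p7" -ExpectedThumbprint "0ABCD...01234"
```

Flipping a single byte of the zip before running the check makes CheckSignature throw, so the function returns $false rather than silently passing.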