Authenticode - Sign the hash of a file with an external tool

I am trying to use signtool from MS to sign the hash of an executable file with an external tool.

Unfortunately, the /di option to inject the signed hash doesn't work.
There is no error message, but when I check the properties of the file there is the message "no signature was present in the subject"; the cert is present but not the signature, it seems.

I have followed vcsjones.dev on Custom Keys with Authenticode Signing from the post How to embed hash in exe file with signtool.exe.

  • Compute the hash and add the public cert:
    signtool sign /dg "C:\scratch\dir" /fd SHA256 /f public-cert.cer notepad.exe
  • Decode the base64 hash (I have tried also without decoding)
  • Sign the hash with an external tool (RSA 1.5 - 4096 - SHA256)
  • Encode the signature in base64 (I have tried also without encoding)
  • Inject the signature (add a .signed file)
    signtool sign /di "C:\scratch\dir" notepad.exe

I think the problem is the signature returned by my external tool, but there is no specification of the MS signature format (header, DER encoding, RFC, etc.); the Authenticode specification document from MS for PE files gives the whole signature structure but not the signature itself.

I have been trying different permutations for 3 weeks now; any help would be much appreciated.
Solution

  • The solution is to add the SHA header to the digest before signing it. The digest provided by signtool does not contain this header, even though it is necessary for the signature to be recognized by signtool.

    It should be documented ...
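
The "SHA header" the answer refers to is the DER-encoded DigestInfo prefix that RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2) places in front of the hash before padding; a verifier that decrypts the signature and finds only the bare 32-byte digest inside the padding rejects it. The Python below is an added illustration, not code from the question, the answer, signtool or vcsjones.dev: it builds both variants over a constructed stand-in digest and checks which one a standard RSA/SHA-256 verifier accepts, and it confirms that the manually prefixed digest produces the same bytes as the `cryptography` library's `Prehashed` signing. The base64 `.dig`/`.signed` handling mirrors the steps listed in the question; the key and the hashed data are constructed here rather than taken from a real PE file.

```python
"""Sign a pre-computed SHA-256 digest with RSASSA-PKCS1-v1_5, with and
without the DigestInfo ("SHA header") prefix, and see which one verifies.
Added example; the key, data and file contents are constructed, not real."""
import base64
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING(32) }
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pkcs1_v15_sign(private_key, t):
    """Raw RSASSA-PKCS1-v1_5 primitive: EM = 00 01 FF..FF 00 || T, s = EM^d mod n.
    `t` is whatever the caller decides to sign (with or without the header)."""
    numbers = private_key.private_numbers()
    n, d = numbers.public_numbers.n, numbers.d
    k = (n.bit_length() + 7) // 8
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("data too long for key size")
    em = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def sign_dig(private_key, dig_b64, with_header=True):
    """Take the base64 digest (the .dig content from the question's steps),
    optionally prepend the DigestInfo header, sign, and return base64 for the
    .signed file. with_header=False reproduces the failing variant."""
    digest = base64.b64decode(dig_b64)
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a raw SHA-256 digest")
    t = (SHA256_DIGESTINFO_PREFIX + digest) if with_header else digest
    return base64.b64encode(pkcs1_v15_sign(private_key, t)).decode("ascii")


def verifies(public_key, signature_b64, data):
    """True iff a standard RSA PKCS#1 v1.5 / SHA-256 verifier accepts it."""
    try:
        public_key.verify(base64.b64decode(signature_b64), data,
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def header_matches_library(private_key, digest):
    """The manual prefix must give the same bytes the library produces when
    told the input is already a SHA-256 digest (PKCS#1 v1.5 is deterministic)."""
    manual = pkcs1_v15_sign(private_key, SHA256_DIGESTINFO_PREFIX + digest)
    lib = private_key.sign(digest, padding.PKCS1v15(),
                           utils.Prehashed(hashes.SHA256()))
    return manual == lib


def demo(key_size=2048):
    """Returns (header_variant_verifies, bare_digest_variant_verifies, matches_lib)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    # Constructed stand-in for the bytes signtool hashed; the question's
    # setup used a 4096-bit key, which only changes key_size here.
    data = b"constructed stand-in for the Authenticode digest input"
    digest = hashlib.sha256(data).digest()
    dig_b64 = base64.b64encode(digest).decode("ascii")
    good = sign_dig(key, dig_b64, with_header=True)
    bad = sign_dig(key, dig_b64, with_header=False)
    pub = key.public_key()
    return verifies(pub, good, data), verifies(pub, bad, data), header_matches_library(key, digest)


if __name__ == "__main__":
    print(demo())
```

The `with_header=False` branch is exactly the "sign the raw digest" mistake: the RSA operation succeeds and yields a 512-byte blob of the right size, so nothing errors out, but any verifier that parses the recovered DigestInfo finds no header and treats the signature as absent or invalid. If the external tool exposes a "pre-hashed" or "DigestInfo" signing mode, using it is equivalent to prepending the prefix yourself.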