signtool

Signtool says "certificate is not suitable for code signing" but the same setup works on another Windows machine


I can't explain what happened with my VM, but signtool.exe has suddenly stopped working and is now complaining with "certificate is not suitable for code signing":

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd sha256 /t http://timestamp.digicert.com /f "D:\MY_AWESOME_CERT.pfx" /p MY_AWESOME_PW D:\MY_AWESOME_FILE.exe



Done Adding Additional Store
SignTool Error: The signer's certificate is not valid for signing.
SignTool Error: An error occurred while attempting to sign: D:\MY_AWESOME_FILE.exe

But running the same command on a different Windows machine (same OS version, same signtool.exe version and same signing key) works just fine.

Can't really tell what's going on here... Has anyone faced a similar problem in the past? How did you solve it?

It's important to state that my certificate is not a self-signed certificate.


Solution

  • The feedback we receive from signtool is not meaningful, and the error message I encountered could have many unrelated causes.

    I decided to explore the possibility that the root certificate in my system had become corrupted or invalid for some unknown reason, and I'm glad I did.

    To do this, open the Windows Certificate Manager (Windows + R > certmgr.msc) and navigate to "Root Certificate Authorities" > Certificates.

    Click the list and press CTRL + A to select all certificates, then right-click > All Tasks > Export.

    In the export options, choose PKCS #12 (.PFX) and use the default settings. Check the "Password" option and enter your password; this is necessary if you want to restore these certificates later.

    For encryption, I left it as it was (TripleDES-SHA1), and then save the file to the file system.

    Next, I repeated the process from a Windows machine where signing was working and copied the .pfx file to my machine where signing was failing.

    Back in certmgr.msc, I returned to the "Root Certificate Authorities" section and selected all records. Since we already have a backup, I simply pressed CTRL + A in the list and clicked the "delete" button.

    Confirm the deletion, and everything is now removed.

    Now, let's import the root certificates from our working machine. Since you've already copied the .pfx file to this machine, proceed with the import:

    Select the .pfx file containing the root certificates from the working machine that you previously copied. Enter the password you used during the export and accept all the certificates.

    Now, it's time to test the signtool.exe command. In my case, everything is now working as expected.

    I hope this guide helps anyone else facing a similar problem.
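The answer above rebuilds the user's Root store by hand through certmgr.msc. The following PowerShell script is an added example, not code from the question or the answer: it first checks what signtool needs from the certificate (the Code Signing EKU and a chain that builds to a trusted root), then writes a thumbprint snapshot of the Root stores so the working and failing machines can be diffed, and only imports the specific roots that are missing. The X509Chain check consults both the current-user and the local-machine Root stores, whereas certmgr.msc edits the current-user store only, so the snapshot records both. The .pfx path and password are the placeholders from the question; the output folder and function names are assumptions of this example.

```powershell
# Added example (not from the question or answer): diagnose the "not valid for
# signing" error and compare Root stores between two machines.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$PfxPath     = 'D:\MY_AWESOME_CERT.pfx'   # placeholder from the question
$PfxPassword = 'MY_AWESOME_PW'            # placeholder from the question
$OutDir      = Join-Path $env:TEMP 'root-store-check'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Load the signing certificate from the PFX (works on Windows PowerShell 5.1 and 7+).
$cert = [X509Certificate2]::new($PfxPath, $PfxPassword)

# 1. Enhanced Key Usage: code signing requires OID 1.3.6.1.5.5.7.3.3.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$ekuExt = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
$hasCodeSigning = [bool]($null -ne $ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid }))

# 2. Chain building: does the certificate chain to a root this machine trusts?
#    Revocation checking is disabled so that a trust failure is not masked by an
#    offline CRL/OCSP responder.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new($codeSigningOid)) | Out-Null
$chainOk = $chain.Build($cert)

"Subject          : $($cert.Subject)"
"Code Signing EKU : $hasCodeSigning"
"Chain builds     : $chainOk"
if (-not $chainOk) {
    # UntrustedRoot or PartialChain here points at the Root store, the case the answer fixes.
    foreach ($s in $chain.ChainStatus) {
        "  status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
foreach ($el in $chain.ChainElements) {
    "  element: $($el.Certificate.Subject) [$($el.Certificate.Thumbprint)]"
}

# 3. Snapshot both Root stores by thumbprint so the two machines can be compared.
$snapshot = Join-Path $OutDir "root-store-$env:COMPUTERNAME.csv"
Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Select-Object Thumbprint, Subject, NotAfter, PSParentPath |
    Sort-Object Subject |
    Export-Csv -Path $snapshot -NoTypeInformation
"Root store snapshot written to $snapshot"

# Run the script on both machines, copy the working machine's CSV over, then:
function Compare-RootStores {
    param([string]$WorkingCsv, [string]$FailingCsv)
    $working = Import-Csv $WorkingCsv
    $failing = Import-Csv $FailingCsv
    # Roots present on the working machine but absent on the failing one.
    Compare-Object -ReferenceObject $working -DifferenceObject $failing `
        -Property Thumbprint -PassThru |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object Thumbprint, Subject, NotAfter
}

# PowerShell equivalent of the answer's export step, run on the working machine:
# one DER .cer per root, named by thumbprint (roots carry no private key).
function Export-RootCertificates {
    param([string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($c in Get-ChildItem Cert:\CurrentUser\Root) {
        $target = Join-Path $Destination "$($c.Thumbprint).cer"
        Export-Certificate -Cert $c -FilePath $target -Type CERT | Out-Null
    }
}

# Import only the roots the comparison flagged, verifying each file's thumbprint
# against the expected value before it enters the store.
function Import-MissingRoots {
    param([string]$SourceDir, [string[]]$Thumbprints)
    foreach ($tp in $Thumbprints) {
        $file = Join-Path $SourceDir "$tp.cer"
        $c = [X509Certificate2]::new($file)
        if ($c.Thumbprint -ne $tp) { throw "Thumbprint mismatch for $file" }
        Import-Certificate -FilePath $file -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
    }
}
```

Typical flow: run the script on both machines, call `Compare-RootStores` on the failing one with the two CSV files, run `Export-RootCertificates` on the working machine, and pass the flagged thumbprints to `Import-MissingRoots`. Importing into the current-user Root store interactively shows the usual Windows confirmation dialog for each root, which is expected.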