
SignTool - unexpected internal error - Could not associate private key with certificate


I just received my code signing eToken (the little USB dongle) for my EV code signing certificate, and I'm trying to use it to sign my code. In Windows PowerShell (running as Administrator), I'm running:

    $signtool_path = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe"
    & $signtool_path sign /debug /n "<My Certificate Name>" /csp "eToken Base Cryptographic Provider" /k "Sectigo_20240215105611" /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 "C:\path\to\my\application\main.exe"

But it's giving me:

    After EKU filter, 1 certs were left.
    After expiry filter, 1 certs were left.
    After Subject Name filter, 1 certs were left.
    The following certificate was selected:
        Issued to: <My Certificate Name>
        Issued by: Sectigo Public Code Signing CA EV R36
        Expires:   Sat Feb 14 16:59:59 2026
        SHA1 hash: <Some Hash Code>

    SignTool Error: An unexpected internal error has occurred.
    Error information: "Could not associate private key with certificate." (-2147024891/0x80070005)

I'm not sure how to approach this. How do I make it associate the private key with the certificate?


Solution

  • In the end, what worked was to (in the SafeNet client) import the certificate to Windows (actually not 100% sure this was necessary), then look up the hash associated with the certificate (which you can see from running the original command in the question, or via the SafeNet client), and sign with the (ChatGPT-suggested) command:

    & $signtool_path sign /debug /sha1 <HASH_CODE_FOR_CERTIFICATE> /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 "C:\PATH\TO\MY\BUILD\main.exe"
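
The thumbprint lookup and signing step from the answer above, as an added PowerShell example that is not part of the original question or answer. It assumes the token's certificate is visible in the `CurrentUser\My` store after the import the answer mentions; `$subjectLike` is a placeholder, and the paths are the ones from the question.

```powershell
# Added example, not from the original post.
$signtool    = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe"
$target      = "C:\path\to\my\application\main.exe"
$subjectLike = "*<My Certificate Name>*"   # placeholder: put the certificate's subject name here

# Unexpired code-signing certificates in the user's store whose subject matches.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like $subjectLike -and $_.NotAfter -gt (Get-Date) })

# Show what was found. HasPrivateKey is true only when the store entry
# references a private key (here, the one held on the token).
$candidates | Format-Table Thumbprint, HasPrivateKey, NotAfter, Subject -AutoSize

$usable = @($candidates | Where-Object HasPrivateKey)
if ($usable.Count -ne 1) {
    throw "Expected exactly one usable certificate, found $($usable.Count). " +
          "Check that the token is plugged in and its certificate is imported."
}
$thumb = $usable[0].Thumbprint

# Select the certificate by SHA-1 thumbprint, as in the answer, instead of /n + /csp + /k.
& $signtool sign /debug /sha1 $thumb /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy and print the chain and timestamp.
& $signtool verify /pa /v $target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check from PowerShell that the file carries the certificate that was selected.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
    throw "Signature status is '$($sig.Status)' or the signer is not the selected certificate."
}
"Signed by: $($sig.SignerCertificate.Subject)"
"Timestamped: $([bool]$sig.TimeStamperCertificate)"
```

The token client will still prompt for the token password when `signtool sign` uses the key.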