Append signature block using signtool

  • Question

  • I successfully signed using signtool.exe, which is part of the Windows SDK.

    signtool sign /fd sha256 /a /f lost.pfx <filename>

    I am able to see the file signed; however, I attempted the /ac option of signtool, which adds additional entries to the signature block. So I used the following syntax; however, it resulted in an error:

    signtool sign /fd sha256 /a /ac lots1.pfx <filename>

    Is this a proper usage? If not, what would be the proper usage of this switch?

    An additional question: the file being signed is a typical PE format file, so I am not sure whether signing twice with a different certificate is allowed? Thanks,

    Tuesday, May 27, 2014 10:58 PM

Answers

  • I've never had a need to use the AC syntax before, but in the lab I was able to get it to work. You are missing the filename for the AC option to work with as well as the switch to indicate which cert is the primary signing cert (/f).

    signtool sign /fd sha256 /a /ac second.cer /f lots1.pfx <filename>


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    • Marked as answer by Amy Wang_ Monday, June 9, 2014 2:02 AM
    Wednesday, May 28, 2014 5:14 AM

All replies

  • Thanks, this syntax works. But it looks like there is more work ahead of me. The signing completed successfully; however, its certificate area still contains one certificate. Comparing the certificates, only the one specified with /f was there.

    Also, when verifying the signed file with the verify /ph switch, it threw this error:

    Signtool error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 

    FILE is not stamped

    Number of files successfully verified: 0

    number of warnings: 0

    number of errors 1:

    Still looking into what the issue is here. However, I still see this error when signing without the additional file (/ac), so this error does not seem to be specific to the /ac switch. It just appears there is still one certificate in the file after signing.


    • Edited by G_XPE Wednesday, May 28, 2014 6:25 PM
    Wednesday, May 28, 2014 6:21 PM
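An added check for the observation in the reply above (this code is not from the thread or from signtool): a small Python script that pulls the PKCS#7 SignedData out of a PE file's security directory and counts the certificates it carries, so the count can be compared for a file signed with and without /ac. It assumes a single WIN_CERTIFICATE entry with DER definite-length encoding, and the sample PE it builds is a constructed stand-in with placeholder certificates, not a real signed binary.

```python
import struct

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def count_signeddata_certs(pkcs7):
    """Number of entries in the 'certificates [0]' field of a PKCS#7 SignedData."""
    _, content_info, _ = der_tlv(pkcs7)                 # SEQUENCE { OID, [0] SignedData }
    _, signed_data, _ = der_tlv(list(der_children(content_info))[1][1])
    for tag, value in der_children(signed_data):        # version, digestAlgs, contentInfo, [0] certs, ...
        if tag == 0xA0:
            return sum(1 for _ in der_children(value))
    return 0

def authenticode_blob(pe):
    """PKCS#7 bytes from the PE security directory, or None if the file is unsigned."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24    # e_lfanew + "PE\0\0" + COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    # IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) stores a raw file offset, not an RVA
    off, size = struct.unpack_from("<II", pe, opt + (144 if pe32plus else 128))
    if size == 0:
        return None
    length = struct.unpack_from("<I", pe, off)[0]       # WIN_CERTIFICATE.dwLength
    return pe[off + 8:off + length]                     # skip dwLength/wRevision/wCertificateType

def der(tag, body):                                     # short-form DER encoder, for the sample only
    return bytes([tag, len(body)]) + body

def sample_signed_pe(n_certs):
    """Constructed sample: bare PE32 header + SignedData shell with n_certs placeholder certs."""
    certs = b"".join(der(0x30, der(0x02, bytes([i]))) for i in range(n_certs))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a")) + der(0xA0, certs) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")) + der(0xA0, signed))
    hdr = bytearray(0x40 + 24 + 224)                    # MZ stub + PE sig + COFF + PE32 optional header
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew
    struct.pack_into("<H", hdr, 0x40 + 24, 0x10B)       # PE32 magic
    struct.pack_into("<II", hdr, 0x40 + 24 + 128, len(hdr), 8 + len(pkcs7))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
```

The count includes any intermediate certificates signtool embeds alongside the signing certificate, so look at how the number changes with and without /ac rather than at the absolute value.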
  • What exactly are you trying to achieve by using more than one certificate?

    The /PH error is most likely because you are using a self-signed certificate or one that is untrusted.


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, May 28, 2014 9:19 PM
  • Hi,

    Do you need further assistance on this issue by now?

    If yes, please feel free to let us know.

    Have a nice day!

    Amy
    Friday, May 30, 2014 2:12 AM