I am unable to get the signtool certificate signing to work in Windows PowerShell with Azure Trusted Signing. I have verified that the correct dlib and json files exist and are properly referenced as environment variables in my command:

.\signtool sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib %ACS_DLIB% /dmdf %ACS_JSON% "<my file to be signed>.msi"
The complete output of this command is:
The following certificates were considered:
Issued to: --
Issued by: --
Expires: Sat Apr 05 06:20:17 2025
SHA1 hash: some-hash0
Issued to: A
Issued by: A
Expires: Sun Mar 14 13:41:25 2123
SHA1 hash: some-hash1
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
The following certificate was selected:
Issued to: --
Issued by: --
Expires: Sat Apr 05 06:20:17 2025
SHA1 hash: some-hash0
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
In search results and forum posts, I have not found a similar error code. I have looked through the Event Viewer, as suggested by some, but no 'Error' events exist to provide more context. The only related information I've found was on the Azure Support solutions page, which states:

If you get a SignerSign() failed error and you are signing an .appx/.appxbundle/.msix/.msixbundle, double check that the Publisher name in the manifest file matches the name on the signing certificate.

However, I have changed the Publisher name on my .msi file to every given 'name' from Azure with no luck. I have no way of checking which 'name' it refers to.
(I tried many times to post this to the Azure Q&A, but it was deleted every time for just mentioning certificates…)
2 Answers
This error is because SignTool is not invoking the Trusted Signing dlib.

Please double check that you have the latest and supported version of the Windows SDK and the latest dlib from here: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations

and double check the command: & "x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "x64\Azure.CodeSigning.Dlib.dll" /dmdf "metadata.json"

Also, check the details under 403 here: https://learn.microsoft.com/en-us/azure/trusted-signing/faq#common-error-codes-and-mitigations
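As an added example (not code from the question or the answer above), the following PowerShell script does the checks the answer asks for before it calls signtool: every path resolves, the signtool.exe and dlib builds are reported so they can be compared against the current SDK and Trusted Signing downloads, signtool and the dlib have the same bitness (the answer pairs the x64 signtool with the x64 dlib), and metadata.json parses and carries the three fields the Trusted Signing integration documents (Endpoint, CodeSigningAccountName, CertificateProfileName). It then runs the same sign command and verifies the result. Note that PowerShell expands environment variables as $env:NAME, not %NAME%, so the script reads ACS_DLIB and ACS_JSON through $env: and fails early if either is empty. The SDK bin directory is an assumed default; adjust it to the version installed on your machine.

```powershell
# Added example: pre-flight checks for SignTool + Azure Trusted Signing, then the sign call.
# The $SignToolDir default is an assumption about where the Windows 10 SDK is installed.
param(
    [Parameter(Mandatory)] [string]$File,
    [string]$SignToolDir = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64",
    [string]$Dlib        = $env:ACS_DLIB,    # PowerShell syntax; %ACS_DLIB% is only expanded by cmd.exe
    [string]$Metadata    = $env:ACS_JSON
)

$ErrorActionPreference = 'Stop'
$signtool = Join-Path $SignToolDir 'signtool.exe'

# Read the IMAGE_FILE_HEADER.Machine field to learn which architecture a PE file was built for.
function Get-PeMachine([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not a PE file (no MZ header)" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { throw "$Path has no PE\0\0 signature" }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {  # Machine follows the 4-byte signature
        0x8664  { 'x64' }
        0x014C  { 'x86' }
        0xAA64  { 'arm64' }
        default { 'unknown 0x{0:X4}' -f $_ }
    }
}

# 1. Every path must be non-empty and exist; an unset variable here silently becomes an empty string.
$paths = [ordered]@{ signtool = $signtool; dlib = $Dlib; metadata = $Metadata; file = $File }
foreach ($p in $paths.GetEnumerator()) {
    if ([string]::IsNullOrWhiteSpace($p.Value) -or -not (Test-Path -LiteralPath $p.Value)) {
        throw "$($p.Key) path is empty or does not exist: '$($p.Value)'"
    }
}

# 2. Report the builds so they can be compared with the current SDK and dlib releases.
'signtool.exe: ' + (Get-Item -LiteralPath $signtool).VersionInfo.FileVersion
'dlib:         ' + (Get-Item -LiteralPath $Dlib).VersionInfo.FileVersion

# 3. signtool can only load a dlib built for its own architecture.
$stMachine = Get-PeMachine $signtool
$dlMachine = Get-PeMachine $Dlib
if ($stMachine -ne $dlMachine) { throw "Bitness mismatch: signtool is $stMachine but the dlib is $dlMachine" }

# 4. metadata.json must parse and name the account, profile and endpoint the dlib will talk to.
$meta = Get-Content -LiteralPath $Metadata -Raw | ConvertFrom-Json
foreach ($field in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$field)) { throw "metadata.json is missing '$field'" }
}
"Signing with account '$($meta.CodeSigningAccountName)', profile '$($meta.CertificateProfileName)' at $($meta.Endpoint)"

# 5. Same command as in the question, built as an argument array so no shell quoting is involved.
$signArgs = @('sign', '/v', '/debug', '/fd', 'SHA256',
              '/tr', 'http://timestamp.acs.microsoft.com', '/td', 'SHA256',
              '/dlib', $Dlib, '/dmdf', $Metadata, $File)
& $signtool @signArgs
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE (if the service returned 403, see the linked FAQ entry)"
}

# 6. Confirm the signature and timestamp actually landed on the file.
& $signtool verify /pa /v $File
$sig = Get-AuthenticodeSignature -FilePath $File
"Status: $($sig.Status); Signer: $($sig.SignerCertificate.Subject)"
```

Run it as `.\Invoke-TrustedSign.ps1 -File .\installer.msi` from a PowerShell prompt in which ACS_DLIB and ACS_JSON are set (or pass -Dlib and -Metadata explicitly). Each check throws before signtool is ever started, so a wrong path, a 32-bit dlib next to a 64-bit signtool, or a truncated metadata.json shows up as a clear message instead of the generic SignerSign() failure.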