I just purchased a code signing cert (MS authenticode) from THAWTE and have installed it apparently on my build machine. I am logged in as a user and when I open a cmd prompt I can sign EXEs using the cert with signtool.exe.
Unfortunately this same command line does not work in the hudson process that is running on the machine.
the error message I get is:
SignTool Error: No certificates were found that met all the given criteria.
I presume this is because the hudson service is running under a different account than the account that I ran signtool.exe from and from the account I used to get the cert from thawte.
So, my question is: How do I fix this problem? I thought i was going to download a file from thawte, but instead it just used IE somehow to install the cert in the user's cache magically. I probably want to export (or whatever the correct term is) to a file that I can store/save or use on any other machine.
How do i do that and how do I call signtool correctly with either the file or the cert from another user in the system/services account?
SignTool is a command-line tool that digitally signs files, verifies the signatures in files, and timestamps files. For information about why signing files is important, see Introduction to Code Signing.
In Visual Studio components list find "Universal Windows App Development Tools", open the list of sub-items and select "Windows 10 SDK (10.0. 10240)". As josant already wrote - when the installation finishes you will find the SignTool.exe in the folders: x86 -> c:\Program Files (x86)\Windows Kits\10\bin\x86.
Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, double-click the code signing certificate that you just installed. If you have multiple code signing certificates, use the expiration date to determine which certificate is the correct one.
The signtool can be located by navigating to the directory %ProgramFiles(x86)%\Windows Kits\10\bin and searching for signtool .
Taken from signtool sign -h
output:
/s <name> Specify the Store to open when searching for the cert. The default
is the "MY" Store.
/sm Open a Machine store instead of a User store.
Getting this to work is a bit of a pain... I was able to get it to work by adding the certificates to the local machine store and using the /sm switch.
The /s switch allows you to select which pre-defined store to use. Unfortunately I can't find any documentation that lists what the available options actually are (@Microsoft signtool maintainer: please document this!). An additional complication is that it is hard to determine which store Hudson provides access to - it isn't the local security hudson account as you might expect.
Note: The "Personal" store listed in mmc views is the "MY" store when accessed from signtool.
Thankfully the /sm switch provides us with a get-out-of-jail-free card. Unfortunately this would be a security risk if your build server runs jobs for multiple organizations or departments. In my case it is only used by my group, so this doesn't bother me.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With