 

How to include entire certification path when signing code with signtool?

Tags:

code-signing

How can I include the entire certification path when signing code using signtool?

Older versions of signtool would include the entire certification path in a digital signature. As it is now, if I sign an executable with signtool:

signtool.exe sign /v /f avatar.pfx -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

the signature is not valid:


This is because there is no certification path:


Binaries signed with the older version of signtool worked fine:


How do I tell signcode to include the entire certification path when signing?

What is the proper way to sign a binary?


Update: SignTool version 6.1.7600.16385:


See also

  • How can I sign an ActiveX control with a code signing certificate and be a verified publisher?
  • Signing WinForms ClickOnce app with Certificate Chain
  • ClickOnce: Certificate cannot be validated
Ian Boyd asked Jul 04 '11 19:07


2 Answers

Use /ac and pass the filename of the .cer in which your certificate is rooted (for Verisign it was called MSCV-VSClass3.cer last time I checked when signing kernel code or other special code).

signtool.exe sign /v /f "Avatar.pfx" 
      /ac "Thawte Code Signing CA - G2.cer" 
      -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

This should be given by your CA. Usually MS offers bundles for the various CAs it accepts within Windows.

See:

  • Windows root certificate program members
  • Cross-Certificates for Kernel Mode Code Signing

Either way, to my knowledge this is only required for kernel code and very specific other things (e.g. Windows Security Center).

0xC0000022L answered Oct 19 '22 19:10
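
Signing with /ac as described above and then checking what the signature actually carries, as an added PowerShell example that is not part of either answer; the file names (Avatar.pfx, the .cer, app.exe) are assumptions taken from the question and answer, and the timestamp URL is the one used in the question:

```powershell
# Added example (not from the original post). Assumed names: Avatar.pfx,
# "Thawte Code Signing CA - G2.cer", app.exe; the timestamp URL is the question's.
param(
    [string]$Exe       = 'app.exe',
    [string]$Pfx       = 'Avatar.pfx',
    [string]$CrossCert = 'Thawte Code Signing CA - G2.cer',
    [string]$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'
)

# 1. Sign. /ac embeds the CA certificate in the signature so verifiers do not have
#    to find it locally; /fd SHA256 picks the file digest (needs a Windows 8 SDK
#    or later signtool; older builds only know SHA1).
& signtool.exe sign /v /fd SHA256 /f $Pfx /ac $CrossCert /t $Timestamp $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }

# 2. Verify with the default Authenticode policy (/pa); /v prints the chain it built.
& signtool.exe verify /pa /v $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed ($LASTEXITCODE)" }

# 3. List the certificates stored inside the PKCS#7 blob itself, independent of
#    what the local certificate store happens to contain.
function Get-EmbeddedSignatureCerts {
    param([string]$Path)
    Add-Type -AssemblyName System.Security            # SignedCms on Windows PowerShell 5.1
    $b      = [IO.File]::ReadAllBytes($Path)
    $peOff  = [BitConverter]::ToInt32($b, 0x3C)       # e_lfanew -> "PE\0\0"
    $opt    = $peOff + 24                             # start of the optional header
    $magic  = [BitConverter]::ToUInt16($b, $opt)      # 0x20B = PE32+, 0x10B = PE32
    $dirs   = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $secOff = [BitConverter]::ToInt32($b, $dirs + 4 * 8)   # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset)
    if ($secOff -eq 0) { return @() }                 # unsigned binary: no certificate table
    $len = [BitConverter]::ToInt32($b, $secOff)       # WIN_CERTIFICATE.dwLength (header included)
    [byte[]]$der = $b[($secOff + 8)..($secOff + $len - 1)]  # skip dwLength/wRevision/wCertificateType
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($der)
    return $cms.Certificates | ForEach-Object { $_.Subject }
}

$embedded = Get-EmbeddedSignatureCerts -Path $Exe
"Certificates carried inside the signature of ${Exe}:"
$embedded | ForEach-Object { "  $_" }

# The CA passed with /ac should be one of them; if not, the chain was not embedded.
$ca = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrossCert).Subject
if ($embedded -notcontains $ca) { Write-Warning "cross-certificate '$ca' is not embedded in $Exe" }
```

Step 3 is the useful check on a machine that lacks the intermediate CA: a signature that only validates because the verifier's own store supplies the missing certificate will show the gap here.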


If you use Thawte then download their primaryca.cer.

Download to file primaryca.cer and sign your file with:

signtool sign /f certificate.pfx /p PASSWORD /ac primaryca.cer APP.exe

Should work.

eleldidi answered Oct 19 '22 19:10