So I am signing a binary using signtool from the Windows SDK 8.1:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
When I look at it in the file properties, I can see the correct result.
However, when I use verify with this very signtool, I get, depending on the passed parameter:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
With /pa and /pa /all I can see both timestamps:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
1 sha256 RFC3161
but when trying to use /kp to verify against the kernel signing policy, signtool refuses to run that along with /all:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.
So I have two questions:
1. /kp and /all don't work together)?
2. signtool verify twice, once with /pa /all and once with /kp, to see all timestamps and verify against the kernel signing policy?

I've recently stumbled upon the same issue with /kp and /all, and completely by chance discovered that the order of arguments is important. If I specify /kp /all, I get "The /all option is incompatible with the /kp option". But if I pass /all /kp, verification works smoothly: it enumerates all signatures in the file and checks them all.
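As an added example (not from the question or the answer above), here is a PowerShell wrapper that runs the two verification passes discussed in the thread the way a release pipeline would: one pass under the default Authenticode policy with /pa /all to list every signature and timestamp, and one pass under the kernel-mode driver signing policy with the options in the order the answer found to work, /all before /kp. The signtool.exe path is the SDK 8.1 path from the question; the binary path is a placeholder, and the Invoke-SignToolVerify and Test-DualSignedBinary function names are my own.

```powershell
# Added example, not part of the original Q&A. Assumes signtool.exe from the
# Windows SDK 8.1 (path taken from the question) and a placeholder binary path.
$signtool = "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe"

function Invoke-SignToolVerify {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Options
    )
    # Merge stderr into stdout so SignTool Error lines and the
    # "Index Algorithm Timestamp" table are both captured for inspection.
    $output = & $signtool verify @Options $Path 2>&1 | Out-String
    [pscustomobject]@{
        Options  = ($Options -join ' ')
        ExitCode = $LASTEXITCODE      # 0 means signtool verified the file
        Output   = $output
    }
}

function Test-DualSignedBinary {
    param([Parameter(Mandatory)] [string] $Path)

    # Pass 1: default Authenticode policy, every signature in the file.
    # This is the pass that shows both the sha1 and the sha256 timestamp rows.
    $pa = Invoke-SignToolVerify -Path $Path -Options '/pa', '/all'

    # Pass 2: kernel-mode driver signing policy. /all must precede /kp;
    # '/kp /all' is rejected as incompatible, '/all /kp' checks all signatures.
    $kp = Invoke-SignToolVerify -Path $Path -Options '/all', '/kp'

    # Parse signature rows such as "0 sha1 Authenticode" and "1 sha256 RFC3161".
    $rows      = [regex]::Matches($pa.Output, '(?m)^\s*\d+\s+sha\d+\s+\S+')
    $hasSha1   = [bool]($rows.Value -match 'sha1\b')
    $hasSha256 = [bool]($rows.Value -match 'sha256')

    [pscustomobject]@{
        File             = $Path
        AuthenticodeOk   = ($pa.ExitCode -eq 0)
        KernelPolicyOk   = ($kp.ExitCode -eq 0)
        SignatureCount   = $rows.Count
        HasSha1AndSha256 = ($hasSha1 -and $hasSha256)
        KernelPassOutput = $kp.Output
    }
}

# Placeholder path; replace with the dual-signed binary under test.
$result = Test-DualSignedBinary -Path 'C:\path\to\foo.exe'
$result | Format-List

# Fail the build unless both policies pass and both signatures are present.
if (-not ($result.AuthenticodeOk -and $result.KernelPolicyOk -and $result.HasSha1AndSha256)) {
    exit 1
}
```

The script relies on signtool's exit code rather than on the presence of a "Successfully verified" line, since the table output is easy to truncate or reformat between SDK versions, and it keeps the kernel-policy pass separate because, as the question's first verify call shows, running verify without /pa applies the driver verification policy and reports an untrusted root whenever the chain does not reach a root that policy accepts.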