I can't get signtool to find my certificate. The pfx file works for signing; I've checked that by specifying the pfx file directly together with the password. But due to other people having access to the code repository, I really don't want to store the certificate + password there.
That's why I've installed the pfx (from Symantec) on the build server (as local computer, not per user) in "trusted root certification authorities". This is because Jenkins is started with the local system account.
This is what I'm trying at the moment:
signtool sign /v /sm /s Root /n <thename> /t http://timestamp.digicert.com <thefile>
/sm /s Root - this should tell signtool to switch to the "local machine" store, right? And Root should specify "trusted root certification authorities"?
/n - here I'm using the "Issued to" value from the certificate, which is the company name.
I'm met by the following error:
"SignTool Error: No certificates were found that met all the given criteria."
I have plowed through so many links today, trying to find out what I'm doing wrong. I've checked with mmc with a snap-in for certificates on the local computer and the certificate is residing in "trusted root certification authorities".
The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path (Example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe).
To sign a document with a certificate-based signature, you must obtain a digital ID or create a self-signed digital ID in Acrobat or Adobe Reader. The digital ID contains a private key and a certificate with a public key and more. The private key is used to create the certificate-based signature.
To sign your add-in with your own certificate, you first need to purchase a digital signature from a digital certificate vendor. Once you obtain a certificate (cer) or Personal Information Exchange (pfx) file, you can sign your DLL(s) using signtool.
Try this command:
signtool sign /v /sm /s My /n <thename> /t http://timestamp.digicert.com <thefile>
You did well to use the /sm option, but when you added /s Root you said that signtool should look in the Computer store but in Root authorities. You could also skip the /s parameter because /s My is the default.
For more information see documentation of signtool.
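To see which local machine store actually holds the certificate before changing the signtool arguments, a read-only check like the following can be run on the build server under the same account as Jenkins. This is an added example, not part of the original question or answer; `$SubjectName` is a placeholder for the "Issued to" value, and the columns it reports are a suggested checklist rather than signtool's own selection logic.

```powershell
# Added example: diagnostic only, reads the certificate stores and changes nothing.
# $SubjectName is a placeholder for the value passed to signtool /n.
param(
    [string]$SubjectName = '<thename>'
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # OID of the Code Signing enhanced key usage

# signtool /sm /s My   reads Cert:\LocalMachine\My   (Personal)
# signtool /sm /s Root reads Cert:\LocalMachine\Root (Trusted Root Certification Authorities)
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'

# Escape wildcard characters so the name is matched as a plain substring.
$pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($SubjectName) + '*'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $pattern } |
        ForEach-Object {
            # An empty EKU list means the certificate carries no EKU restriction.
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            [pscustomobject]@{
                Store          = $store
                Subject        = $_.Subject
                Thumbprint     = $_.Thumbprint
                HasPrivateKey  = $_.HasPrivateKey
                CodeSigningEku = ($ekus.Count -eq 0) -or ($ekus -contains $codeSigningOid)
                Expired        = ($_.NotAfter -lt (Get-Date))
            }
        }
}

if (-not $found) {
    Write-Warning "No certificate with a subject matching '$SubjectName' in LocalMachine\My or LocalMachine\Root."
} else {
    $found | Format-Table -AutoSize

    # A signing certificate needs its private key and should sit in the Personal store.
    $usable = $found | Where-Object {
        $_.Store -like '*\My' -and $_.HasPrivateKey -and -not $_.Expired
    }
    if (-not $usable) {
        Write-Warning 'No unexpired match with a private key in LocalMachine\My, the store that /sm /s My searches.'
    }
}
```

If the only match is listed under `Cert:\LocalMachine\Root`, the command with `/s My` will still report that no certificate met the criteria until the pfx is also present in the Personal store of the local computer.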