Codesigning on Windows

I’m trying to do code signing using SignTool. There seem to be some permission issues connected to this. Does the user need some extra permissions to be able to use signtool? Any suggestions on how to solve this issue? It works using the certificate on two distinct computers, so my guess is that it is related to the current Travis Windows user configuration, or am I wrong?

Command run:
C:\Users\travis\.cache\electron-builder\winCodeSign\winCodeSign-2.4.0\windows-10\x64\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /f C:\Users\travis\AppData\Local\Temp\t-1GW6GP\0.p12 /d My App /du http://./ /p 64fe8a784f3a874213c3731744fb939fba7f8f784976f649f20298cb951e9834 (sha256 hash) /debug C:\Users\travis\build\xxx\my-app\dist\win-unpacked\My App.exe

I get the following error:

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: Store::ImportCertObject() failed." (-2146893808/0x80090010)

UPDATE:
I ran the same dist command using PowerShell and got a bit further.

SignTool Error: No certificates were found that met all the given criteria.
The following certificates were considered:
    Issued to: My company
    Issued by: COMODO RSA Code Signing CA
    Expires:   Sat Dec 05 23:59:59 2020
    SHA1 hash: <sha hash>
    Issued to: COMODO RSA Certification Authority
    Issued by: AddTrust External CA Root
    Expires:   Sat May 30 10:48:38 2020
    SHA1 hash: <sha hash>
    Issued to: COMODO RSA Code Signing CA
    Issued by: COMODO RSA Certification Authority
    Expires:   Mon May 08 23:59:59 2028
    SHA1 hash: <sha hash>
After EKU filter, 3 certs were left.
After expiry filter, 3 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

I’ve read somewhere that this issue can be caused by not running signtool.exe in elevated mode.

Is there a way to run commands in elevated mode at the moment?

Solved. First install windows-sdk-10.0:

choco install -y windows-sdk-10.0

Then add the certificate to the Cert:/LocalMachine/My store, and use the SubjectName to retrieve the certificate from the store.

$Password = ConvertTo-SecureString -String $Env:CERT_PASSWORD -AsPlainText -Force

Import-PfxCertificate -FilePath my-cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Password

Start-Process -PassThru -Wait "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" -ArgumentList "sign -v -debug -sm -s My -n `"SubjectName`" -d `"Desc`" my-binary.exe"

I used a PowerShell script for this. Make sure to run this to be able to run unsigned PowerShell scripts:

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
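
A pre-flight check for the store-based approach above, added here as an example and not part of the original posts: it applies the same EKU, expiry and private-key filters that the signtool debug log in the question reports, so the build shows which stage drops the certificate, then signs by thumbprint and verifies the result. `SubjectName`, `Desc` and `my-binary.exe` are the answer's placeholders; `/sha1` and `/fd SHA256` are signtool options not used in the answer.

```powershell
# Added example, not from the thread. 'SubjectName', 'Desc' and my-binary.exe
# are the placeholders used in the answer above.
$StorePath = 'Cert:\LocalMachine\My'
$Subject   = 'SubjectName'
$Target    = 'my-binary.exe'
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$Now = Get-Date

# Apply signtool's filters one at a time so the failing stage is visible.
$matched = @(Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -like "*$Subject*" })
$afterEku = @($matched |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningOid })
$afterExpiry = @($afterEku |
    Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
$usable = @($afterExpiry | Where-Object { $_.HasPrivateKey })

Write-Host "Subject match:      $($matched.Count)"
Write-Host "After EKU filter:   $($afterEku.Count)"
Write-Host "After expiry:       $($afterExpiry.Count)"
Write-Host "After private key:  $($usable.Count)"

if ($usable.Count -ne 1) {
    throw "Expected exactly one usable code-signing certificate in $StorePath, found $($usable.Count)."
}

# Pin the certificate by thumbprint so a second matching subject cannot be picked.
$thumb = $usable[0].Thumbprint
& $SignTool sign /v /debug /sm /s My /sha1 $thumb /fd SHA256 /d 'Desc' $Target
if ($LASTEXITCODE -ne 0) {
    throw "signtool exited with code $LASTEXITCODE"
}

# Confirm the signature is actually on the binary before the build moves on.
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
    throw "Signature check failed: $($sig.Status)"
}
```

A count of zero after the private-key stage reproduces the condition in the question's log: the certificate is present but its key is not accessible to the account running the build.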

Is adding the certificate to the store required? I tried just installing “windows-sdk-10.0” by itself, but get the same error.

Does anyone know how to add the certificate to the CurrentUser store? I’m able to manually codesign using the LocalMachine store, however 3rd party packaging apps seem to expect the certificate to be in the CurrentUser store.

Command run in CI:

Import-PfxCertificate -FilePath MyCert.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $Password

Output:

Import-PfxCertificate : Access denied. (Exception from HRESULT: 0x80090010)
At C:\Users\travis\build\saleae\monorepo\packages\electron\scripts\install_cert_windows.ps1:4 char:1
+ Import-PfxCertificate -FilePath MyCert.pfx -CertStoreLocation Cert:\ …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Import-PfxCertificate], COMException
    + FullyQualifiedErrorId : System.Runtime.InteropServices.COMException,Microsoft.CertificateServices.Commands.ImportPfxCertificate