Signtool verification issue

[Guest]

[smallest]

I got the certificate today, and exported it from Internet Explorer into a .PFX file, password-protected. No problems.

I downloaded the latest Micrsoft Dev SDK for Vista (to get the latest version of Signtool.exe). I signed a test file with the following command:

D:\Progs>signtool.exe sign /f our.pfx /p [my cert password] /t http://timestamp.comodoca.com/authenticode testfile.dll

That gives the following output:

--
Done Adding Additional Store
Successfully signed and timestamped: testfile.dll
--

So, that looks fine. Then, to verify, I run:

D:\Progs>signtool.exe verify /a /v testfile.dll

that gives the following output:

--
Verifying: testfile.dll
Unable to verify this file using a catalog.
SHA1 hash of file: EDC32B6C13164A164CC161DC56CCC746F33546A0
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signing Certificate Chain:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: 7/9/2019 1:40:36 PM
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

Issued to: Smaller Animals Software, Inc
Issued by: UTN-USERFirst-Object
Expires: 2/16/2009 6:59:59 PM
SHA1 hash: 5E1293B0F89DBB781173DEEDDD323F87E14377ED

The signature is timestamped: 2/17/2008 3:59:04 PM
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: 7/9/2019 1:40:36 PM
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

Issued to: Comodo Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: 5/16/2010 6:59:59 PM
SHA1 hash: 95B2B8E34EB2CB768144ED07433EF0A3AFCAEEC0

SignTool Error: File not valid: testfile.dll

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
--

I've run the root update and installed the Comodo Code Signing CA.

Any ideas what's going on ?

[Anthony Nel]

Hi,

This is a known error and is due to the fact that this command line tool supplied by Microsoft does not use a comprehensive CA certificate list for verification. You will find that the signed file that you have will function correctly and be trusted.

[Darin]

I am having a similar verification issue with signtool.  Do you have any further information about this limitation in signtool?  How about a KB article reference?

Thank you.

[LucasBarlow]

I noticed if I use the /pa or the /kp paramaters it will verify correctly.
Is there someone that can explain this or let me know which, if either, of these options is the "correct" way to do it?
Thanks.

[vijayvbaskar]

Hi I am also getting the same problem.

Hi smallest,  did ur problem get solved.

If solved, Please tell how u solved it.

[MgKg]

heyyy bros ...    i have a code signing pfx file but i don't knw how to use and how to sign my exe file.
plz share me your knowledge. thz alottttttttttttt
i already installed Microsoft SDK. plz .. help me 

[tauzinger]

Here is what I used, your mileage may vary:
signtool sign /f mycertificate.pfx /p mypassword /t http://timestamp.verisign.com/scripts/timestamp.dll /d mycompany myactivexcontrol.cab

[anon2012]

I downloaded the latest Micrsoft Dev SDK for Vista (to get the latest version of Signtool.exe). [...]
to verify, I run:

D:\Progs>signtool.exe verify /a /v testfile.dll

that gives the following output:

[...]
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

The verification with signtool.exe should succeed with the option /pa (instead of /a) because Comodo's certificate cannot be used to sign Kernel mode drivers.

[Tags:]