Signtool verification issue

I got the certificate today, and exported it from Internet Explorer into a .PFX file, password-protected. No problems.

I downloaded the latest Microsoft Dev SDK for Vista (to get the latest version of Signtool.exe). I signed a test file with the following command:

D:\Progs>signtool.exe sign /f our.pfx /p [my cert password] /t [timestamp server URL] testfile.dll

That gives the following output:

Done Adding Additional Store
Successfully signed and timestamped: testfile.dll

So, that looks fine. Then, to verify, I run:

D:\Progs>signtool.exe verify /a /v testfile.dll

that gives the following output:

Verifying: testfile.dll
Unable to verify this file using a catalog.
SHA1 hash of file: EDC32B6C13164A164CC161DC56CCC746F33546A0
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Signing Certificate Chain:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: 7/9/2019 1:40:36 PM
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

Issued to: Smaller Animals Software, Inc
Issued by: UTN-USERFirst-Object
Expires: 2/16/2009 6:59:59 PM
SHA1 hash: 5E1293B0F89DBB781173DEEDDD323F87E14377ED

The signature is timestamped: 2/17/2008 3:59:04 PM
Timestamp Verified by:
Issued to: UTN-USERFirst-Object
Issued by: UTN-USERFirst-Object
Expires: 7/9/2019 1:40:36 PM
SHA1 hash: E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46

Issued to: Comodo Time Stamping Signer
Issued by: UTN-USERFirst-Object
Expires: 5/16/2010 6:59:59 PM
SHA1 hash: 95B2B8E34EB2CB768144ED07433EF0A3AFCAEEC0

SignTool Error: File not valid: testfile.dll

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

I’ve run the root update and installed the Comodo Code Signing CA.

Any ideas what’s going on?

Hi,

This is a known error and is due to the fact that this command line tool supplied by Microsoft does not use a comprehensive CA certificate list for verification. You will find that the signed file that you have will function correctly and be trusted.

I am having a similar verification issue with signtool. Do you have any further information about this limitation in signtool? How about a KB article reference?

Thank you.

I noticed if I use the /pa or the /kp parameters it will verify correctly.
Is there someone that can explain this or let me know which, if either, of these options is the “correct” way to do it?
Thanks.

Hi I am also getting the same problem.

Hi smallest, did your problem get solved?

If solved, please tell how you solved it.

heyyy bros … :smiley: i have a code signing pfx file but i don’t know how to use it and how to sign my exe file.
please share your knowledge. thanks a lot
i already installed Microsoft SDK. please … help me :smiley: :smiley: :smiley: :smiley:

Here is what I used, your mileage may vary:
signtool sign /f mycertificate.pfx /p mypassword /t http://timestamp.verisign.com/scripts/timestamp.dll /d mycompany myactivexcontrol.cab

The verification with signtool.exe should succeed with the option /pa (instead of /a) because Comodo’s certificate cannot be used to sign Kernel mode drivers.
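The following PowerShell script is an added example, not code posted in this thread or supplied by Comodo/Sectigo or Microsoft. It walks through the procedure the thread discusses end to end: sign a file with a PFX, timestamp it, then verify it under the Default Authenticode policy (/pa) and, for comparison, under the Windows Driver Verification policy (/kp), which is what signtool verify applies when neither switch is given and which a standard code-signing certificate is not expected to satisfy. The file path, PFX path and timestamp URL are placeholders, and it assumes a current Windows SDK whose signtool supports /fd and /tr (RFC 3161 timestamping); with an older SDK, substitute the /t form used earlier in the thread.

```powershell
# Added example (not from the thread). Assumes signtool.exe from a current
# Windows SDK is on PATH. All paths and the timestamp URL are placeholders.
param(
    [string]$File      = 'C:\build\testfile.dll',            # assumed path
    [string]$PfxPath   = 'C:\certs\our.pfx',                 # assumed path
    [string]$Timestamp = 'http://timestamp.example/rfc3161'  # placeholder URL
)

# Prompt for the PFX password instead of embedding it in the script or
# leaving it in shell history as the /p argument does on the command line.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. Sign with a SHA-256 file digest and an RFC 3161 timestamp (/tr /td).
#    The timestamp is what keeps the signature valid after the certificate expires.
& signtool.exe sign /f $PfxPath /p $plain /fd SHA256 /tr $Timestamp /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify under the Default Authenticode policy. This is the policy that
#    Windows applies to user-mode binaries, and the one that should succeed.
& signtool.exe verify /pa /v $File
$authenticodeOk = ($LASTEXITCODE -eq 0)

# 3. Verify under the Windows Driver Verification policy. signtool uses this
#    policy when /pa is omitted, so this reproduces the thread's failure for a
#    certificate that is not trusted for kernel-mode code.
& signtool.exe verify /kp /v $File
$kernelModeOk = ($LASTEXITCODE -eq 0)

# 4. Cross-check with PowerShell's own Authenticode verifier, which also
#    reports the signer and the timestamping certificate.
$sig = Get-AuthenticodeSignature -FilePath $File

[pscustomobject]@{
    File                = $File
    AuthenticodePolicy  = $authenticodeOk          # expected: True
    KernelModePolicy    = $kernelModeOk            # expected: False for a code-signing cert
    PowerShellStatus    = $sig.Status              # expected: Valid
    Signer              = $sig.SignerCertificate.Subject
    TimeStamper         = $sig.TimeStamperCertificate.Subject
}
```

The point of running both verify commands side by side is diagnostic: a file that passes /pa but fails /kp is correctly signed for user-mode use, and the /kp failure (or the failure with /a alone) reflects the policy being applied, not a broken signature or an untrusted chain. If /pa also fails, the problem is in the chain itself, and the intermediate and root certificates listed in the /v output are the ones to check in the local certificate stores.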