3
votes

I'm writing a custom CNG provider (Key Storage Provider) to allow signing using our private HSM API in Signtool.exe. I implemented the APIs in my CNG provider and successfully installed it on my Windows 10 system.

Command:

signtool.exe sign /v /debug /f cert.cer /csp "Sample Key Storage Provider" /k "keyid" /t http://timestamp.digicert.com /fd sha256 helloworld.exe

Signtool.exe succeeds with return code 0 but ends up adding no signatures to the file.

Verify Output:

signtool.exe verify /v /pa helloworld.exe

Verifying: helloworld.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 3338A11DDAB9CBB7B39E65C30F235C2DF8EDE17BB5BE759A3213D25EC286F390

Signing Certificate Chain:
    Issued to: Sample Certificate Authority
    Issued by: Sample Certificate Authority
    Expires:   Fri Feb 07 21:37:36 2070
    SHA1 hash: 2B5B37DADFCBD018BDB2789176A69708FFCA25E0

        Issued to: Sample test certificate
        Issued by: Sample Certificate Authority
        Expires:   Thu May 28 13:40:10 2020
        SHA1 hash: A679DF5E89B9C23E57E89AEB434CA98230F52DC3

The signature is timestamped: Sun Mar 29 16:44:01 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 05:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: TIMESTAMP-SHA256-2019-10-15
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Wed Oct 16 17:00:00 2030
            SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5

SignTool Error: No signature found.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

However, when I look at the Digital Signatures tab in the file properties, it does show an entry. When I select the entry it says "no signature was present in the subject".

What am i missing here?

1
Did you ever figure this out? I'm having the same issue. – Bill Tudor
@BillTudor Yes. The root cause was that I was not writing the signature as part of pbSignature (see docs.microsoft.com/en-us/windows/win32/api/ncrypt/…). Instead, I was providing a new memory address for the signature. Signtool could have complained that I was returning a new address instead of writing the signature, but it did not. – GAR
Thanks for taking the time to reply. My cert provider needed to issue another cert to resolve the issue. – Bill Tudor
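The root cause GAR describes in the comment above, in runnable form. This is an added example, not the asker's provider and not Microsoft's code: a portable model of the NCryptSignHash output-buffer contract that a KSP's sign-hash entry point must honour (a NULL pbSignature is a size query answered through pcbResult; a buffer smaller than the signature gets NTE_BUFFER_TOO_SMALL; otherwise the signature is written into the caller's buffer). The SECURITY_STATUS typedef and NTE_* constants are local stand-ins so the block builds without ncrypt.h (the numeric values are the SDK's). SIG_LEN, hsm_sign_placeholder and SignWithProvider are assumptions for illustration, and the hash bytes are constructed.

```c
/* Added example: portable model of the NCryptSignHash buffer contract.
 * Not the asker's provider code. Types and NTE_* values are local stand-ins
 * (numerically the Windows SDK values) so this builds without ncrypt.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef long SECURITY_STATUS;
#define ERROR_SUCCESS         0L
#define NTE_INVALID_PARAMETER ((SECURITY_STATUS)0x80090027L)
#define NTE_BUFFER_TOO_SMALL  ((SECURITY_STATUS)0x80090028L)

#define SIG_LEN 256u   /* assumed: RSA-2048 PKCS#1 v1.5 signature length */

/* Placeholder for the HSM call (assumption): a real provider hands the hash
 * to the HSM. Here the bytes are only derived from the hash so the output
 * is deterministic and visibly non-zero. */
static void hsm_sign_placeholder(const uint8_t *hash, uint32_t cbHash, uint8_t *out)
{
    for (uint32_t i = 0; i < SIG_LEN; i++)
        out[i] = hash[i % cbHash] ^ (uint8_t)(0xA5 + i);
}

/* Correct: two-phase contract, signature written INTO the caller's buffer. */
SECURITY_STATUS KspSignHashCorrect(const uint8_t *pbHash, uint32_t cbHash,
                                   uint8_t *pbSignature, uint32_t cbSignature,
                                   uint32_t *pcbResult)
{
    if (pbHash == NULL || cbHash == 0 || pcbResult == NULL)
        return NTE_INVALID_PARAMETER;
    *pcbResult = SIG_LEN;
    if (pbSignature == NULL)             /* phase 1: caller asks for the size */
        return ERROR_SUCCESS;
    if (cbSignature < SIG_LEN)           /* caller's buffer cannot hold it */
        return NTE_BUFFER_TOO_SMALL;
    hsm_sign_placeholder(pbHash, cbHash, pbSignature);   /* phase 2: fill it */
    return ERROR_SUCCESS;
}

/* Buggy: the mistake from the thread. Re-pointing the *parameter* at another
 * address changes nothing for the caller; its buffer stays as it was
 * (zero-filled) while the function still reports success. */
SECURITY_STATUS KspSignHashBuggy(const uint8_t *pbHash, uint32_t cbHash,
                                 uint8_t *pbSignature, uint32_t cbSignature,
                                 uint32_t *pcbResult)
{
    static uint8_t detached[SIG_LEN];
    (void)cbSignature;
    if (pbHash == NULL || cbHash == 0 || pcbResult == NULL)
        return NTE_INVALID_PARAMETER;
    *pcbResult = SIG_LEN;
    if (pbSignature == NULL)
        return ERROR_SUCCESS;
    pbSignature = detached;              /* BUG: the caller never sees this */
    hsm_sign_placeholder(pbHash, cbHash, pbSignature);
    return ERROR_SUCCESS;
}

typedef SECURITY_STATUS (*sign_fn)(const uint8_t *, uint32_t, uint8_t *,
                                   uint32_t, uint32_t *);

/* Caller side, driven the way NCryptSignHash normally is: size query,
 * allocate, sign. Returns 1 if a non-zero signature landed in the buffer,
 * 0 if the provider said success but left the buffer empty, -1 on error. */
int SignWithProvider(sign_fn sign, const uint8_t *hash, uint32_t cbHash)
{
    uint32_t need = 0;
    if (sign(hash, cbHash, NULL, 0, &need) != ERROR_SUCCESS || need == 0)
        return -1;
    uint8_t *sig = calloc(need, 1);
    if (sig == NULL)
        return -1;
    uint32_t got = 0;
    SECURITY_STATUS st = sign(hash, cbHash, sig, need, &got);
    int rc = -1;
    if (st == ERROR_SUCCESS && got == need) {
        /* The check a test harness should make: did the provider write? */
        rc = 0;
        for (uint32_t i = 0; i < got; i++)
            if (sig[i] != 0) { rc = 1; break; }
    }
    free(sig);
    return rc;
}

int main(void)
{
    uint8_t hash[32];                    /* constructed stand-in for a SHA-256 */
    for (int i = 0; i < 32; i++)
        hash[i] = (uint8_t)(0x33 + 7 * i);
    printf("correct provider: %d\n", SignWithProvider(KspSignHashCorrect, hash, 32));
    printf("buggy provider:   %d\n", SignWithProvider(KspSignHashBuggy, hash, 32));
    return 0;
}
```

The all-zero check in SignWithProvider is worth keeping in a provider's own test harness before pointing signtool at it: a provider that returns ERROR_SUCCESS without touching the buffer is taken at its word by the caller, which is exactly the silent failure the question describes.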

1 Answer

0
votes
signtool.exe sign 
   /v 
   /debug 
   /f cert.cer 
   /csp "Sample Key Storage Provider" 
   /k "keyid" 
   /t http://timestamp.digicert.com 
   /fd sha256 
   helloworld.exe

The documentation says when using /f SignCertFile:

  • if the file is a .pfx, you must use /p to specify the password
  • if the file does not contain private keys, you must specify
    • /csp CSPName
    • /kc PrivKeyContainerName

I see you do specify /csp:

/csp "Sample Key Storage Provider"

But you don't specify /kc.

I do see you specify /k, which is nothing.