The documentation for Authenticode signing, Windows Authenticode Portable Executable Signature Format (a .docx download), says that the PKCS #7 SignedData structure...
...contains the signer certificate and any intermediate certificates, but typically does not contain the root certificate.
However, as I discovered in a bit of a 'DOH!' moment, signtool.exe must be able to find the certificates to include them.
The leaf certificate is provided on the command line, but nothing in it tells signtool where to find the remaining certificates up the chain: the leaf only names its issuer. signtool does check the system certificate store, so if the intermediates are found there they are added to the binary. If they are not found, signtool puts only the leaf certificate into the signed binary.
Note that if the intermediate certificates are not in the signed binary, but are in the system certificate store of the system checking the signature, the binary will still pass verification, because the chain can be resolved.
Also note that the exclusion of the root from the signed binary makes sense, given that the root must independently be on the system checking the signature for it to be trusted, so it would be ignored anyway. (The only real benefit to including the root in the binary would be if someone wanted to import the root cert manually, which is almost always a very bad idea.)
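The two behaviours above (signtool embeds only what it can find in the store, and a verifier completes the chain from its own store) are easiest to confirm by looking at what actually ended up in the binary. The following PowerShell function is an added example, not code from the original post or from signtool: it reads the PE's security directory, decodes the first WIN_CERTIFICATE entry as PKCS #7 SignedData, lists the embedded certificates, and then builds the chain the way a verifier would, reporting for each element whether it came from the signed binary or had to be pulled from the local certificate store. It assumes Windows with .NET available, a hypothetical input path, and only inspects the first signature on a dual-signed file; revocation checking is disabled so it runs offline.

```powershell
function Get-AuthenticodeChainSource {
    param([Parameter(Mandatory)][string]$Path)

    # SignedCms lives in System.Security.dll on Windows PowerShell 5.1; a no-op elsewhere
    try { Add-Type -AssemblyName System.Security -ErrorAction Stop } catch { }

    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3C)           # e_lfanew -> "PE\0\0"
    $optOff  = $peOff + 24                                     # 4-byte signature + 20-byte COFF header
    $magic   = [BitConverter]::ToUInt16($bytes, $optOff)
    $dirBase = if ($magic -eq 0x20B) { 0x70 } else { 0x60 }    # data-directory table: PE32+ vs PE32
    # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; unusually, its first field is a file offset, not an RVA
    $secOff  = [BitConverter]::ToInt32($bytes, $optOff + $dirBase + 4 * 8)
    $secSize = [BitConverter]::ToInt32($bytes, $optOff + $dirBase + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secSize -eq 0) { throw "$Path carries no Authenticode signature" }

    # First WIN_CERTIFICATE entry: dwLength(4) wRevision(2) wCertificateType(2) bCertificate (PKCS#7 DER)
    $certLen = [BitConverter]::ToInt32($bytes, $secOff) - 8
    $pkcs7   = [byte[]]::new($certLen)
    [Array]::Copy($bytes, $secOff + 8, $pkcs7, 0, $certLen)

    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($pkcs7)

    # Thumbprints of every certificate signtool actually embedded (leaf plus whatever it found)
    $embedded = @{}
    foreach ($c in $cms.Certificates) { $embedded[$c.Thumbprint] = $true }

    # Build the chain as a verifier would: embedded certs are offered via ExtraStore,
    # anything else must be resolved from this machine's own certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cms.SignerInfos[0].Certificate)

    [PSCustomObject]@{
        Path       = $Path
        ChainValid = $built
        Elements   = @($chain.ChainElements | ForEach-Object {
            $cert = $_.Certificate
            [PSCustomObject]@{
                Subject = $cert.Subject
                Source  = if ($embedded.ContainsKey($cert.Thumbprint)) { 'signed binary' } else { 'local cert store' }
                IsRoot  = ($cert.Subject -eq $cert.Issuer)
            }
        })
    }
}

# Usage (hypothetical path):
# Get-AuthenticodeChainSource -Path .\signed.exe | Select-Object -ExpandProperty Elements | Format-Table
```

A binary signed on a machine that lacked the intermediates will show the leaf as 'signed binary' and everything above it as 'local cert store'; the root should always come from the local store, which is exactly the behaviour the text describes. If ChainValid is false and an intermediate shows neither source, that binary will fail verification on any machine that does not already hold that intermediate.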