4
votes

We got our new certificate (*.cer) file from Thawte, and I went through our standard procedures to allow it for use with code signing.

If I use our old (working) certificate:

  1. Convert certificate (.cer) into Software Publishing Certificate (.spc)

    >Cert2Spc.exe Avatar.cer Avatar.spc
    Succeeded
    
  2. Combine our private key file (*.pvk) with the SPC into a PFX:

    >pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx -f
    

    prompts for private key file password, enter it, click OK


And we're good to go; ready to use signtool.


We now have our new certificate, and I follow the same procedure:

  1. Convert certificate (.cer) into Software Publishing Certificate (.spc)

    >Cert2Spc.exe Avatar.cer Avatar.spc
    Succeeded
    
  2. Combine our private key file (*.pvk) with the SPC into a PFX:

    >pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx -f
    

    prompts for private key file password, enter it, click OK


    ERROR: Cannot find certificates that match the key.
    (Error Code = 0x80070490).
    

What's going wrong?


Notes:

  • we've used the same private key file (*.pvk) for a decade
  • this year Thawte gave us a 2-year certificate; rather than the usual 1-year
  • this year Thawte changed their signing certificate from Thawte Code Signing CA to Thawte Code Signing CA - G2
  • Google says that nobody has ever gotten the error Cannot find certificates to match the key.
  • The Windows SDK only contains two references to the error code 0x80070490:

    • Visual Foxpro for Windows header file (vfwmsgs.h):

      //
      // MessageId: E_PROP_ID_UNSUPPORTED
      //
      // MessageText:
      //
      // The specified property ID is not supported for the specified property set.%0
      //
      #define E_PROP_ID_UNSUPPORTED            ((HRESULT)0x80070490L)
      

      Which is almost certainly a red herring; Foxpro?

    • commented out code in the RSS screensaver sample (RssItem.cs)

      // "Element not found. (Exception from HRESULT: 0x80070490)"
      

      Also almost certainly a red herring; XML?

  • decimal version of 0x80070490 is -2147023728

1 Answer

4
votes

Turns out that this year we were given a new private key.

Well, you're not given a private key; the certificate+key is fetched through the browser and stored in a certificate store. From there we can export a .PFX (a PFX contains a certificate and a private key).

With this PFX exported from the browser's certificate store, we can use it directly to sign code with signtool.

Note: We were actually gluttons for punishment, and went through steps:

+--[.pfx]---+     +--[.cer]---+     +--[.spc]---+           +--[.pfx]---+
|Certificate|====>|Certificate|====>|Software   |=========> |Certificate|
|    +      |     +-----------+     |Publishing |           |     +     |
|Private Key|==+       +            |Certificate|   +=====> |Private Key|
+-----------+  |                    +-----------+   |       +-----------+
               |                                    | 
               |                                    |
               |  +--[.pem]---+     +--[.pvk]---+   |
               +=>|Private Key| ==> |Private Key|===+
                  +-----------+     +-----------+

But all that route gave us was a private key file (*.pvk) that wasn't protected with a password; so signtool could run without user interaction.

But the answer to this question was: The private key doesn't match the certificate.
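A way to confirm that mismatch yourself before running pvk2pfx, as an added example that is not code from the question or the answer: compare the public key embedded in the certificate with the public key derived from the private key. It assumes the openssl command line tool is available; the file names and the self-signed test certificate are constructed for the demonstration.

```shell
# Added example, not code from the question or answer: check that a private
# key really belongs to a certificate, the condition pvk2pfx enforces when it
# reports "Cannot find certificates that match the key". Requires openssl.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo inside a certificate.
# $1 = certificate file, $2 = its encoding (PEM or DER; a .cer is usually DER).
cert_pubkey_fpr() {
    openssl x509 -in "$1" -inform "$2" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a PEM private key.
# (For a Microsoft .pvk file, convert it first with: openssl rsa -inform PVK.)
key_pubkey_fpr() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEY CERT ENCODING: exit 0 when the pair belongs together.
key_matches_cert() {
    [ "$(key_pubkey_fpr "$1")" = "$(cert_pubkey_fpr "$2" "$3")" ]
}

# Constructed fixtures in a temp dir: an "old" key plus a self-signed DER
# certificate made from it, and a fresh "new" key unrelated to that cert.
make_fixtures() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/old.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/old.pem" -subj "/CN=Example Signer" \
        -days 1 -outform DER -out "$dir/signer.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/new.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone demonstration of both outcomes.
fx=$(make_fixtures)
if key_matches_cert "$fx/old.pem" "$fx/signer.cer" DER; then
    echo "old.pem matches signer.cer"
fi
if ! key_matches_cert "$fx/new.pem" "$fx/signer.cer" DER; then
    echo "new.pem does NOT match signer.cer (pvk2pfx would refuse this pair)"
fi
rm -rf "$fx"
```

Run it against the real files by calling key_matches_cert with the PEM private key and the .cer (DER) from Thawte; a non-zero exit is the same mismatch pvk2pfx is reporting.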