Why does signtool.exe only find certificate when run as admin?
I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.
- Run 'mmc' and add the 'Certificates' snap-in
- Select the correct key store location
- (mine is in Local Computer so I select 'Computer account' here)
- Find and select the certificate
- Right click on the certificate, select All Tasks > Manage Private Keys...
- In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.
- Note: If you use a build machine, do the above steps for the account that performs the builds.
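The dialog steps above have a scriptable equivalent. The following PowerShell, added here as an example and not part of the answer, locates the on-disk key container behind a certificate in LocalMachine\My, shows who currently has access to it, and grants one account Read access (Read is the least privilege a signing operation needs on the key file). The thumbprint and account are placeholders; the script itself has to be run once from an elevated prompt, after which the named account can sign from a normal prompt.

```powershell
# Added example (not from the answer above). Assumes a code-signing certificate in
# LocalMachine\My identified by $Thumbprint (placeholder) and a target account $Account.
param(
    [string]$Thumbprint = "PLACEHOLDER_THUMBPRINT",
    [string]$Account    = "$env:USERDOMAIN\$env:USERNAME",
    [switch]$Grant       # without -Grant the script only reports the current ACL
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "No private key is reachable for $Thumbprint in this context" }

# Resolve the key container name. CNG keys (RSACng) expose it via .Key.UniqueName,
# legacy CAPI keys (RSACryptoServiceProvider) via CspKeyContainerInfo.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Only RSA keys are handled by this example" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} else {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live under %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for CAPI, Keys for CNG)
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $uniqueName `
           -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $keyFile) { throw "Key container $uniqueName not found on disk" }

Write-Host "Key file: $($keyFile.FullName)"
$acl = Get-Acl -Path $keyFile.FullName
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($Grant) {
    # Read is sufficient to use the key for signing; avoid handing out Full Control.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    Write-Host "Granted Read on the key file to $Account"
}
```

Run it once without -Grant to see which identities already have access to the key; a build-service account that is missing from that list is exactly the case the note above describes.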
Similar to what @Baget said, I'd compare the certificates on your machine to that of your colleague who can successfully run the SignTool.exe command without the elevation token. Here's a chunk of PowerShell to assist you:
get-childitem -Path Cert:\ | foreach-object ({
    # Each item at the root of Cert:\ is a store location (CurrentUser, LocalMachine)
    $location = $_.Location
    foreach ($store in $_.StoreNames.Keys) {
        # Walk every store under that location and print the ones issued by the CA of interest
        get-childitem -Path "Cert:\$location\$store" | foreach-object ({
            $thumb  = $($_.ThumbPrint)
            $issuer = $($_.Issuer)
            if ($issuer -eq "CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE") {
                write-host "$location $store $issuer"
            }
        })
    }
})
Bear in mind that the output of the above may differ slightly if you run as a normal user and 'run as admin'.
Finally, do you and your colleague have the same UAC settings?
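To make the comparison suggested in this answer repeatable, the following PowerShell (an added example, not the answer's own code) dumps every certificate visible through the Cert: drive to a CSV and diffs two such dumps. The file paths are placeholders. The HasPrivateKey column is the one to watch, because it reflects whether the current security context can reach the private key, which is what differs between a normal prompt and an elevated one.

```powershell
# Added example (not from the answer above). Dump the Cert: drive to a CSV so two
# inventories can be compared: yours vs. a colleague's, or normal vs. elevated prompt.
function Export-CertInventory {
    param([Parameter(Mandatory)][string]$OutFile)   # placeholder path supplied by the caller
    Get-ChildItem -Path Cert:\ | ForEach-Object {
        $location = $_.Location
        foreach ($store in $_.StoreNames.Keys) {
            # Some stores are unreadable without elevation; skip those instead of failing
            Get-ChildItem -Path "Cert:\$location\$store" -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Select-Object @{n='Location'; e={$location}},
                              @{n='Store';    e={$store}},
                              Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey
        }
    } | Sort-Object Location, Store, Thumbprint |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-CertInventory {
    param([Parameter(Mandatory)][string]$Reference,
          [Parameter(Mandatory)][string]$Difference)
    $ref = Import-Csv -Path $Reference
    $dif = Import-Csv -Path $Difference
    # "<=" rows exist only in the reference dump, "=>" only in the difference dump
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif `
                   -Property Location, Store, Thumbprint, HasPrivateKey -PassThru |
        Select-Object SideIndicator, Location, Store, Thumbprint, Subject, HasPrivateKey
}

# Usage: run the export once from a normal prompt and once from an elevated one, then diff.
# Export-CertInventory -OutFile C:\temp\certs-user.csv
# Export-CertInventory -OutFile C:\temp\certs-admin.csv
# Compare-CertInventory -Reference C:\temp\certs-user.csv -Difference C:\temp\certs-admin.csv
```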
I found myself in a similar situation with signtool, it refused to work with an admin user but does work as actual Administrator.
In my case, I am not actually importing the certificate into the certificate store, but using a .pkcs12 file exported from a comodo certificate in firefox, so this makes things even stranger, as no permissions on any keys in the store are involved.
I tried granting myself permissions on some server key, but that did nothing.
I hope someone finds a solution to this problem.
In the meantime, I am signing my exe with osslsigncode instead, which works perfectly.
I extracted the exe and dependent dlls from the msys2 mingw64 build; here is a zip of everything in case it is of use to anyone. Just extract it to a directory and put it in your PATH.
http://cachemiss.com/files/osslsigncode.zip
To extract this program yourself from an msys2 installation, you can use this command:
pacman --noconfirm -S mingw-w64-x86_64-osslsigncode
cd /mingw64/bin
mkdir ~/osslsigncode
# copy the exe plus every /mingw64 DLL that ldd reports it depends on
cp osslsigncode.exe $(ldd osslsigncode.exe | sed -n 's,^.*\(/mingw64/[^ ]*\).*,\1,p' | sort -u) ~/osslsigncode/
cd
zip -9r osslsigncode.zip osslsigncode
I am using this in Visual Studio cmake builds with no issue.
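For anyone following this route, the following PowerShell wrapper (an added example, not code from the answer or from the osslsigncode project) signs a binary with a PKCS#12 file via osslsigncode and then verifies the result, so a build only proceeds when the signature checks out. It assumes osslsigncode.exe is on the PATH and that the file paths, description, URL and timestamp server are placeholders you replace; the password is taken from an environment variable rather than being written into the script.

```powershell
# Added example (not from the answer above). Sign with osslsigncode and fail the
# build if verification does not succeed. All paths and URLs are placeholders.
function Invoke-OsslSign {
    param(
        [Parameter(Mandatory)][string]$InFile,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$Pkcs12,          # e.g. C:\keys\codesign.p12 (placeholder)
        [string]$Description = "PLACEHOLDER_PRODUCT",
        [string]$Url         = "https://example.invalid",
        [string]$Timestamp   = "https://timestamp.example.invalid"   # RFC 3161 server placeholder
    )
    # Keep the PKCS#12 password out of the command history and the script itself
    $password = $env:OSSL_P12_PASS
    if (-not $password) { throw "Set OSSL_P12_PASS before signing" }

    & osslsigncode sign -pkcs12 $Pkcs12 -pass $password -h sha256 `
        -n $Description -i $Url -ts $Timestamp -in $InFile -out $OutFile
    if ($LASTEXITCODE -ne 0) { throw "osslsigncode sign failed with exit code $LASTEXITCODE" }

    # Verify what was just written; a signing step that is not verified is easy to get wrong silently
    & osslsigncode verify -in $OutFile
    if ($LASTEXITCODE -ne 0) { throw "osslsigncode verify failed for $OutFile" }

    Write-Host "Signed and verified: $OutFile"
}

# Usage (placeholders):
# $env:OSSL_P12_PASS = Read-Host -AsSecureString | ... (or inject it from your CI secret store)
# Invoke-OsslSign -InFile .\build\app.exe -OutFile .\build\app-signed.exe -Pkcs12 C:\keys\codesign.p12
```

Writing to a separate output file and only replacing the original after the verify step succeeds keeps an unsigned or half-written binary from being shipped by accident.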