Wednesday, 27 July 2016

Use signtool to sign from specific certificate from token

Hi viewer, i was trying to sign a cab file using sign tool and that is why i used following command

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>signtool sign /tr /td SHA256 "c:\mykey\"

Let me tell you complete scenario while i had single certificate in token it was working properly. And i was receiving messages like this
one Adding Additional Store
successfully signed: c:\mykey\

But once i had multiple code signing certificate and i was getting error like this.

SignTool Error: Multiple certificates were found that meet all the given
        criteria. Use the /a option to allow SignTool to choose the best
        certificate automatically or use the /sha1 option with the hash of the
        desired certificate.
The following certificates meet all given criteria:
    Issued to: Laxman Kumar
    Issued by: E-MUDRA
    Expires:   Sat Jul 07 17:05:47 2018
    SHA1 hash: EB0A6E5DF7BD2BA683CE1E6B8C718F8D53978DDC

    Issued by: COMODO RSA Code Signing CA
    Expires:   Sun Feb 05 05:29:59 2017

I spent few time to explore how to choose particular certificate to sign and i got solution.
I used following command and that worked for me perfectly.

C:\Program Files (x86)\Windows Kits\8.1\bin\x64>signtool sign /sha1 "63GHGHGHGHJHGJHGJGGHHGHG20EA0071353ED3A9" /tr /td SHA256 "c:\mykey\"
Done Adding Additional Store
Successfully signed: c:\mykey\

Thanks Microsoft having page like this.
/sha1  Hash:  Specifies the SHA1 hash of the signing certificate. The SHA1 hash is commonly specified when multiple certificates satisfy the criteria specified by the remaining switches.