Using a pfx file to sign and verify using signtool.exe

Question

I am trying to sign one of my WIX EXEs using sign tool. When I create a certificate and install it to windows certificate store, I can easily verify the EXE using sign tool. But when I try to create a PFX file and sign it, it gets signed successfully. But when I try to verify it, it throws the below error.

SignTool Error: WinVerifyTrust returned error: 0x800B010A
    A certificate chain could not be built to a trusted root authority.

Number of errors: 1

I tried using a certificate chain and signing using the commands mentioned in the answer of https://social.msdn.microsoft.com/Forums/sqlserver/en-US/da5d1aef-5dbc-4400-8972-fef4d7139d99/where-windows-sdk-tools-like-cert2spcexe-and-pvk2pfxexe-go?forum=windowssdk. But that results in the same error as well. My requirement is to sign and verify using a PFX file using signtool. I cannot use Windows Store. Any help would be much appreciated.

Answer 1

The method described in http://msdn.microsoft.com/en-us/library/ff699202.aspx creates a self signed test certificate. A self signed test certificate is not signed by a trusted 3rd party, so you get the error "A certificate chain could not be built to a trusted root authority." when trying to verify the file signed by the certificate.

If you want to fix the error you will need to obtain a code signing certificate from a certificate authority. Usually for a fee.

When you purchase a code signing certificate, the certifying authority takes certain steps to verify your identity. If those steps are passed, the certifying authority issues you a certificate signed by their private key. Their private key is kept secret. When you verify the signed file, the verification process extracts the code signature from the signed file and validates it against one of the known public keys provided by all of the certifying authorities.