1

I'm new to code signing and I'm trying to create as secure a process for signing our code as possible. I created a .pfx file by exporting my certificate from IE and created a password for it. I'm able to sign code using the pfx file with the following command:

signtool.exe sign /f mypfx.pfx /p mypass myexetosign.exe

This works fine, so I copied signtool.exe, the pfx file, and a different executable to sign to a USB flash drive. I took the USB flash drive to a second computer and tried the same command again, but this time I get SignTool Error: The specified PFX password is not correct. I'm certain the password is correct. Is there an extra step I'm missing to move this to another machine? My ultimate goal is to do the code signing in an offline static environment.

Lonnie Odell
  • 11
  • 4

1 Answers1

0

What I've encountered is that during the export, the encryption of the pfx is SHA256 or 3DES-SHA1.

If importing on a different machine, make sure the same SDK is used, so the same encryption can be used to decrypt.

The error explains this, if you try to decrypt with the wrong encryption, garbage comes out, which could be the result of a wrong password as well

Related stackoverflow question: Why I get "The specified PFX password is not correct" when trying to sign application with signtool?

Erik Oppedijk
  • 3,496
  • 4
  • 31
  • 42