
I've been signing compiled apps for several months and have a script that calls the Windows 10 SDK signtool. It's been working fine on two different computers and my certificate is valid. Today, I just started getting an "Unexpected internal error" with the error number listed above. I tried disabling antivirus, which helped in this case but not mine.

My app is written in Delphi but I don't think that matters as this same problem was reported on Microsoft's Developer Community under Visual Studio. I had been using version 10.0.18362.0 of the SDK but after getting this error, found there's an update and tried version 10.0.19041.0 but got the same error.

Anyone else with this problem? Any suggestions?

David Cornelius

2 Answers


Same here. The issue was the demise of the comodoca.com timestamp server.

I switched to using DigiCert:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /tr http://timestamp.digicert.com ...

UPDATE 2 (perplexed nailed it) comodoca.com actually still works fine, you just need to add a /td sha256 switch to your signtool.exe command, like this:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /tr http://timestamp.comodoca.com /td sha256 ...

It seems DigiCert is throttling the number of timestamps they give out anyway, so I had to switch back. BTW, note that you can still use any digital cert from any cert authority; it doesn't have to be from DigiCert to use their timestamp server.

Jon R
  • Thank you! That was indeed the problem! – David Cornelius Jun 03 '20 at 00:03
  • Here's more information I just found out: Need to use /?td=sha256 : https://timestamp.comodoca.com/?td=sha256 - the SHA1 server has been deprecated as of May 30, 2020 (all the SHA1 roots have now expired) – David Cornelius Jun 03 '20 at 00:44
  • Jon, could you put David's information in the answer? That solution worked for me without changing the timestamp server – Matthew Rodatus Jun 03 '20 at 14:12
  • THANK YOU! This just started happening to me too. That's 4 hours of my life I'll never get back. – Erik Schroder Jun 03 '20 at 15:48
  • David's answer is not working for me. I tried using "http://timestamp.comodoca.com/?td=sha256" and it failed. Changing it to .digicert. works. – Erik Schroder Jun 03 '20 at 15:55
  • I actually didn't try adding the "sha256" parameter but simply switched to using DigiCert. I was just passing along information I found on the VS developer community forum. – David Cornelius Jun 03 '20 at 17:07
  • Please have a look at the note published on the Comodo (now Sectigo) knowledge base: "If you are signing several pieces of software with a script, please add a delay of 15 seconds or more between signings so that you're not hammering our servers." Available here: https://support.sectigo.com/Com_KnowledgeDetailPageFaq?Id=kA01N000000zGM2 – trix Jun 04 '20 at 14:51
  • The only change needed is the use of the argument string '/td sha256' for signtool. Any suffix (such as /?td=sha256 mentioned in some of the prior comments) for timestamp.comodoca.com appears to be unnecessary. – perplexed Jun 05 '20 at 06:05

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\signtool.exe" sign /tr http://timestamp.sectigo.com/?td=sha256 /td sha256 ....

The /?td=sha256 suffix actually works, but I recommend using their new domain name http://timestamp.sectigo.com, and you need to add the extra parameter /td sha256.

Fei Xu
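Putting both answers and the Sectigo note from the comments together, here is an added example of a signing script (not code from either answer or from Microsoft/Sectigo). It requests SHA-256 for the file digest (/fd) and for the RFC 3161 timestamp digest (/td), retries a failed signing, waits 15 seconds between files so the TSA is not hammered, and then runs signtool verify to confirm the signature and timestamp actually landed instead of trusting the exit code of sign alone. The SDK path, the subject name "Example Publisher Ltd", and the verbose-output text "The signature is timestamped" that the verify step looks for are assumptions; adjust them for your certificate and SDK version.

```powershell
# Added example, not from the original Q&A. Signs one or more files with an
# RFC 3161 timestamp, using SHA-256 for both digests, with a polite delay and
# a verification pass. Assumed: SDK path below, a cert in CurrentUser\My
# matched by subject name (use '/f <pfx>' '/p <pwd>' instead to sign from a file).
param(
    [Parameter(Mandatory)] [string[]] $Files,
    [string] $SignTool  = "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe",
    [string] $Subject   = "Example Publisher Ltd",        # assumed subject CN
    [string] $Timestamp = "http://timestamp.sectigo.com", # any RFC 3161 TSA works
    [int]    $DelaySec  = 15,                             # Sectigo asks for >= 15 s
    [int]    $Retries   = 3
)

function Invoke-SignTool {
    param([string[]] $ArgList)
    # Capture stdout+stderr so the caller can log it; keep the native exit code.
    $output = & $SignTool @ArgList 2>&1 | Out-String
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

function Add-FileSignature {
    param([string] $Path)
    # /fd: digest for the Authenticode signature; /td: digest the TSA is asked
    # to use in the timestamp request. Omitting /td is what broke the script
    # in the question once the SHA-1 timestamp endpoint was retired.
    $signArgs = @('sign', '/fd', 'sha256', '/n', $Subject,
                  '/tr', $Timestamp, '/td', 'sha256', '/v', $Path)
    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        $r = Invoke-SignTool $signArgs
        if ($r.ExitCode -eq 0) { return $true }
        Write-Warning ("sign failed (exit {0}) on attempt {1} for {2}: {3}" -f
                       $r.ExitCode, $attempt, $Path, $r.Output.Trim())
        Start-Sleep -Seconds $DelaySec   # back off before retrying the TSA
    }
    return $false
}

function Test-FileSignature {
    param([string] $Path)
    # /pa: Authenticode policy; /v: verbose output that includes the timestamp
    # line (assumed wording). Exit code 0 alone does not prove a timestamp
    # was attached, so require both.
    $r = Invoke-SignTool @('verify', '/pa', '/v', $Path)
    $stamped = $r.Output -match 'The signature is timestamped'
    return ($r.ExitCode -eq 0 -and $stamped)
}

$failed = @()
foreach ($f in $Files) {
    if ((Add-FileSignature $f) -and (Test-FileSignature $f)) {
        Write-Host "signed and timestamped: $f"
    } else {
        $failed += $f
    }
    # Pause between files, not after the last one.
    if ($f -ne $Files[-1]) { Start-Sleep -Seconds $DelaySec }
}

if ($failed.Count -gt 0) {
    Write-Error ("Signing failed for: " + ($failed -join ', '))
    exit 1
}
```

Run it as `.\Sign-Release.ps1 -Files .\app.exe, .\installer.msi`. If you sign from a PFX rather than the certificate store, replace `'/n', $Subject` with `'/f', $PfxPath, '/p', $PfxPassword`; the timestamp switches are unchanged. A signature without a timestamp becomes invalid when the code-signing certificate expires, so the verify step is there to catch the case where signing succeeded but the TSA request was silently skipped.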