10

As part of our build system, we use signtool.exe with a certificate to sign our binaries once they've been built. Occasionally (it's hard to tell when it will strike), the signing fails:

 error MSB3073: The command "C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\bin\signtool.exe" [...] exited with code 1.

According to the MSDN, an exit code of 1 means that there was an error signing the file. I can verify that the file didn't get signed.

I've also noticed that occasionally, the timestamp portion times out with a different error message, albeit that the file still gets signed (without the timestamp).

How can I troubleshoot and fix these seemingly random, inconsistent signature failures?

The Chairman
  • 7,087
  • 2
  • 36
  • 44
ashes999
  • 9,925
  • 16
  • 73
  • 124
  • I have the same experience: signtool occasionally fails during timestamping. There seems to be no solution other than re-run signtool. – Eugene Mayevski 'Callback Feb 21 '12 at 16:27
  • @EugeneMayevski'EldoSCorp some people report updating their Windows XP certificates works, and some other weird stuff like that. I want a definitive answer, since a failed build is very serious for me. But I fear you are right. – ashes999 Feb 21 '12 at 18:08
  • 1
    Suppose your timestamping server is completely unreachable (network cable unplugged etc). How would signtool or other tool for the same purpose be able to deal with this? Of course, I wish signtool were more tolerant to failures and tried to perform timestamping once again, but you must be ready for possible timestamping failure anyway. – Eugene Mayevski 'Callback Feb 21 '12 at 18:14
  • True. Maybe the answer is to address this at a higher level, such as on the continuous integration server. I'm still hoping for a lower-level solution though. – ashes999 Feb 21 '12 at 20:27

4 Answers4

5

I strongly suspect a failing connection to the timestamp server being responsible for occasional failures. Perhaps you check your system event log for lost connections at the time in question.

The Chairman
  • 7,087
  • 2
  • 36
  • 44
  • If this is the case, how would I rectify this? I don't control the timestamp server. – ashes999 Feb 21 '12 at 20:26
  • Could be almost anything. Check your infrastructure. We once had an issue with a defective network cable. That was easy. Might be local downtime due to maintenance. Might be a problem with your Internet provider. My advice (just as Eugene Mayevski 'EldoS Corp explained): Implement a retry mechanism. Don't let assembly signing be a time critical part of your process. – The Chairman Feb 21 '12 at 21:15
  • Can you edit your answer to mention that the build process should be more robust? That's what I ended up doing. – ashes999 Mar 01 '12 at 22:17
  • Hmm, my version of `signtool` does **not** give a failure exit code when timestamping fails. In fact it pretends everything is fine, which is a *major* annoyance. – 0xC0000022L Mar 11 '13 at 15:17
2

I had the same problem. It happens because MS antimalware process MsMpEng.exe check the binary and don't let anyone access it. To solve the problem, I build binary on RAM disk and it worked.

user1309871
  • 257
  • 3
  • 11
2

I've just into this issue, on Windows 8.1, so it's not the Windows XP root certificates issue that some folks cite.

I found that the problem was caused because the .exe being signed was also running.

If you run signtool from the cmd prompt and try to sign it you will get a helpful text message telling you what is wrong (so much better than the return code 1 from CreateProcess().

Stopped the running process and was able to sign OK.

Stephen Kellett
  • 3,078
  • 1
  • 22
  • 25
1

In my case, the .pfx file in the solution was an old one. Until someone told me to replace the certificate file with the new, valid one, I continued to get "Fails with Exit Code 1" error.

Meaning, make sure that the certificate file is valid and not expired.

ilter
  • 4,030
  • 3
  • 34
  • 51