Re: Signtool doesn't add entire chain when signing files

The last point about you having your own root here is important. Typically, you only need to ensure that the intermediate certificates are included in the signature so that the client can build a chain to the root. The root needs to be installed as a trusted root certificate on the client in order for the client to trust the certificate.

So, for your self-signed root certificate, have you deployed that root certificate to all the clients that need to trust this signed object? That functionality is not included in a code signing operation. The client still has to trust the certificate. Given that you don't have any intermediate certificates, it doesn't matter whether or not they are included in the signature, so it should not matter if there is any difference between the wizard mode and the command line tool mode.

It DOES seem like the wizard allows you to include the root in the signature while the command line doesn't do that for some reason, but it should not be important that the root is there anyway. The root needs to be installed on the client as a trusted root and having it included in the signature or not doesn't really buy you anything.

The thing I'm confused about at this point is how you are planning to get the root distributed to your target clients. That is basically what you are paying for when you buy a commercial certificate and is what you get by setting up an enterprise CA in a domain-based environment (roots are distributed by domain policy). When you have your own root cert, you are left to your own devices in terms of how to get the clients to trust it.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"djBo" <rory.slegtenhorst@xxxxxxxxx> wrote in message news:ba208b45-507a-4016-9ce4-97d4b8bac876@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Oct 2, 4:20 am, "Joe Kaplan" <joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
The defaults for signtool to sign include the intermediate certificates when
I call it. What options are you providing. I think there are options to
override this behavior but if the intermediate certificates are available
locally, I've always found that they are included.

it does when I use it in Wizard mode.
I call the signtool as follows:

signtool.exe sign -n "Digital Software" /d "File Description" /du
""; /t "
timstamp.dll" somefile.dll

I have tried this with the root CA and signing cert installed in both
localMachine AND currentUser.
It doesn't matter much.

After I signed the file in this exact way, I check the chain by
removing both root ca and sign cert from my machine.
I then open the properties of the file and see the digital
certificates tab to open the certificate.

When I sign from the command line, the message states:
The certificate in the signature cannot be verified.

Opening the certificate, I can also see the root ca isn't there.

When I sign using the wizard, the message states:
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider.

Opening the certificate, I can see the root ca is actually present but
only untrusted (as it isn't installed).

According to the help file on MSDN and the help from the /? option,
there seems to be NO command line option for the chain to add.
When using the wizard (in custom mode) there are actually THREE options:
1. Include entire chain EXCEPT root ca
2. Include entire chain (default)
3. Include only signing cert

PS... just a side note:
There are NO intermediate certificates to add. I have created a
self-signed root CA, and used that to sign a software certificate (for
this specific purpose).
And even though I'm "supposed to" use VeriSign/Thawte signed
certificates, it doesn't explain the difference between the wizard
mode and the command line.

I am hoping the option is available in a non-disclosed command line
parameter, but I doubt it very much.

Thanks in advance for any assistance,
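As an added example (not code from this thread), the following Windows PowerShell 5.1 script, run on a client machine, shows what the client actually receives: which certificates are embedded in the file's signature, and whether a chain can be built to a trusted root. It reproduces the two status messages quoted above; the file path and root certificate file name are placeholders.

```powershell
# Added example, not code from the thread. Inspects an Authenticode-signed
# file on a client. Assumes Windows PowerShell 5.1 (.NET Framework) and a
# placeholder path to the signed file, e.g. .\somefile.dll
param([Parameter(Mandatory)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status: $($sig.Status) - $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) { return }

# 1. Certificates embedded in the Authenticode PKCS#7 blob. Import() goes
#    through CryptQueryObject, which understands PE files and returns every
#    certificate the signer shipped, so the wizard vs. command-line
#    difference is visible directly, independent of the local stores.
$embedded = New-Object Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import($Path)
"Embedded certificates ($($embedded.Count)):"
foreach ($c in $embedded) {
    $kind = if ($c.Subject -eq $c.Issuer) { 'self-signed (root)' } else { "issued by $($c.Issuer)" }
    "  $($c.Subject)  -- $kind"
}

# 2. Build the chain the way a verifier does: embedded certificates are
#    offered as candidates (ExtraStore), but trust still comes only from
#    the local Trusted Root store. Embedding the root never buys trust.
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.ExtraStore.AddRange($embedded)
$null = $chain.Build($sig.SignerCertificate)
"Chain elements:"
foreach ($el in $chain.ChainElements) { "  $($el.Certificate.Subject)" }
foreach ($s in $chain.ChainStatus) {
    switch ($s.Status) {
        'PartialChain'  { "  PartialChain: issuer found neither in the signature nor locally (the command-line case)" }
        'UntrustedRoot' { "  UntrustedRoot: chain reaches the root, but it is not in Cert:\LocalMachine\Root (the wizard case)" }
        default         { "  $($s.Status): $($s.StatusInformation)" }
    }
}

# The remedy on each client is the same in both cases: install the private
# root into the trusted root store (file name is a placeholder), e.g.
#   Import-Certificate -FilePath .\myroot.cer -CertStoreLocation Cert:\LocalMachine\Root
```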