
Code signing Windows SDK 7 on Windows 7



John_Klassek
03-03-2010, 03:18 AM
When trying to digitally sign an executable, an error occurs in the digital signature when using Windows SDK 7 for Windows 7.

The signtool.exe under Windows SDK 7 is a larger executable, but I have assumed that it should work okay.

I choose to digitally sign using a batch file that works well under the Windows SDK for XP. The batch file method works better because the APMS executable is only an interface to an 8 GB software repository; it's too hard to compile an output using the APMS build method.

signtool.exe sign /f f:\Docs\Backup\Code_DigitalCert_key\original\classicit.pfx /p mypassword /t http://timestamp.verisign.com/scripts/timstamp.dll f:\classic\cd_root\autorun.exe

The batch file under Windows 7 reads like this:

signtool.exe sign /f X:\Docs\Backup\Code_DigitalCert_key\original\classicit.pfx /p mypassword /t http://timestamp.verisign.com/scripts/timstamp.dll x:\classic\cd_root\autorun.exe

Now, even though under Windows 7 this actually signs the exe file, when checking the digital signature it appears to be unable to validate it.

I'd be very interested if anyone else has experienced anything like this.

Thanks in advance.

John
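The post above signs with signtool.exe and then finds that Windows reports the signature as unverifiable, but it does not show how to find out why. The PowerShell script below is an added example (not from the thread or from the SDK) that runs the same sign-and-timestamp command, then checks the result three ways: signtool's own verify with the Authenticode policy, Get-AuthenticodeSignature (the same check the Properties dialog relies on), and a manual chain build that reports which certificate or check fails. The signtool.exe install path is an assumption; the .pfx path, password, target and timestamp URL are placeholders copied from the thread.

```powershell
# Added example, not from the thread. Signs an exe with the Windows 7 SDK signtool.exe
# and then diagnoses why the signature might "not be verified".
# Assumed values (adjust for your machine):
$SignTool = 'C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe'  # assumed SDK install path
$Pfx      = 'X:\Docs\Backup\Code_DigitalCert_key\original\classicit.pfx'      # placeholder from the thread
$PfxPass  = 'mypassword'                                                      # placeholder from the thread
$Target   = 'x:\classic\cd_root\autorun.exe'                                  # placeholder from the thread
$TsUrl    = 'http://timestamp.verisign.com/scripts/timstamp.dll'

function Invoke-SignTool {
    param([string[]]$Arguments)
    # Run signtool, echo its output (it prints its own reasons for failure), return the exit code.
    & $SignTool @Arguments 2>&1 | ForEach-Object { Write-Host "  $_" }
    return $LASTEXITCODE
}

# 1. Sign and timestamp in one call, with the same switches as the batch file in the thread (/v adds detail).
Write-Host "Signing $Target"
$rc = Invoke-SignTool @('sign', '/f', $Pfx, '/p', $PfxPass, '/t', $TsUrl, '/v', $Target)
if ($rc -ne 0) { throw "signtool sign failed with exit code $rc" }

# 2. Verify under the default Authenticode policy (/pa). Without /pa, signtool verify applies the
#    Windows driver-signing policy, which rejects an ordinary code-signing certificate even when
#    the signature is fine, so a bare "signtool verify" gives a misleading result here.
Write-Host "Verifying with the Authenticode policy"
$rc = Invoke-SignTool @('verify', '/pa', '/v', $Target)
if ($rc -ne 0) { Write-Warning "signtool verify /pa reported a problem (exit code $rc)" }

# 3. Ask Windows itself, which is what the Properties > Digital Signatures tab relies on.
$sig = Get-AuthenticodeSignature -FilePath $Target
Write-Host ("Status: {0} - {1}" -f $sig.Status, $sig.StatusMessage)

if ($sig.SignerCertificate) {
    Write-Host ("Signer: {0}" -f $sig.SignerCertificate.Subject)
    # Rebuild the chain the way the shell does and print the status of every link,
    # so a missing intermediate, an untrusted root, a revocation lookup failure or a
    # missing Code Signing EKU shows up against the certificate that causes it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null
    $built = $chain.Build($sig.SignerCertificate)
    Write-Host ("Chain builds: {0}" -f $built)
    foreach ($el in $chain.ChainElements) {
        $problems = ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        if (-not $problems) { $problems = 'OK' }
        Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $problems)
    }
}

# A signature without a timestamp countersignature still verifies today but will stop
# verifying when the certificate expires; it also means the /t request never completed.
if ($sig.TimeStamperCertificate) {
    Write-Host ("Timestamped by: {0}" -f $sig.TimeStamperCertificate.Subject)
} else {
    Write-Warning "No timestamp countersignature found; the /t request may have been blocked by a proxy or firewall."
}
```

Run it from an elevated PowerShell prompt on the machine that does the signing; compare the Status line and the per-certificate chain output with the same script run on a machine where the signature is reported as valid, and the differing link is the one to fix.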

Ulrich
03-03-2010, 07:56 AM
Hello,

unless the syntax was changed for signtool.exe in the newer version, I don't think that you can sign and timestamp a file in a single operation.

I have seen that there is a limit for the file size that can be successfully signed or verified, however I have not yet found a document explaining what is happening. I know that signing large files may not produce an error message during the operation, but often the certificate can't be verified later. I assume you are signing a large file?

Ulrich

John_Klassek
03-03-2010, 09:15 PM
We are signing, using a batch file, a 2 MB autoruns.exe APMS-created executable. In a Windows XP environment, the batch file works fine to both digitally sign and date-stamp the exe.

The problem is that this process doesn't execute properly when it happens under Windows 7 SDK; even though the signing process appears to progress normally, the result is that the digital signature "cannot be verified" when checking it via right-click "Properties > Digital Signature".

Again, I appreciate any comments on this issue.

(One thing I haven't tried is to next time digitally sign the exe with the Windows 7 firewall disabled, ensuring that the timestamp request isn't hindered in any way).

Cheers,

John

RizlaUK
03-04-2010, 02:54 AM
What is the folder location of the exe you are signing, and does the signing tool have permission to edit files in that directory? Is the batch run as admin?

I'm guessing it's a UAC problem, but I could be wrong.

glenndanthi
04-14-2010, 02:24 AM
I was struggling with this issue too, but figured out that the new signtool (part of the Win 7 SDK) is kind of different compared to previous ones. I could solve the issue by providing a cross certificate.

Export a .cer from the pfx, and in the signtool command specify this certificate with the "-ac" option.

Read this for more info :
http://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/AppInit_Win7.docx
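The post above describes the fix in two steps (export a .cer from the .pfx, then pass it to signtool with the additional-certificate option) without showing the commands. The script below is an added example (not from the thread or the linked document) that performs those steps from PowerShell and verifies the result under the Authenticode policy. Note that /ac (signtool accepts either "-" or "/" for switches) embeds an extra certificate in the signature block; it is normally given the cross-certificate or intermediate CA certificate supplied by the certificate vendor, so the script takes the certificate to embed as a variable and defaults it to the one exported from the .pfx, as the post did. All paths and the password are placeholders; the signtool.exe location is an assumption.

```powershell
# Added example, not from the thread. Exports the signing certificate from a .pfx and
# re-signs with /ac, then verifies with the Authenticode policy.
# Assumed values (adjust for your machine):
$SignTool = 'C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe'  # assumed SDK install path
$Pfx      = 'X:\Docs\Backup\Code_DigitalCert_key\original\classicit.pfx'      # placeholder from the thread
$PfxPass  = 'mypassword'                                                      # placeholder from the thread
$Cer      = 'X:\Docs\Backup\Code_DigitalCert_key\original\classicit.cer'      # assumed output path
$Target   = 'x:\classic\cd_root\autorun.exe'                                  # placeholder from the thread
$TsUrl    = 'http://timestamp.verisign.com/scripts/timstamp.dll'

Add-Type -AssemblyName System.Security

# 1. Load the .pfx and write the public certificate only (DER, no private key) to a .cer file.
#    Export(Cert) never includes the private key, so the .cer is safe to keep beside the build scripts.
$X509 = 'System.Security.Cryptography.X509Certificates'
$signingCert = New-Object "$X509.X509Certificate2" ($Pfx, $PfxPass)
$der = $signingCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($Cer, $der)
Write-Host ("Exported {0} (thumbprint {1}) to {2}" -f $signingCert.Subject, $signingCert.Thumbprint, $Cer)

# 2. The certificate to embed with /ac. The post used the exported leaf certificate; substitute
#    the cross-certificate or intermediate CA .cer from your vendor if you have one.
$AdditionalCert = $Cer

# 3. Sign and timestamp, embedding the additional certificate in the signature block.
& $SignTool sign /f $Pfx /p $PfxPass /ac $AdditionalCert /t $TsUrl /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify with the Authenticode policy (/pa); /v lists every certificate found in the signature,
#    which confirms the /ac certificate was actually embedded.
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { Write-Warning "signtool verify /pa failed with exit code $LASTEXITCODE" }

# 5. Cross-check with Windows' own verdict, which is what the file's Properties dialog shows.
$sig = Get-AuthenticodeSignature -FilePath $Target
Write-Host ("Windows says: {0} - {1}" -f $sig.Status, $sig.StatusMessage)
```

If step 4 lists the embedded certificate but step 5 still reports an untrusted chain, the certificate that is missing is above the one you embedded (an intermediate or root the target machine does not trust), not the leaf.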

John_Klassek
04-14-2010, 03:29 AM
Thanks for sharing this. To date, this issue has remained unresolved. I'll look into it right away!