Question

Azure Trusted Signing, SignTool error, 'Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)'

I am unable to get the signtool certificate signing to work in Windows PowerShell with the Azure trusted signing. I have verified that the correct dlib and json files exist and are properly referenced as environmental variables in my command:

.\signtool sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib %ACS_DLIB% /dmdf %ACS_JSON% "<my file to be signed>.msi"

The complete output of this command is:

The following certificates were considered:
    Issued to: --
    Issued by: --
    Expires:   Sat Apr 05 06:20:17 2025
    SHA1 hash: some-hash0

    Issued to: A
    Issued by: A
    Expires:   Sun Mar 14 13:41:25 2123
    SHA1 hash: some-hash1

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
The following certificate was selected:
    Issued to: --
    Issued by: --
    Expires:   Sat Apr 05 06:20:17 2025
    SHA1 hash: some-hash0

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)

In search results and forum posts, I have not found a similar error code. I have looked through the Event Viewer, as suggested by some, but no 'Error' events exist to provide more context. The only related information I've found was on the Azure Support solutions which states:

If you get a SignerSign() failed error and you are signing an .appx/.appxbundle/.msix/.msixbundle double check that the Publisher name in the manifest file matches the name on the signing certificate.

However, I have changed the Publisher name on my .msi file to every given 'name' from Azure with no luck. I have no way of checking for which 'name' it refers to.

(I tried many times to post this to the Azure Q&A, but it was deleted every time for just mentioning certificates...)

 2  80  2
1 Jan 1970

Solution

 0

This error is because SignTool is not invoking Trusted Signing dlib: Please double check you have the latest and supported version of Windows SDK and latest dlib from here: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations and double check the command: & "\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "\x64\Azure.CodeSigning.Dlib.dll" /dmdf "\metadata.json" 

2024-07-11
amazeblaze