This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 11%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I followed the instructions here to sign my dll locally using the the certificate from my Azure Trusted Signing account. It kept looking at local certificates, instead of pulling from my Azure account. I did do az login before running signtool. The signtool version is from C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe
Am I missing anything?
signtool sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "dlib\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "metadata.json" "O:\path\to\file.dll"
The following certificates were considered:
Issued to: ...
Issued by: ...
Expires: Mon Aug 18 08:18:42 2025
SHA1 hash: ...
Issued to: ...
Issued by: ...
Expires: Sat Aug 17 17:51:07 2024
SHA1 hash: ...
After EKU filter, 10 certs were left.
After expiry filter, 9 certs were left.
The following certificates have been found to be suitable for signing:
Issued to: ...
Issued by: ...
Expires: Mon Aug 18 08:18:42 2025
SHA1 hash: ...
Issued to: ...
Issued by: ...
Expires: Sat Aug 17 17:51:07 2024
SHA1 hash: ...
SignTool Error: Multiple certificates were found that meet all the given
criteria. Use the /a option to allow SignTool to choose the best
certificate automatically or use the /sha1 option with the hash of the
desired certificate.
The following certificates meet all given criteria:
Issued to: ...
Issued by: ...
Expires: Mon Aug 18 08:18:42 2025
SHA1 hash: ...
Issued to: ...
Issued by: ...
Expires: Sat Aug 04 12:37:58 2068
SHA1 hash: ...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@TDao I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
Issue: I followed the instructions here to sign my dll locally using the the certificate from my Azure Trusted Signing account. It kept looking at local certificates, instead of pulling from my Azure account. I did do az login before running signtool. The signtool version is from C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe
Resolution: Resolved by @TDao
I got it working. Looks like when signing locally and use az login to authenticate, signtool expect certain tenant and subscription to be set as well. As long as I ran the following 2 commands, I was able to sign just fine after that, without the /sha1 or /a options.
az login --tenant <tenant_id>
az account set --subscription <sub_id>
This seems not very intuitive since signtool should have been able to determine from my the metadata to find the corresponding tenant and subscription that have the expected signing account and profile.
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
It seems like there is an issue with SignTool considering multiple certificates that meet the given criteria. This can occur if there are multiple valid certificates available on your system.
The error message suggests two possible solutions:
/a option to allow SignTool to choose the best certificate automatically./sha1 option with the hash of the desired certificate.Here’s how you might modify your command:
signtool sign /a /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "dlib\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "metadata.json" "O:\
or
signtool sign /sha1 YOUR_CERTIFICATE_HASH /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "dlib\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "metadata.json" "O:\
Replace YOUR_CERTIFICATE_HASH with the SHA1 hash of the certificate you want to use.
If you’re still experiencing issues, please check the Trusted Signing role, account name, and certificate profile name in your metadata.json. Also, ensure that your authentication method is functioning correctly.
https://learn.microsoft.com/en-us/azure/trusted-signing/faq
https://learn.microsoft.com/en-us/azure/trusted-signing/concept-trusted-signing-cert-management
https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-domain-ssl-certificates
How would I know which hash is for the trusted signing account? There were 10 of them. If I ran with /a option, it automatically picked an Adobe cert, so I had to go with /sha1 option. However there were 10 of them. These 2 are the closest I can think of:
Issued to: trust_9c232eea...
Issued by: trust_9c232eea...
Expires: Sat Jun 07 10:52:26 2025
SHA1 hash: 7F755...
Issued to: 9c232eea...
Issued by: 9c232eea...
Expires: Sat Jun 07 10:52:26 2025
SHA1 hash: 35DE7...
where Issued to and Issued by are almost the same for both certs. The only different is the "trust_" prefix.
I tried with both regardless, but it gave me this error: Error information: "Error: SignerSign() failed." (-2147024846/0x80070032)
I looked up the error from the link you provided and it says this about the error: Ensure that you're using the latest version of SignTool.
I'm on Windows 10, and using the signtool from C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe, which appears to be the latest on my machine.
updates: I installed the latest Win 11 SDK and use C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe to sign, but still getting the same error.
Ok I got it working. Looks like when signing locally and use az login to authenticate, signtool expect certain tenant and subscription to be set as well. As long as I ran the following 2 commands, I was able to sign just fine after that, without the /sha1 or /a options.
az login --tenant <tenant_id>
az account set --subscription <sub_id>
This seems not very intuitive since signtool should have been able to determine from my the metadata to find the corresponding tenant and subscription that have the expected signing account and profile.