Signtool unable to load signing certificate

Michael Hathaway 21 Reputation points
2023-07-04T15:17:20.48+00:00

Hi Folks,

I am trying to use Signtool from the Windows SDK; however, with one of my Code Signing Certificates I am getting the following:

    Done Adding Additional Store
    GetKeyProperty
    GetKeyProperty
    SignTool Error: An error occurred while attempting to load the signing certificate from: c:\code\test.exe

The cert is installed in CAPI, it has Code Signing as an extended key usage, and I am specifying the cert name in the command to sign. I can use the same command to sign using a PFX I imported for testing.

Does anyone know what GetKeyProperty is doing? Is there a way to view the advanced key properties via CAPI? I have not found a certutil command that will dump these attributes. So far the working and non-working certs are identical: they come from the same CA, and the only difference is that the working ones were generated by certreq and the non-working one was generated by a 3rd-party tool. Could the KeySpec come into play? If so, how do I view it to check?

Here is the command I am using to sign the code:

    SignTool sign /debug /fd SHA256 /n "Lab Code Signing 1" /td SHA256 c:\code\test.exe

TIA

Mike


1 answer

2023-09-20T07:45:01.32+00:00

Hello

The GetKeyProperty error you’re encountering with SignTool is likely due to an issue with the certificate you’re trying to use. The GetKeyProperty function is part of the Windows Cryptographic API (CAPI) and is used to retrieve properties of a key. In this case, it seems that SignTool is having trouble loading the signing certificate from the specified location.

The KeySpec property of a certificate specifies whether a private key associated with a certificate can be used for signing, encryption, or both. An incorrect KeySpec value can cause errors. For instance, a KeySpec value of 1 (AT_KEYEXCHANGE) can be used for signing and encryption, while a value of 2 (AT_SIGNATURE) is only used for signing.

You can check the KeySpec value of your certificate using the certutil command-line tool. Here’s an example command:

    certutil -v -store my

This command dumps the certificate information to the screen. Under CERT_KEY_PROV_INFO_PROP_ID, look for KeySpec.

If you find that the KeySpec value is incorrect, you may need to generate a new certificate with the correct KeySpec value. If you’re using a third-party tool to generate your certificates, make sure it’s configured correctly to generate certificates with the appropriate KeySpec value.

If you continue to encounter issues, it may be helpful to compare the working and non-working certificates in more detail or consult with the provider of your third-party tool for further assistance.
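As an added example (not part of the question or the answer above), the following PowerShell function lists the Code Signing certificates in a store that have a private key and reports, for each, whether the key is a legacy CAPI (CSP) key with its KeySpec or a CNG key with its key storage provider, so a working and a non-working certificate can be compared side by side. The function name, the default store path and the assumption of RSA keys on Windows PowerShell 5.1 or PowerShell 7 are mine.

```powershell
# Added example, not from the original question or answer. Compares how the
# private key behind each Code Signing certificate is stored (CAPI vs CNG).
# Assumes Windows, RSA keys, and Windows PowerShell 5.1 or PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CodeSigningKeyInfo {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed default
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'                 # id-kp-codeSigning

    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        # Skip certificates whose EKU extension does not include Code Signing.
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })) { return }

        $info = [ordered]@{
            Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
            KeyApi = 'unknown'; KeySpec = 'n/a'; Provider = 'n/a'; Container = 'n/a'
        }
        try {
            $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [RSACryptoServiceProvider]) {
                # Legacy CAPI (CSP) key: KeyNumber is the KeySpec,
                # Exchange (AT_KEYEXCHANGE = 1) or Signature (AT_SIGNATURE = 2).
                $csp = $rsa.CspKeyContainerInfo
                $info.KeyApi = 'CAPI'; $info.KeySpec = "$($csp.KeyNumber)"
                $info.Provider = $csp.ProviderName; $info.Container = $csp.KeyContainerName
            } elseif ($rsa -is [RSACng]) {
                # CNG key: there is no KeySpec; report the key storage provider instead.
                $info.KeyApi = 'CNG'; $info.Provider = $rsa.Key.Provider.Provider
                $info.Container = $rsa.Key.KeyName
            }
        } catch {
            # A key that cannot be opened at all shows up here, not as a KeySpec value.
            $info.KeySpec = "error: $($_.Exception.Message)"
        }
        [pscustomobject]$info
    }
}

Get-CodeSigningKeyInfo | Format-Table -AutoSize
```

For a machine-store certificate pass -StorePath 'Cert:\LocalMachine\My'; the KeySpec column should match the KeySpec that certutil -v -store my prints under CERT_KEY_PROV_INFO_PROP_ID.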
