Signtool sign /di does not work in Windows 11 SDK

chuckkir 21 Reputation points
2022-02-04T14:50:07.09+00:00

Signtool.exe in the 22000 SDK does not work. It both requires a signing algorithm and requires no signing algorithm.

"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /di a b
SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.

"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /di a /fd SHA256 b
SignTool Error: The /di option is incompatible with the /fd option.


Accepted answer
  1. Carlos Lopez 86 Reputation points Microsoft Employee
    2022-03-02T22:20:41.697+00:00

    Beginning with Signtool version 10.0.20348.0, you'll find that you'll receive the following error when you don't include the /fd option when using /di :
    SignTool Error: No file digest algorithm specified. Please specify the digest algorithm with the /fd flag. Using /fd SHA256 is recommended and more secure than SHA1. Calling signtool with /fd sha1 is equivalent to the previous behavior. In order to select the hash algorithm used in the signing certificate's signature, use the /fd certHash option.

    To avoid this error, there is a new flag /fdws that suppresses the error and allows you to continue.

    The updated command in this case would be:
    "c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fdws /di a b


  1. Limitless Technology 39,396 Reputation points
    2022-02-07T08:25:13.33+00:00

    Hello ChuckKirschman

    You can't use both together, but you need to follow a process for signing, for instance:

    1. Create the digest on the client: signtool.exe sign /f cert /fd sha256 /dg . MyFile.dll
    2. Send the MyFile.dll.dig digest to our signing server.
    3. Sign the digest on the signing server: signtool.exe sign /f cert /fd sha256 /ds MyFile.dll.dig
    4. Send the signature MyFile.dll.dig.signed back to the client.
    5. Create the signature on the client: signtool.exe sign /di . MyFile.dll


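The five-step client/server split-signing flow above, and the /fdws workaround from the accepted answer for the final /di step, put together as one runnable script. This is an added example, not code from either answer. It assumes hypothetical paths (the build directory, a local folder standing in for the signing server's inbox, and a PFX file selected with /f as in the answer's commands) and it passes /fdws exactly as the accepted answer gives it; everything else is standard signtool syntax (/dg and /di take a directory, /ds takes the digest file, /fd sets the file digest algorithm).

```powershell
# Added example (not from the original thread): split signing with signtool from
# Windows SDK 10.0.20348+ where /fd is mandatory but incompatible with /di.
# All paths and the certificate file below are hypothetical placeholders.
$SignTool  = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe'
$File      = 'C:\build\MyFile.dll'        # the unsigned binary on the client
$ClientDir = Split-Path -Path $File       # /dg and /di work on a directory
$ServerIn  = 'C:\signserver\inbox'        # stands in for the real signing host
$CertPfx   = 'C:\signserver\codesign.pfx' # key material lives only on the server

function Invoke-SignTool {
    # Run signtool with an argument array and fail loudly on a non-zero exit code,
    # so a digest that was never signed cannot silently be ingested later.
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed with exit code $LASTEXITCODE`: $($Arguments -join ' ')"
    }
}

# Step 1 (client): hash the PE file. /fd is required here because this digest is
# what will actually be signed; SHA256 rather than the legacy SHA1 default.
Invoke-SignTool @('sign', '/fd', 'SHA256', '/dg', $ClientDir, $File)
$Digest = "$File.dig"   # signtool writes <file>.dig next to the input

# Step 2: only the digest crosses to the signing server; the binary stays put.
Copy-Item -Path $Digest -Destination $ServerIn

# Step 3 (server): sign the digest with the certificate held there.
$ServerDigest = Join-Path $ServerIn 'MyFile.dll.dig'
Invoke-SignTool @('sign', '/f', $CertPfx, '/fd', 'SHA256', '/ds', $ServerDigest)

# Step 4: return the detached signature (<digest>.signed) to the client directory.
Copy-Item -Path "$ServerDigest.signed" -Destination $ClientDir

# Step 5 (client): ingest the signed digest into the PE file. /di rejects /fd,
# and 10.0.20348+ rejects the absence of /fd, so /fdws (per the accepted answer)
# suppresses that check for this step only.
Invoke-SignTool @('sign', '/fdws', '/di', $ClientDir, $File)

# Sanity check: verify the embedded Authenticode signature with the default policy.
Invoke-SignTool @('verify', '/pa', '/v', $File)
```

Only the steps that compute or sign a hash (/dg and /ds) carry /fd SHA256; the /di step merely embeds an already-signed digest, which is why the tool refuses /fd there. Run step 3 on the machine that holds the key and keep the copy-steps as your real transfer mechanism; the local folder here just makes the script runnable end to end on one host.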