Signtool within a windowsservercore-ltsc2019 container failing when using /fd SHA256

Jamieh77 1 Reputation point
2022-06-24T09:49:06.553+00:00

We have a system which Authenticode signs files such as .DLL, .EXE, etc. We use SHA256 hashing when adding the certificate with signtool with the following command line:

signtool.exe sign /debug /fd SHA256 /sm /sha1 .

Putting this into a Windows container, using windowsservercore-ltsc2019 running on a Windows Server 2019 node, signtool fails with 0xC0000225.

Error code 0xC0000225, as far as I can see, is to do with not being able to find a system file.

If we use signtool.exe sign /debug /fd SHA1 /sm /sha1 this works and successfully signs; however, we don't want to use a SHA1 hash.

Has anyone else encountered this issue, or is aware of a patch to the Microsoft image windowsservercore-ltsc2019 that we can apply to fix this issue?

Note: We have tried with windowsservercore-ltsc2022; this works with /fd SHA256, but we are not currently in a position to use the 2022 node image.


1 answer

Limitless Technology 39,156 Reputation points
2022-06-27T07:22:23.63+00:00

Hi there,

You need to check the option EV code signing. The name suggests that it only applies to EV certificates, but it appears that it also applies to ones with SHA2 digests.

Also note that you have to follow the steps below:

- Quit the application (from TNA aka "system tray")
- Start the application elevated from its program folder
- Check the checkbox
- Hit the OK button and reboot.

After the reboot, check whether there are any entries underneath HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers

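As an added diagnostic (not code from the question or the answer), a PowerShell script to run inside the ltsc2019 container: it repeats the SHA256 versus SHA1 signing comparison described in the question, pulls the NTSTATUS out of signtool's output, and on a SHA256 failure lists the provider registrations under the registry key the answer points to. The signtool path, target file and certificate thumbprint are placeholders you must replace.

```powershell
# Added diagnostic script; signtool location, target file and thumbprint are assumptions.
param(
    [string]$SignTool   = 'C:\signtool\signtool.exe',     # assumed location inside the container
    [string]$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT', # placeholder: SHA1 thumbprint of the signing cert
    [string]$Target     = 'C:\build\sample.dll'           # assumed file to sign
)

function Invoke-TestSign {
    param([string]$Digest)
    # /sm = machine store, /sha1 = pick the cert by thumbprint, /fd = file digest algorithm
    $output = & $SignTool sign /debug /fd $Digest /sm /sha1 $Thumbprint $Target 2>&1 | Out-String
    [pscustomobject]@{
        Digest   = $Digest
        ExitCode = $LASTEXITCODE
        # the 0xC0000225 from the question appears in signtool's text, not in its exit code
        Ntstatus = ([regex]::Match($output, '0x[0-9A-Fa-f]{8}')).Value
        Output   = $output
    }
}

# Run the same command with both digests so a cert/store problem (both fail)
# can be told apart from a SHA256-specific failure (only SHA256 fails).
$results = 'SHA256', 'SHA1' | ForEach-Object { Invoke-TestSign -Digest $_ }
$results | Select-Object Digest, ExitCode, Ntstatus | Format-Table -AutoSize

$sha256 = $results | Where-Object Digest -eq 'SHA256'
if ($sha256.ExitCode -ne 0) {
    Write-Host "SHA256 signing failed in this image (OS build $([Environment]::OSVersion.Version.Build))."
    Write-Host 'Registered CNG providers (the key the answer suggests checking):'
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
} else {
    # SHA256 signing worked: confirm the signature and the digest that was applied
    & $SignTool verify /pa /v $Target
}
```

Compare the provider list against the same key on a host or an ltsc2022 container where SHA256 signing succeeds; a missing provider is the kind of "system file not found" condition the question attributes to 0xC0000225.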