5

I am signing an exe from a machine using a .cer file. Then, when I validate the EXE using signtool.exe on the same machine, it succeeds. But when I try to validate it using the same .cer installed on another machine, it fails with the following error.

SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

Number of errors: 1

On this other machine, on which I'm trying to validate, the .cer file has been installed into the Trusted Root certificates store. But still, why am I getting this error? Any help would be much appreciated.

Below is how I sign the file.

makecert.exe -r -pe -ss ROOT -sky exchange -n CN=InstallerCert KubeInstallerSign.cer

AnOldSoul

3 Answers

4

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

This message means that you signed the binary successfully and signtool could process the entire certificate chain, but the root certificate isn't trusted by the machine.

What this means, on a higher level, is that signtool knows it was signed but it doesn't know who signed it, and so it's not a very useful signature. If you're using a self-signed certificate, you can fix this by copying your certificate to the target machine and installing it there; a better solution if you want your users to trust you is to buy a code signing certificate from a reputable certification authority and sign your code using that.

Either way, this will mean that the target machine will now know who signed it and be able to verify that the signature is valid.

demize
2

This is because of the verify command used, signtool verify myfile.exe. When this command is used, signtool will use the Windows Driver Verification Policy. In order for the file to verify properly, include the /pa switch so that SignTool uses the Default Authentication Verification Policy.

Use this command:

signtool verify /pa myfile.exe

schroeder
0

When you generated your signing key, you probably generated two key pairs (and certificates): a CA (certificate authority) key pair (which got installed in the machine's trust store), and a "leaf" key pair whose certificate is "issued" by the CA. You sign with the leaf cert, but you don't inherently trust it; you instead trust its issuer, the CA cert. You need to install the CA cert - not the leaf cert - in the trust store of any system that will try to verify the signature.

CBHacking
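As an added example, not code from the question or from any of the answers: a PowerShell walk-through of the two-tier model CBHacking describes (a root CA that is trusted, a leaf that actually signs) together with the verification step schroeder's answer points at. It assumes Windows 10 / Server 2016 or later (New-SelfSignedCertificate with -Signer), an elevated session for the LocalMachine store, and every subject name, file name and path in it is a placeholder.

```powershell
# Added example (not from the question or the answers): build a self-signed
# root CA and a code-signing leaf issued by it, sign a file with the LEAF,
# and show that verification only passes once the ROOT's public cert is in
# Trusted Root Certification Authorities. All names/paths are placeholders.
$ErrorActionPreference = 'Stop'

# 1. Root CA: self-signed, allowed to issue certificates (CertSign).
#    Assumption: Basic Constraints supplied as a TextExtension in certreq
#    INF syntax (ca=1, no sub-CAs below it).
$root = New-SelfSignedCertificate `
    -Subject 'CN=Example Root CA (test)' `
    -Type Custom `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Leaf code-signing certificate issued by the root. This is the key that
#    signs binaries; nobody has to trust it directly, only its issuer.
$leaf = New-SelfSignedCertificate `
    -Subject 'CN=Example Installer Signing (test)' `
    -Type CodeSigningCert `
    -Signer $root `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export ONLY the root's public certificate (DER .cer, no private key).
#    This is the file that travels to the machines that will verify.
$rootCer = Join-Path $env:TEMP 'ExampleRootCA.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null

# 4. Sign a constructed sample file with the LEAF certificate.
$target = Join-Path $env:TEMP 'Installer.ps1'
Set-Content -Path $target -Value 'Write-Host "hello from a signed installer"'
Set-AuthenticodeSignature -FilePath $target -Certificate $leaf -HashAlgorithm SHA256 | Out-Null

# 5. Before the root is trusted: the chain builds, but ends in an untrusted
#    root. Get-AuthenticodeSignature reports Status 'UnknownError' and the
#    same "terminated in a root certificate which is not trusted" message
#    that signtool prints in the question.
$before = Get-AuthenticodeSignature -FilePath $target
'Before trusting root -> {0}: {1}' -f $before.Status, $before.StatusMessage

# 6. The step for the OTHER machine: import the ROOT .cer (not the leaf)
#    into Trusted Root Certification Authorities. LocalMachine\Root needs
#    elevation; Cert:\CurrentUser\Root works for a single user.
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 7. Now the chain terminates in a trusted root and the signature verifies.
$after = Get-AuthenticodeSignature -FilePath $target
'After trusting root  -> {0}' -f $after.Status    # Valid

# signtool equivalent (Windows SDK), using the default Authenticode policy
# from schroeder's answer rather than the kernel-mode driver policy:
#   signtool verify /pa /v "$target"
```

Get-AuthenticodeSignature applies the default Authenticode policy, which is the same policy signtool uses with /pa; a plain signtool verify applies the Windows driver policy and will still reject this chain even after step 6. Keep the root's private key on the signing machine only: the .cer you distribute must contain nothing but the public certificate, and a test root like this one should be removed from Trusted Root when you are done.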