Signing with EV certificate results in "SignTool Error: No signature found."
- Version: 22.10.5
- Electron Version: 9.0.0
- Electron Type (current, beta, nightly): current
- Which version of electron-updater are you using (if applicable)?: 4.3.8
- Target: Windows
Hi!
We’re trying to sign using an EV Cert on a YubiKey.
While building, the signing appears successful but checking the output after the build finishes results in an error.
Build Log extract
• executing file=powershell.exe args=Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress
• executed file=powershell.exe stdout=
{"Subject":"OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=Findie Development Limited, SERIALNUMBER=09384486, O=Findie Development Limited, L=London, C=GB","PSParentPath":"Microsoft.PowerShell.Security\\Certificate::CurrentUser\\My","Thumbprint":"F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E"}
• auto-detect certificate store store=My PSParentPath=Microsoft.PowerShell.Security\Certificate::CurrentUser\My
• auto-detect using of LocalMachine store
....
• signing file=out\TinyVid-win-0.14.4.exe subject=OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=Findie Development Limited, SERIALNUMBER=09384486, O=Findie Development Limited, L=London, C=GB thumbprint=F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E store=My user=current user
....
• executing file=C:\Users\Stefan\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\signtool.exe args=sign /tr http://timestamp.digicert.com /sha1 F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E /s My /fd sha256 /td sha256 /d TinyVid /as /debug C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe env={}
• executed file=C:\Users\Stefan\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\signtool.exe stdout=
The following certificates were considered:
Issued to: Findie Development Limited
Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
Expires: Fri Apr 29 23:51:29 2022
SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Hash filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: Findie Development Limited
Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
Expires: Fri Apr 29 23:51:29 2022
SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E
Done Adding Additional Store
Successfully signed: C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Verifying the signature: signtool.exe verify /debug /pa C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe
Verifying: C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 45B356293E6237C387EE4C84E3CE1688CCC2E6BC
Signing Certificate Chain:
Issued to: SSL.com EV Root Certification Authority RSA R2
Issued by: SSL.com EV Root Certification Authority RSA R2
Expires: Fri May 30 21:14:37 2042
SHA1 hash: 743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A
Issued to: SSL.com EV Code Signing Intermediate CA RSA R3
Issued by: SSL.com EV Root Certification Authority RSA R2
Expires: Wed Mar 22 20:44:23 2034
SHA1 hash: D2953DBA95086FEB5805BEFC41283CA64C397DF5
Issued to: Findie Development Limited
Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
Expires: Fri Apr 29 23:51:29 2022
SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E
The signature is timestamped: Wed Apr 14 16:11:32 2021
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Mon Nov 10 03:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Timestamping CA
Issued by: DigiCert Assured ID Root CA
Expires: Tue Jan 07 15:00:00 2031
SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
Issued to: DigiCert Timestamp 2021
Issued by: DigiCert SHA2 Assured ID Timestamping CA
Expires: Mon Jan 06 03:00:00 2031
SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3
SignTool Error: No signature found.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Part of the build config
"win": {
  "target": [
    "dir",
    "nsis"
  ],
  "icon": "icon.ico",
  "extraFiles": [
    "bin/windows-64"
  ],
  "certificateSubjectName": "Findie Development Limited"
},
"nsis": {
  "oneClick": false,
  "installerIcon": "icon.ico",
  "uninstallerIcon": "icon.ico",
  "allowToChangeInstallationDirectory": true
},
Can you point us in a direction that may resolve our issue?
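A release gate for the failure reported in this issue, added here as an example (it is not part of the original post or of electron-builder): it parses the captured `signtool sign` and `signtool verify` output and rejects the artifact when verification reports errors, even though the sign step printed "Successfully signed". The function names `parseSigntool` and `checkRelease` are hypothetical, and the sample strings are abridged from the log quoted in the post.

```javascript
// Abridged from the signtool output quoted in the issue: sign step, then verify step.
const SIGN_OUTPUT = [
  'Successfully signed: C:\\Users\\Stefan\\Desktop\\QuickTrim-master\\out\\TinyVid-win-0.14.4.exe',
  'Number of files successfully Signed: 1',
  'Number of warnings: 0',
  'Number of errors: 0',
].join('\r\n');
const VERIFY_OUTPUT = [
  'Signature Index: 0 (Primary Signature)',
  'Issued to: Findie Development Limited',
  'Issued by: SSL.com EV Code Signing Intermediate CA RSA R3',
  'SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E',
  'The signature is timestamped: Wed Apr 14 16:11:32 2021',
  'SignTool Error: No signature found.',
  'Number of files successfully Verified: 0',
  'Number of warnings: 0',
  'Number of errors: 1',
].join('\r\n');

// Extract counters, error lines and certificate thumbprints from one signtool run.
function parseSigntool(output) {
  const count = (label) => {
    const m = output.match(new RegExp(`^\\s*Number of ${label}:\\s*(\\d+)`, 'mi'));
    return m ? Number(m[1]) : null; // null: counter absent, which fails the checks below
  };
  return {
    signed: count('files successfully Signed'),
    verified: count('files successfully Verified'),
    errors: count('errors'),
    errorLines: [...output.matchAll(/^\s*SignTool Error:\s*(.+)$/gim)].map((m) => m[1].trim()),
    sha1: [...output.matchAll(/^\s*SHA1 hash:\s*([0-9A-F]{40})\s*$/gim)].map((m) => m[1].toUpperCase()),
  };
}

// Gate the release on the verify run, not on the "Successfully signed" line.
function checkRelease(signOutput, verifyOutput, expectedThumbprint) {
  const sign = parseSigntool(signOutput);
  const verify = parseSigntool(verifyOutput);
  const reasons = [];
  if (sign.signed !== 1 || sign.errors !== 0) reasons.push('sign step did not report one signed file');
  if (verify.verified !== 1) reasons.push(`verify step verified ${verify.verified} file(s)`);
  if (verify.errors !== 0) reasons.push(`verify step reported ${verify.errors} error(s)`);
  for (const e of verify.errorLines) reasons.push(`signtool: ${e}`);
  if (!verify.sha1.includes(expectedThumbprint.toUpperCase())) reasons.push('expected thumbprint not in chain');
  return { ok: reasons.length === 0, reasons };
}

console.log(checkRelease(SIGN_OUTPUT, VERIFY_OUTPUT, 'F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E'));
```

In a real pipeline the two strings would be the captured stdout of the sign and verify commands, and a non-empty `reasons` list would stop the release before an unverifiable installer is published.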
Issue Analytics
- State:
- Created 2 years ago
- Comments:6
Top GitHub Comments
Wow, thank you. You just saved me from pulling out my hair. Just ordered the FIPS, hopefully this solves this once and for all.
Yes, it was the 5 NFC model and I believe we should have gotten the FIPS model. We settled on using an online signer provided by the EV certificate issuer, while our physical key is on its way from them.
Example here https://www.yubico.com/works-with-yubikey/catalog/ssl-manager/