Signing with EV certificate results in "SignTool Error: No signature found."

  • Version: 22.10.5
  • Electron Version: 9.0.0

  • Electron Type (current, beta, nightly): current

  • Which version of electron-updater are you using (if applicable)?: 4.3.8

  • Target: Windows

Hi!

We’re trying to sign using an EV Cert on a YubiKey.

While building, the signing appears successful but checking the output after the build finishes results in an error.

Build Log extract

  • executing       file=powershell.exe args=Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint | ConvertTo-Json -Compress
  • executed        file=powershell.exe stdout=
                      {"Subject":"OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=Findie Development Limited, SERIALNUMBER=09384486, O=Findie Development Limited, L=London, C=GB","PSParentPath":"Microsoft.PowerShell.Security\\Certificate::CurrentUser\\My","Thumbprint":"F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E"}

  • auto-detect certificate store  store=My PSParentPath=Microsoft.PowerShell.Security\Certificate::CurrentUser\My
  • auto-detect using of LocalMachine store

....

  • signing         file=out\TinyVid-win-0.14.4.exe subject=OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=Findie Development Limited, SERIALNUMBER=09384486, O=Findie Development Limited, L=London, C=GB thumbprint=F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E store=My user=current user
 
....

  • executing       file=C:\Users\Stefan\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\signtool.exe args=sign /tr http://timestamp.digicert.com /sha1 F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E /s My /fd sha256 /td sha256 /d TinyVid /as /debug C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe env={}
  • executed        file=C:\Users\Stefan\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\signtool.exe stdout=

                      The following certificates were considered:
                          Issued to: Findie Development Limited
                          Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
                          Expires:   Fri Apr 29 23:51:29 2022
                          SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E

                      After EKU filter, 1 certs were left.
                      After expiry filter, 1 certs were left.
                      After Hash filter, 1 certs were left.
                      After Private Key filter, 1 certs were left.
                      The following certificate was selected:
                          Issued to: Findie Development Limited
                          Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
                          Expires:   Fri Apr 29 23:51:29 2022
                          SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E

                      Done Adding Additional Store
                      Successfully signed: C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe

                      Number of files successfully Signed: 1
                      Number of warnings: 0
                      Number of errors: 0

Verifying the signature: signtool.exe verify /debug /pa C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe

Verifying: C:\Users\Stefan\Desktop\QuickTrim-master\out\TinyVid-win-0.14.4.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha1): 45B356293E6237C387EE4C84E3CE1688CCC2E6BC

Signing Certificate Chain:
    Issued to: SSL.com EV Root Certification Authority RSA R2
    Issued by: SSL.com EV Root Certification Authority RSA R2
    Expires:   Fri May 30 21:14:37 2042
    SHA1 hash: 743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A

        Issued to: SSL.com EV Code Signing Intermediate CA RSA R3
        Issued by: SSL.com EV Root Certification Authority RSA R2
        Expires:   Wed Mar 22 20:44:23 2034
        SHA1 hash: D2953DBA95086FEB5805BEFC41283CA64C397DF5

            Issued to: Findie Development Limited
            Issued by: SSL.com EV Code Signing Intermediate CA RSA R3
            Expires:   Fri Apr 29 23:51:29 2022
            SHA1 hash: F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E

The signature is timestamped: Wed Apr 14 16:11:32 2021
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 03:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 15:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: DigiCert Timestamp 2021
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Mon Jan 06 03:00:00 2031
            SHA1 hash: E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3

SignTool Error: No signature found.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1


Part of the build config

    "win": {
      "target": [
        "dir",
        "nsis"
      ],
      "icon": "icon.ico",
      "extraFiles": [
        "bin/windows-64"
      ],
      "certificateSubjectName": "Findie Development Limited"
    },
    "nsis": {
      "oneClick": false,
      "installerIcon": "icon.ico",
      "uninstallerIcon": "icon.ico",
      "allowToChangeInstallationDirectory": true
    },

Can you point us in a direction that may resolve our issue?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6

Top GitHub Comments

ahadcove commented, Nov 4, 2021 (1 reaction)

Closing this as it appears to be an issue between signtool.exe and the physical key configuration.

hey, what was the issue here. I think we’re running into the same issue as you, but we haven’t found a solution yet

Our physical yubikey model was incapable of holding EV certificates for signing

Oh wow, did you have the 5 NFC? And which one did you end up getting?

Yes, it was the 5 NFC model and I believe we should have gotten the FIPS model. We settled on using an online signer provided by the EV certificate issuer, while our physical key is on its way from them.

Example here https://www.yubico.com/works-with-yubikey/catalog/ssl-manager/

Wow thank you. You just saved me from pulling out my hair. Just ordered the fips, hopefully this solves this once and for all

legraphista commented, Nov 4, 2021 (0 reactions)

Closing this as it appears to be an issue between signtool.exe and the physical key configuration.

hey, what was the issue here. I think we’re running into the same issue as you, but we haven’t found a solution yet

Our physical yubikey model was incapable of holding EV certificates for signing

Oh wow, did you have the 5 NFC? And which one did you end up getting?

Yes, it was the 5 NFC model and I believe we should have gotten the FIPS model. We settled on using an online signer provided by the EV certificate issuer, while our physical key is on its way from them.

Example here https://www.yubico.com/works-with-yubikey/catalog/ssl-manager/
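
The build log in this issue ends with "Successfully signed" while a later `signtool verify /pa` on the same file fails, so a release pipeline should gate on verifying the finished artifact rather than on the signing step's output. The following is an added example of such a gate in PowerShell, not code from the issue or from electron-builder; the function name, its parameters and the assumption that `signtool.exe` is on PATH are hypothetical.

```powershell
# Added example: post-sign verification gate for a build artifact.
# Test-ArtifactSignature and its parameters are hypothetical names.
function Test-ArtifactSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        [string] $SignTool = 'signtool.exe'   # assumption: resolvable via PATH
    )
    $problems = @()

    # 1. Windows' own view of the embedded Authenticode signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "Authenticode status '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. The signer must be the certificate the build was configured to use.
    $actual = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '<none>' }
    if ($actual -ne $ExpectedThumbprint) {
        $problems += "Signer thumbprint $actual does not match expected $ExpectedThumbprint"
    }

    # 3. Without a timestamp the signature stops validating when the cert expires.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'Signature carries no timestamp'
    }

    # 4. Same check the issue runs by hand; a non-zero exit code fails the gate
    #    even when the earlier "sign" step reported zero errors.
    $output = & $SignTool verify /pa $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        $problems += "signtool verify exited $LASTEXITCODE`: $($output | Select-Object -Last 1)"
    }

    [pscustomobject]@{ Path = $Path; Passed = ($problems.Count -eq 0); Problems = $problems }
}

# Usage with the artifact path and thumbprint shown in the build log above.
$artifact = 'out\TinyVid-win-0.14.4.exe'
if (Test-Path -LiteralPath $artifact) {
    $result = Test-ArtifactSignature -Path $artifact `
        -ExpectedThumbprint 'F1A971DD61C0485EF9CE962AB9DFCBF29517FE1E'
    if (-not $result.Passed) {
        $result.Problems | ForEach-Object { Write-Error $_ }
        exit 1
    }
}
```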
