SignTool Error

[lukas-fichtner]

• Version: 20.20.4

• Target: windows / squirrel

I want to sign my code with my own cert (now accepted by windows, it means no security warning from Smart Screen, so I don't need a verified cert at the moment).

This is not my first code sign and therefore I was very surprised when I got this error:
"SignTool Error: The specified private key container was not found."
(winCodeSign version: 2.1.0). I've been using an older electron builder version for a long time now and think there was a change.

Anybody have any idea what that might be?
For your information, in the package.json certificateFile and certificate Password are defined and have not been changed since the last successful code sign. Cert's information is also recognized and output correctly: http://prntscr.com/k5tq1z

[develar]

Please set env DEBUG=electron-builder and attach log of the terminal output.
https://www.electron.build/#debug

I've been using an older electron builder version for a long time now

Which one?

[lukas-fichtner]

I tested it now on the old version too without success :(

Here is the Error Code: http://prntscr.com/k68jif
(the same error on the winCodeSign version 2.1.0 and the newest electron-builder)
Here is my build config: http://prntscr.com/k68k69

Or did you need something else?
Thanks for any help

[develar]

Are you sure that cert is not It expired?

[lukas-fichtner]

No its not expired, look here again: https://prnt.sc/k5tq1z

[richard-ive-m4]

I am having the same issue.

I was successfully able to built and sign two weeks ago. Came to pick up my project today and unfortunately, it's no longer working.

Same comment on the certificate expiry: it's brand new and does not expire until 2020.

[richard-ive-m4]

So, I can't explain why, but commenting out this line

electron-builder/packages/electron-builder-lib/src/windowsCodeSign.ts

Line 215 in e7ff5e8

args.push(isWin ? "/fd" : "-h", options.hash)

fixes the issue for NSIS builds.

[develar]

@richard-ive-m4 Please do not comment this line, it is critically important. Please try to set rfc3161TimeStampServer option:

"build": {
  "win": {
    "rfc3161TimeStampServer": "http://timestamp.comodoca.com/rfc3161"
  }
}

Does it help?

[lukas-fichtner]

No, it doesn't work on me.

[richard-ive-m4]

Nope, didn't work I'm afraid.

I can see that it has correctly changed the timestamp server in the debug message, but I still get "SignTool Error: The specified private key container was not found."

Can you explain why /fd is so important?

[develar]

What is your windows version?

[richard-ive-m4]

ver

Microsoft Windows [Version 10.0.17134.165]

[develar]

Without /fd your app will be signed only with SHA1 — but this digest algo is compromised and deprecated.

[develar]

Do you use latest electron-builder?

[lukas-fichtner]

yes I updated electron-builder today, win10 pro version 10.0.17134

[develar]

Ok... I have no clue anymore... @Xedon420 I your config I see that you use Squirrel.Windows, @richard-ive-m4 but you use NSIS, right?

[richard-ive-m4]

Yes.

I'm running

Windows

10.0.17134.165

electron-builder

>npm ls electron-builder
[email protected] D:\users\richard\dev\netcourier-quick-ship
`-- [email protected]

[richard-ive-m4]

"build": {
"win": {
"rfc3161TimeStampServer": "http://timestamp.comodoca.com/rfc3161",
"target": [
{
"target": "nsis",
"arch": [
"x64",
"ia32"
]
}
],

[lukas-fichtner]

Squirrel:
http://prntscr.com/k7mlya

[lukas-fichtner]

or do you need something else? @develar

[develar]

Please try electron-builder 20.23.0 signtool updated latest win 10 sdk 10.0.17134.0 Maybe it will help.

[lukas-fichtner]

I'm sorry didn't work out again. (the same error)

electron-builder at 20.23.0 and downloaded the winCodeSign tool to version 2.2.0

[richard-ive-m4]

It now fails during the inital download of signtool

To ensure your native dependencies are always matched electron version, simply add script `"postinstall": "electron-builder install-app-deps" to your `package.json`
  • writing effective config file=dist\builder-effective-config.yaml
  • rebuilding native production dependencies platform=win32 arch=x64
  • packaging       platform=win32 arch=x64 electron=2.0.5 appOutDir=dist\win-unpacked
  • rebuilding native production dependencies platform=win32 arch=ia32
  • packaging       platform=win32 arch=ia32 electron=2.0.5 appOutDir=dist\win-ia32-unpacked
  • building        target=nsis file=dist\NetCourier Quick Ship Setup 0.0.17.exe archs=x64, ia32 oneClick=false
  • signing         file=dist\win-ia32-unpacked\resources\elevate.exe certificateFile=D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx
  • signing         file=dist\win-unpacked\resources\elevate.exe certificateFile=D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx
  • downloading               path=C:\Users\Richard\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-2.2.0 url=https://github.com/electron-userland/electron-builder-binaries/releases/download/winCodeSign-2.2.0/winCodeSign-2.2.0.7z
  • downloading               parts=1 size=4.6 MB url=https://github-production-release-asset-2e65be.s3.amazonaws.com/65527128/3e14fe7e-8a02-11e8-9080-ff33360f54cd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180717%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180717T192252Z&X-Amz-Expires=300&X-Amz-Signature=6801dfe10703e2c73790d29037f353a76f80de22d9b87f918a9f4d579c256ffc&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DwinCodeSign-2.2.0.7z&response-content-type=application%2Foctet-stream
Error: Exit code: 1. Command failed: C:\Users\Richard\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-2.2.0\windows-10\x64\signtool.exe sign /tr http://timestamp.comodoca.com/rfc3161 /f D:\users\richard\dev\netcourier-quick-ship\metafour-codesign.pfx /fd sha256 /td sha256 /d NetCourier Quick Ship /du https://github.com/richard-ive-m4/netcourier-quick-ship /as /p b2a2 /debug D:\users\richard\dev\netcourier-quick-ship\dist\win-unpacked\resources\elevate.exe
SignTool Error: The specified private key container was not found.


The following certificates were considered:
    Issued to: XXXX.
    Issued by: thawte SHA256 Code Signing CA
    Expires:   Thu Jul 09 00:59:59 2020
    SHA1 hash: 1241412

    Issued to: thawte Primary Root CA
    Issued by: thawte Primary Root CA
    Expires:   Thu Jul 17 00:59:59 2036
    SHA1 hash: 124124

    Issued to: thawte SHA256 Code Signing CA
    Issued by: thawte Primary Root CA
    Expires:   Sun Dec 10 00:59:59 2023
    SHA1 hash: 1241244

After EKU filter, 3 certs were left.
After expiry filter, 3 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: XXX
    Issued by: thawte SHA256 Code Signing CA
    Expires:   Thu Jul 09 00:59:59 2020
    SHA1 hash: 12414


The following additional certificates will be attached:
    Issued to: thawte SHA256 Code Signing CA
    Issued by: thawte Primary Root CA
    Expires:   Sun Dec 10 00:59:59 2023
    SHA1 hash: 124124

Done Adding Additional Store

SignTool Error: The specified private key container was not found.

[develar]

Will be fixed / investigated this week.

[richard-ive-m4]

Hi @develar. We you able to get to the bottom of this? Happy to help in any way I can.

[develar]

Not yet. But our CI test fails with the same error. Issue on my radar.

[lukas-fichtner]

is there now a solution to the problem?

[richard-ive-m4]

So I'm afraid this isn't overly helpful for everyone, but I have been able to sign correctly using electron-builder.

I noticed that the Windows docs (https://docs.microsoft.com/en-us/windows/desktop/seccrypto/signtool) says:

If you want to perform dual signing and make SHA256 catalogs, you must include those files and the following additional files:

Makecat.exe
Makecat.exe.manifest
Microsoft.Windows.Build.Signing.mssign32.dll.manifest
Mssign32.dll (downlevel version)
Signtool.exe
Signtool.exe.manifest

So I:

1. Downloaded Windows 10 SDK which created C:\Program Files (x86)\Windows Kits\10\bin\x64
2. Manually modified https://github.com/electron-userland/electron-builder/blob/v20.23.0/packages/electron-builder-lib/src/windowsCodeSign.ts#L275 by replacing the return with:return "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\signtool.exe"
3. Ran build which worked

[develar]

@richard-ive-m4 You are hero, thanks a lot :) F*** MS :(

[lukas-fichtner]

Unfortunately the solution doesn't work for me...
I just updated the electron-builder version to 20.28.2 and wanted to build but still get the same error...

Then I downloaded the Windows SDK and tested it again with the version "10.0.17134.0", but also here the same error. Currently I have Windows 10 build 17134.228 installed

[navossoc]

I had a similar issue to yours. I have spent one day trying to figure it out.

Not sure if your problem is the exact same as mine, but in any case, here is what I did:

%USERPROFILE%\AppData\Roaming\Microsoft\Crypto\Keys
%USERPROFILE%\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX

I sorted the files by date and realized that there were three files with the same date as the day I tried to add the certificates to my storage (one for each cert).
(I'm sorry, but I can't find any relationship between the file names and the certificates like thumbprint or serial, so sorting by date was my best shot)

For some malicious reason (I call it Microsoft), when I deleted the certificates it seems that my private keys ended up staying on my system.

So, after removing the certificates on the "user certificates (mmc)" and removing the private keys on both folders, I did a reboot (just in case) and voilà, everything is working properly now.

PS: My problem was not related to this project, just with Microsoft signing tools.

[jmeinke]

Also have a look at https://stackoverflow.com/a/31138059/4549776
There were 5 (!) different signtool versions installed on the system.

Here is another solution related to a problem with codesigning using electron builder on Travis Windows builds: https://travis-ci.community/t/codesigning-on-windows/1385