Painful lessons I had to learn again and again

Since this is something I’ve stumbled over several times now, and since Microsoft’s documentation discusses it only as if the sole option were to import the certificate into your own store, i.e. within your user account, here it is for the record. I was going to have a designated signing machine with some other precautions in place, and every user allowed onto that machine should also be allowed to sign code. So how do I import the certificate so that it can be used for code signing regardless of the user account? The solution is remarkably trivial:

certutil -importPFX your.pfx

instead of the canonical

certutil -user -importPFX your.pfx

that Microsoft mentions all over its documentation. After that, you can tell signtool

signtool sign ... /sm ... file

to pick a valid code-signing certificate from the machine store (/sm); left to itself, it takes the one with the latest expiry date. If you prefer to control which particular certificate gets picked, pass its hash or other traits that help signtool figure out which one you mean.
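The whole procedure as one script, added here as an example rather than taken from the post: import into the machine store, confirm the certificate and its private key actually landed there, and pin the exact certificate by thumbprint instead of letting signtool choose. The paths `.\your.pfx` and `.\build\app.exe` and the timestamp URL are placeholders.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell:
# importing into the machine store needs administrator rights.
$pfx    = ".\your.pfx"        # placeholder: the code-signing certificate bundle
$target = ".\build\app.exe"   # placeholder: the file to sign
$tsa    = "http://timestamp.example/"   # placeholder: your timestamp server

# Machine store, i.e. no -user switch. certutil prompts for the PFX password.
certutil -importPFX $pfx
if ($LASTEXITCODE -ne 0) { throw "certutil import failed (exit code $LASTEXITCODE)" }

# Check: a code-signing certificate with a private key must now be in LocalMachine\My.
# Prefer the latest expiry, which mirrors what signtool /sm does on its own.
$cert = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "no usable code-signing certificate in the machine store" }
Write-Host "Signing with $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Pin the certificate with /sha1 so a second, unrelated certificate in the
# store can never be picked by accident; /fd and /td select SHA-256 digests.
signtool sign /sm /sha1 $cert.Thumbprint /fd SHA256 /tr $tsa /td SHA256 $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Verify against the default Authenticode policy so a broken chain shows up now.
signtool verify /pa /v $target
if ($LASTEXITCODE -ne 0) { throw "signature did not verify" }
```

Accounts other than the one that imported the PFX can only use the key if its ACL lets them; that is set per key under certlm.msc (All Tasks, Manage Private Keys), which is also where you keep the list of who may sign short.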

// Oliver
