How to include entire certification path when signing code with signtool?
If you use Thawte then download their primaryca.cer.
Download to file primaryca.cer and sign your file with:
signtool sign /f certificate.pfx /p PASSWORD /ac primaryca.cer APP.exe
Should work.
Use /ac and pass the filename of the .cer in which your certificate is rooted (for Verisign it was called MSCV-VSClass3.cer last time I checked when signing kernel code or other special code).
signtool.exe sign /v /f "Avatar.pfx" /ac "Thawte Code Signing CA - G2.cer" -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe
This should be given by your CA. Usually MS offers bundles for the various CAs it accepts within Windows.
See:
- Windows root certificate program members
- Cross-Certificates for Kernel Mode Code Signing
Either way, to my knowledge this is only required for kernel code and very specific other things (e.g. Windows Security Center).
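To confirm that the certificate passed with /ac was actually used, sign and then verify under both the default Authenticode policy and the kernel-mode policy. The script below is an added example, not code from either answer; the file names and timestamp URL are the ones used in the answers, and the SIGN_PFX_PASSWORD environment variable is a hypothetical name chosen so the PFX password is not hard-coded in the script.

```powershell
# Added example: sign with an additional (cross) certificate, then verify the chain.
# File names and the timestamp URL follow the answers above; replace them with your own.
param(
    [string]$Pfx          = 'certificate.pfx',
    [string]$CrossCert    = 'primaryca.cer',   # .cer supplied by your CA
    [string]$Target       = 'APP.exe',
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timstamp.dll'
)

# Fail early if any input is missing, before signtool is invoked.
foreach ($f in $Pfx, $CrossCert, $Target) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Hypothetical variable name; keeps the PFX password out of the script itself.
$password = $env:SIGN_PFX_PASSWORD
if (-not $password) { throw 'Set SIGN_PFX_PASSWORD before running.' }

# /ac adds the given certificate to the signature block so the full path is embedded.
& signtool.exe sign /v /f $Pfx /p $password /ac $CrossCert /t $TimestampUrl $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# /pa = default Authenticode verification policy
# /kp = kernel-mode driver signing policy (needs the cross-certificate chain)
$results = foreach ($policy in '/pa', '/kp') {
    $out = & signtool.exe verify /v $policy $Target
    $ok  = ($LASTEXITCODE -eq 0)

    # Show each certificate in the chains signtool reports for this policy.
    Write-Host "--- verify $policy ---"
    $out | Select-String -Pattern 'Issued to' | ForEach-Object { Write-Host $_.Line.Trim() }

    [pscustomobject]@{ Policy = $policy; Passed = $ok; ExitCode = $LASTEXITCODE }
}

$results | Format-Table -AutoSize

# /kp is expected to fail for files that were never meant to load in kernel mode
# or that were signed without a cross-certificate; /pa failing means the
# signature itself does not chain to a trusted root on this machine.
if (-not ($results | Where-Object { $_.Policy -eq '/pa' }).Passed) {
    throw 'Authenticode verification failed.'
}
```

Run it from a Developer Command Prompt or any shell where signtool.exe is on the PATH.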