Why does signtool.exe only find certificate when run as admin?
Similar to what @Baget said, I'd compare the certificates on your machine to that of your colleague who can successfully run the SignTool.exe command without the elevation token. Here's a chunk of PowerShell to assist you:
```powershell
# Walk every store location (CurrentUser, LocalMachine) and every store name,
# printing the ones that hold a certificate from the issuer of interest.
Get-ChildItem -Path Cert:\ | ForEach-Object {
    $location = $_.Location
    foreach ($store in $_.StoreNames.Keys) {
        Get-ChildItem -Path "Cert:\$location\$store" | ForEach-Object {
            $thumb  = $_.Thumbprint
            $issuer = $_.Issuer
            if ($issuer -eq "CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE") {
                Write-Host "$location $store $issuer"
            }
        }
    }
}
```
Bear in mind that the output of the above may differ slightly if you run as a normal user and 'run as admin'.
Finally, do you and your colleague have the same UAC settings?
I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.
- Run 'mmc' and add the 'Certificates' snap-in
- Select the correct key store location
- (mine is in Local Computer so I select 'Computer account' here)
- Find and select the certificate
- Right click on the certificate, select All Tasks > Manage Private Keys...
- In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.
- Note: If you use a build machine, do the above steps for the account that performs the builds.
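The MMC walkthrough above can be scripted, which is handy on a build machine where you want the change to be reviewable and repeatable. The following is an added example and not code from either answer: it locates the private key file that backs a certificate in LocalMachine\My, prints its current ACL so you can see why a non-elevated signtool.exe cannot reach it, and, only when `-Grant` is passed, adds an access rule for the given account. The thumbprint and account are placeholders you supply; the `$Thumbprint`, `$Account` and `$Grant` parameter names are this example's own. It grants Read rather than Full Control, since signing only needs to read the key, and it must itself be run elevated once to change the ACL.

```powershell
# Added example: scripted equivalent of "Manage Private Keys..." for a LocalMachine\My certificate.
# Assumptions: thumbprint and account are supplied by the caller; run elevated to apply -Grant.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # e.g. taken from Get-ChildItem Cert:\LocalMachine\My
    [Parameter(Mandatory)] [string] $Account,      # e.g. 'DOMAIN\buildsvc' (placeholder)
    [switch] $Grant                                # without -Grant the script only reports
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

# Resolve the on-disk key container name. Legacy CAPI keys expose it through
# CspKeyContainerInfo; CNG keys need the RSA extension method (PowerShell 5.1+).
$uniqueName = $null
try {
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $uniqueName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    }
} catch { }
if (-not $uniqueName) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -and $rsa.Key) { $uniqueName = $rsa.Key.UniqueName }
}
if (-not $uniqueName) { throw "Could not determine the private key container name" }

# Machine keys live under ProgramData; CAPI and CNG use different subfolders.
$candidates = @(
    Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
) | ForEach-Object { Join-Path $_ $uniqueName }
$keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $uniqueName not found under $env:ProgramData\Microsoft\Crypto" }

Write-Host "Certificate : $($cert.Subject)"
Write-Host "Key file    : $keyFile"
Write-Host "Current ACL :"
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($Grant) {
    # Read is sufficient for signtool.exe; it is narrower than Full Control.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on $keyFile to $Account"
}
```

Run it once without `-Grant` from a normal and from an elevated prompt: if the account you sign with is absent from the ACL, that is the reason the non-elevated run cannot find a usable key. After applying `-Grant` for the build account, signtool.exe can sign from an ordinary command prompt, and the ACL entry is the only change made.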