Why does signtool.exe only find certificate when run as admin?

Similar to what @Baget said, I'd compare the certificates on your machine to that of your colleague who can successfully run the SignTool.exe command without the elevation token. Here's a chunk of PowerShell to assist you:

# Walk every certificate store in every location (CurrentUser and LocalMachine)
# and print the location, store and thumbprint of each certificate from the
# expected issuer, so two machines can be diffed side by side.
Get-ChildItem -Path Cert:\ | ForEach-Object {
    $location = $_.Location
    foreach ($store in $_.StoreNames.Keys) {
        Get-ChildItem -Path "Cert:\$location\$store" | ForEach-Object {
            $thumb  = $_.Thumbprint
            $issuer = $_.Issuer

            if ($issuer -eq "CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE") {
                Write-Host "$location $store $thumb $issuer"
            }
        }
    }
}

Bear in mind that the output of the above may differ slightly if you run as a normal user and 'run as admin'.

Finally, do you and your colleague have the same UAC settings?
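Listing the certificate is only half the check: signtool.exe also has to open the private key, and a certificate that shows up in the store but whose key cannot be opened by the non-elevated token is the usual reason signing only works "as admin". The following added example (not code from the answer above) runs from an ordinary command prompt, finds certificates by the same issuer DN used above (a placeholder, not a real issuer), and tries a test signature so that a key the current user is not allowed to use shows up as an error rather than as a green listing. It assumes Windows PowerShell 5.1 and an RSA key.

```powershell
# Added example, not part of the original answer. Run from a NON-elevated prompt
# as the user who will invoke signtool.exe.
$IssuerDN = 'CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE'   # placeholder DN from the answer

$results = foreach ($loc in 'CurrentUser', 'LocalMachine') {
    foreach ($cert in Get-ChildItem -Path "Cert:\$loc\My" | Where-Object Issuer -eq $IssuerDN) {
        $keyState = if (-not $cert.HasPrivateKey) {
            'no private key in this store'
        } else {
            try {
                # GetRSAPrivateKey opens the key container; an ACL that excludes this
                # user fails here (or at SignData) with a CryptographicException.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    'non-RSA key (not checked)'
                } else {
                    # Force a real key operation: sign 16 constructed bytes.
                    $null = $rsa.SignData([byte[]](1..16),
                                          [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                                          [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                    'key usable by this user'
                }
            } catch {
                "key NOT usable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Location   = $loc
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            PrivateKey = $keyState
        }
    }
}

$results | Format-Table -AutoSize
```

Run it once as yourself and once from an elevated prompt; if the same LocalMachine certificate reports "key NOT usable" only in the first run, the problem is the private key ACL rather than the certificate store, which is what the next answer fixes.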


I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.

  • Run 'mmc' and add the 'Certificates' snap-in
  • Select the correct key store location
    • (mine is in Local Computer so I select 'Computer account' here)
  • Find and select the certificate
  • Right click on the certificate, select All Tasks > Manage Private Keys...


  • In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.

Managing Certificate Permissions

  • Note: If you use a build machine, do the above steps for the account that performs the builds.
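The mmc steps above edit the ACL on the key file that backs the certificate's private key. The same change can be scripted, which is handy for a build machine where you want it repeatable. The following added example (not code from the answer above) locates that key file for a certificate in LocalMachine\My and adds an Allow entry for a given account. It assumes Windows PowerShell 5.1 on Windows, a software (non-hardware) RSA key, and the two default machine key directories; $Thumbprint and $Account are placeholders to fill in. It grants Read by default, which is enough for signing; pass -Rights FullControl to match the dialog setting in the answer.

```powershell
# Added example, not part of the original answer. Run ONCE from an elevated
# prompt; afterwards signing works from a normal prompt for $Account.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # placeholder: thumbprint of the signing cert
    [Parameter(Mandatory)] [string] $Account,      # placeholder: e.g. 'DOMAIN\builduser'
    [System.Security.AccessControl.FileSystemRights] $Rights = 'Read'   # Read is enough to sign
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in LocalMachine\My."
}

# Work out the on-disk key file name. Legacy CSP (CAPI) keys and CNG keys
# expose it differently and live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'Only RSA keys are handled by this example.' }

if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName      # CSP key
} else {
    $keyName = $rsa.Key.UniqueName                                  # CNG key (RSACng)
}

# Assumed default machine key locations (CSP first, then CNG).
$keyDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$keyPath = $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) {
    throw "Key file '$keyName' not found under the machine key directories (hardware or user-scoped key?)."
}

# Append an Allow ACE for the account; existing entries (SYSTEM, Administrators) are kept.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting ACL so the new entry can be confirmed.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Because the change is an ACL on a file under ProgramData, it survives reboots but not re-importing the certificate with a new key container, so re-run the script after replacing the certificate.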