SignTool.exe always failed with "Error: Store::ImportCertObject() failed." (-2146892987/0x80090345) on Windows 10 x64 version 1703.

infa...@gmail.com

Aug 29, 2017, 11:26:22 AM
Hello !

For two days I have been trying unsuccessfully to sign a file (tried on .msi and .exe) with a .PFX certificate and a known certificate password.

"C:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe" sign /f auth.pfx /p PASS arp.exe

Already done all the tricks like:

1. full access to All Users\Microsoft\Crypto\RSA\MachineKeys\
2. Registry key
3. Certificate import / export
4. Signing with exported .CER certificate.

What I mean is, it's possible to import the .PFX certificate and export it again (with the same key as the /p parameter for SignTool.exe). It is also possible to use the exported .CER certificate, but not the original or the (re)exported .PFX certificate. I've also tried to use the /n "NAME" and/or /sha1 parameters to identify the signing certificate within the .PFX file. Also tried /fd sha256. Nothing helps. I always get the following error:

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: Store::ImportCertObject() failed." (-2146892987/0x80090345)

What is wrong?

The following is a dump (without verbose -v) from CertUtil; sorry, but the output is in German:

================ Zertifikat 0 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 0:
Seriennummer: 3d78d7f9764960b2617df4f01eca862a
Aussteller: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US
Nicht vor: 10.12.2013 02:00
Nicht nach: 10.12.2023 01:59
Antragsteller: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Kein Stammzertifikat
Zertifikathash(sha1): 007790f6561dad89b0bcd85585762495e358f8a5
---------- Verschachtelungsebene 1 beenden ----------
Keine Informationen über den Schlüsselanbieter
Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden.

================ Zertifikat 1 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 1:
Seriennummer: 18dad19e267de8bb4a2158cdcc6b3b4a
Aussteller: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US
Nicht vor: 08.11.2006 02:00
Nicht nach: 17.07.2036 01:59
Antragsteller: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US
Signatur stimmt mit dem öffentlichen Schlüssel überein.
Stammzertifikat: Antragsteller stimmt mit Aussteller überein
Zertifikathash(sha1): 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
---------- Verschachtelungsebene 1 beenden ----------
Keine Informationen über den Schlüsselanbieter
Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden.

================ Zertifikat 2 ================
=========== Verschachtelungsebene 1 anfangen ==========
Element 2:
Seriennummer: 14e851a536e75744e41da278dadc383d
Aussteller: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Nicht vor: 03.07.2015 02:00
Nicht nach: 02.10.2018 01:59
Antragsteller: CN=xxx, O=xxx, L=xxx, S=xxx, C=DE
Kein Stammzertifikat
Zertifikathash(sha1): 8b5ef9215999e83c38d4668605759bfe105a7766
---------- Verschachtelungsebene 1 beenden ----------
Anbieter = Microsoft Enhanced Cryptographic Provider v1.0
Verschlüsselungstest wurde durchgeführt
CertUtil: -dump-Befehl wurde erfolgreich ausgeführt.

I've also taken a look into the registry: Microsoft Enhanced Cryptographic Provider v1.0 is listed under Cryptography->Defaults->Provider (I also found a .DLL in the right place), but it was not listed under Cryptography->Defaults->Provider Types. Even stranger, under [Type 001] "Microsoft Strong Cryptographic Provider" was listed as Name, so I changed it to "Microsoft Enhanced Cryptographic Provider v1.0" to test, but it does not help either.

So, now I have no idea what could be wrong.

Many thanks for considering my question.

Alex
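
Added example, not part of the original post: a small Python parser for the German `certutil -dump` layout shown above that picks out which PFX entry lists a key provider, plus a helper showing that the signed and hexadecimal error values in the SignTool message are the same HRESULT. The function names are hypothetical and the sample dump is constructed with placeholder values.

```python
import re

# Constructed sample in the layout of the German `certutil -dump` output above;
# names and hashes are placeholders, not values from the post.
SAMPLE = """\
================ Zertifikat 0 ================
Antragsteller: CN=Example Intermediate CA
Kein Stammzertifikat
Zertifikathash(sha1): 00112233445566778899aabbccddeeff00112233
Keine Informationen über den Schlüsselanbieter
================ Zertifikat 1 ================
Antragsteller: CN=Example Signer, C=DE
Kein Stammzertifikat
Zertifikathash(sha1): ffeeddccbbaa99887766554433221100ffeeddcc
Anbieter = Microsoft Enhanced Cryptographic Provider v1.0
CertUtil: -dump-Befehl wurde erfolgreich ausgeführt.
"""

def parse_dump(text):
    """Return one dict per certificate: subject, sha1, is_root, provider."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"=+ Zertifikat \d+ =+$", line):
            certs.append(dict(subject=None, sha1=None, is_root=False, provider=None))
        elif not certs:
            continue  # ignore anything before the first certificate header
        elif line.startswith("Antragsteller:"):
            certs[-1]["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("Zertifikathash(sha1):"):
            certs[-1]["sha1"] = line.split(":", 1)[1].replace(" ", "").lower()
        elif line.startswith("Stammzertifikat:"):
            certs[-1]["is_root"] = True  # "Kein Stammzertifikat" does not match
        elif line.startswith("Anbieter ="):
            certs[-1]["provider"] = line.split("=", 1)[1].strip()
    return certs

def signing_candidates(certs):
    """Entries that list a key provider; the others report no provider info."""
    return [c for c in certs if c["provider"]]

def hresult_parts(signed_value):
    """Split a signed 32-bit HRESULT into (hex, facility, code); 9 is FACILITY_SSPI."""
    u = signed_value & 0xFFFFFFFF
    return f"0x{u:08x}", (u >> 16) & 0x7FF, u & 0xFFFF

if __name__ == "__main__":
    for c in signing_candidates(parse_dump(SAMPLE)):
        print(c["subject"], c["sha1"], c["provider"])
    print(hresult_parts(-2146892987))
```

The thumbprint of the entry it reports is the value to pass to SignTool's `/sha1` option when the certificate is selected from a store.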
