Code Signing Certificate

Posted by Jason Liu

There’s an industry-wide change in where the private key of a code signing certificate must be stored. Most, if not all, CAs have adopted and announced this change; DigiCert’s notice, for example: https://knowledge.digicert.com/generalinformation/new-private-key-storage-requirement-for-standard-code-signing-certificates-november-2022.html

One common solution is to keep the private key in the CA’s HSM and use their cloud-based signing service. Generally we should never hand our private keys to anyone else. In this particular case it is acceptable, provided the key is used only for signing code and not for other purposes such as encryption, because the certificate for this key is issued by the CA anyway, so the CA already controls its legitimacy.

DigiCert has a long guide for this cloud-based signing solution, including CI/CD integration: https://docs.digicert.com/en/digicert-keylocker/get-started.html Some points to be aware of:

1. smksp_registrar.exe register errors:

BCryptRegisterProvider failed with error code 0xc0000022
BCryptAddContextFunction failed with error code 0xc0000022
BCryptAddContextFunctionProvider failed with error code 0xc0000022

solution:
  smctl credentials save <API key> <Client authentication certificate password>

2. smctl healthcheck failure:

Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

solution:
  Don’t use the set command to set these variables; instead, set them manually under “Environment Variables” (a value set with set only lives in that command prompt, so smctl run from elsewhere won’t see it)

set SM_HOST=https://clientauth.one.digicert.com
set SM_CLIENT_CERT_FILE=C:\my_path\Certificate_pkcs12.p12
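As an added example (not from the original post), this PowerShell script persists the two KeyLocker variables at Machine scope, which is the scripted equivalent of the “Environment Variables” dialog, and then reads back the persisted values rather than the current session’s copy, so you see what a freshly started smctl or agent process will see. The certificate path is the placeholder from the post; it needs an elevated session.

```powershell
# Added example, not part of the original post.
# `set NAME=value` in cmd changes only the current process. Writing the value at
# Machine scope stores it under HKLM so every later process inherits it.
# Requires an elevated PowerShell session. Path value is a placeholder.
$vars = [ordered]@{
    'SM_HOST'             = 'https://clientauth.one.digicert.com'
    'SM_CLIENT_CERT_FILE' = 'C:\my_path\Certificate_pkcs12.p12'   # placeholder path
}

foreach ($name in $vars.Keys) {
    $value = $vars[$name]
    if ($name -eq 'SM_CLIENT_CERT_FILE' -and -not (Test-Path -LiteralPath $value)) {
        Write-Warning "$name points at a file that does not exist: $value"
    }
    # Machine scope persists the value; processes started afterwards pick it up,
    # processes that are already running (including a running agent) do not.
    [Environment]::SetEnvironmentVariable($name, $value, 'Machine')
}

# Verify the persisted value, not $env:NAME, which only reflects this session.
foreach ($name in $vars.Keys) {
    $persisted = [Environment]::GetEnvironmentVariable($name, 'Machine')
    $status = if ($persisted -eq $vars[$name]) { 'OK' } else { 'MISSING' }
    '{0,-22} {1,-8} {2}' -f $name, $status, $persisted
}

# The API key and the PKCS#12 password are deliberately not written to
# environment variables here; `smctl credentials save` (point 1 above) stores
# them for the account that runs smctl.
```

Restart the agent (or the command prompt) after running this, since a process only reads the Machine-scope variables when it starts; then run smctl healthcheck again.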

3. “Azure pipeline cannot get thumbprint from local cert store” error:
cause:
  The Azure Pipelines Agent (OrgName.AgentPoolName.AgentName) Windows service cannot get the PowerShell result
solution:
  1. Make sure the certificates are synced to the key store with smksp_cert_sync.exe and check them in certmgr.msc
  2. Don’t run the agent as a Windows service; instead, run run.cmd in the agent folder
  3. Granting any permission to the certificate in “certlm.msc” won’t work

4. “Cannot find certificate” error:

##[error]C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Microsoft\VisualStudio\v17.0\OfficeTools\Microsoft.VisualStudio.Tools.Office.targets(164,9): Error : Cannot find the certificate that matches the project system thumbprint.  To sign the application and deployment manifests, open the Project Designer, click the Signing page tab, select an existing certificate, and try again.

solution:
  Don’t use a Microsoft-hosted agent; use a self-hosted agent that has access to the local certificate store. Remove the lines below from the pipeline YAML:

jobs:
  - job:
    pool:
      vmImage: "windows-latest"
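Points 3 and 4 both come down to the same question: can the account that runs the build see the certificate with the project’s thumbprint, and can it reach the private key through the KeyLocker KSP? The PowerShell check below is an added example (not from the original post or from DigiCert) that answers both for the account it runs under. The thumbprint is a placeholder; run it once interactively and once from the agent’s context (e.g. a pipeline PowerShell step), because a service account has its own CurrentUser store and its own KSP credentials.

```powershell
# Added example, not part of the original post. Verifies that a code signing
# certificate is reachable by thumbprint from the local stores and that its
# private key is served by a CNG key storage provider (KSP).
param(
    [string]$Thumbprint = 'REPLACE_WITH_PROJECT_THUMBPRINT'   # placeholder
)

"Running as: $env:USERDOMAIN\$env:USERNAME"
$wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$found = $false

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $cert = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { "not found in $store"; continue }
    $found = $true

    "found in $store"
    "  Subject       : $($cert.Subject)"
    "  NotAfter      : $($cert.NotAfter)"
    "  HasPrivateKey : $($cert.HasPrivateKey)"

    # The EKU must include Code Signing, or signtool/ClickOnce will not use it.
    $cs = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid }
    "  CodeSigning   : $([bool]$cs)"

    # For a KeyLocker certificate the private key lives in the CA's HSM; locally
    # it is only a CNG handle backed by the DigiCert KSP. If the handle cannot be
    # opened from this account, the sync or the credentials are the problem.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            "  KSP           : $($rsa.Key.Provider.Provider)"
        } elseif ($rsa) {
            "  Provider      : legacy CSP ($($rsa.GetType().Name))"
        } else {
            Write-Warning '  no private key handle available from this account'
        }
    } catch {
        Write-Warning "  private key not accessible: $($_.Exception.Message)"
    }
}

if (-not $found) {
    Write-Warning "thumbprint $wanted is in neither store for this account; run smksp_cert_sync.exe as this account"
}
```

If the certificate shows up interactively but not from the pipeline step, the build is running under a different account (the service account of point 3, or a hosted agent of point 4); that is exactly the case the two fixes above address.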

5. “internal consistency” error:

##[error]C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VisualStudio\v16.0\OfficeTools\Microsoft.VisualStudio.Tools.Office.targets(328,9): Error MSB3482: An error occurred while signing: An internal consistency check failed.

solution:

  • upgrade SignTool.exe to the one in the Windows 10 SDK
  • make sure the earlier steps are set up properly

    copy signtool.exe from (installed by winsdksetup.exe; there’s an MSI installer for SignTool):
      C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe
    to:
      C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\
    and check this registry key:
      Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\ClickOnce\SignTool
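The script below is an added example (not from the original post) that does the SignTool step in a checkable way: it reads the file version of both signtool.exe copies, dumps the values under the registry key the post says to check, and only then backs up and replaces the ClickOnce copy. The paths are the ones from the post; the SDK build number (10.0.22621.0) is whatever kit is installed, and the script needs an elevated session because the target is under Program Files (x86).

```powershell
# Added example, not part of the original post.
$sdkSignTool       = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool.exe'
$clickOnceDir      = 'C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool'
$clickOnceSignTool = Join-Path $clickOnceDir 'signtool.exe'
$regKey            = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\ClickOnce\SignTool'

function Get-SignToolVersion([string]$Path) {
    # Build a [version] from the numeric parts; FileVersion as a string may carry
    # a build tag that does not parse.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$sdkVer = Get-SignToolVersion $sdkSignTool
$curVer = Get-SignToolVersion $clickOnceSignTool
"SDK signtool      : $sdkVer"
"ClickOnce signtool: $curVer"

# Dump the key the post says to check, minus PowerShell's PS* bookkeeping
# properties, so the path ClickOnce resolves can be compared with $clickOnceDir.
if (Test-Path -Path $regKey) {
    Get-ItemProperty -Path $regKey | Select-Object * -ExcludeProperty PS* | Format-List
} else {
    Write-Warning "$regKey is not present"
}

if (-not $sdkVer) { throw "Windows 10 SDK signtool not found at $sdkSignTool" }
if ($curVer -and $curVer -ge $sdkVer) {
    "ClickOnce signtool is already $curVer; nothing to do"
    return
}

# Back up the existing binary before overwriting it.
New-Item -ItemType Directory -Path $clickOnceDir -Force | Out-Null
if (Test-Path -LiteralPath $clickOnceSignTool) {
    Copy-Item -LiteralPath $clickOnceSignTool -Destination "$clickOnceSignTool.bak" -Force
}
Copy-Item -LiteralPath $sdkSignTool -Destination $clickOnceSignTool -Force
'Replaced {0} with {1}' -f $curVer, (Get-SignToolVersion $clickOnceSignTool)
```

Keep the .bak file until a full build has signed successfully; if ClickOnce still reports MSB3482, re-check the earlier points (certificate synced, correct account, no Microsoft-hosted agent) before looking at SignTool again.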