Home/ Questions/Q 6123291
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T15:59:54+00:00

How can i include the entire certification path when signing code using signtool ?

  • 0

How can i include the entire certification path when signing code using signtool?

Older versions of signtool would include the entire certification path in a digital signature. As it is now if i sign an executable with signtool:

signtool.exe" sign /v /f avatar.pfx -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

the signature is not valid:

enter image description here

This is because there is no certification path:

enter image description here

Binaries signed with the older version of signtool worked fine:

enter image description here

How do i tell signcode to include the entire certification path when signing?

What is the proper way to sign a binary?

Update: SignTool version 6.1.7600.16385:

enter image description here

See also

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use /ac and pass the filename of the .cer in which your certificate is rooted (for Verisign it was called MSCV-VSClass3.cer last time I checked when signing kernel code or other special code). 

    signtool.exe sign /v /f "Avatar.pfx" 
      /ac "Thawte Code Signing CA - G2.cer" 
      -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

    This should be given by your CA. Usually MS offers bundles for the various CAs it accepts within Windows.

    See:

    Either way, to my knowledge this is only required for kernel code and very specific other things (e.g. Windows Security Center).

    • 0