Why I get "The specified PFX password is not correct" when trying to sign application with signtool?

Question

I followed this link to sign my exe application.

• I installed SDK tool on Windows 7,

• run C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin>makecert.exe -sv App-O.pvk -n "CN=MY DIGITAL KEY" App-O.cer

Dialog opened to provide password:

I wrote password : 'fess'

new window opened:

I entered: 'fess'

#Succeeded

files App-O.cer and App-O.pvk creaded.

now I generate pfx:

pvk2pfx.exe -pvk App-O.pvk -spc App-O.cer -pfx App-O.pfx

Dialog opened to provide password:

i pasted 'fess'

file pfx created.

Now i run signtool:

 C:\Program Files\Microsoft SDKs\Windows\v6.1\Bin>signtool.exe sign /f "App-O.pfx" /p fess "C:\Output\setup.exe"

Here I got the error:

SignTool Error: The specified PFX password is not correct.

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

What did I miss?

BTW, the same error I get from CMD shell of Windows SDK.

Thanks,

Answer 1

There are a couple of problems.

First of all you are using self-signed certificate, so you should define it explicitly by adding -r key to makecert command or you'll get an error "The signer's certificate is not valid for signing" at sign step.

Next, at this step

signtool.exe sign /f "App-O.pfx" /p fess "C:\Output\setup.exe"

you are trying to open pfx using password "fess". But you actually didn't set any password for pfx file. To do it you should add -po key to pfx creation command.

After that you can sign your application.

So the correct process will be:

makecert.exe -sv App-O.pvk -n "CN=MY DIGITAL KEY" App-O.cer -r

pvk2pfx.exe -pvk App-O.pvk -spc App-O.cer -pfx App-O.pfx -po fess

signtool.exe sign /f "App-O.pfx" /p fess "C:\Output\setup.exe"

Here is some useful links:

• How to create certificate: http://msdn.microsoft.com/en-us/library/ff699202.aspx
• pvk2pfx command keys: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672%28v=vs.85%29.aspx
• signtool command keys: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387764%28v=vs.85%29.aspx
• How to sign a file: http://msdn.microsoft.com/en-us/library/windows/desktop/aa388170%28v=vs.85%29.aspx

Answer 2

Just stumbled accross this question when receiving a similar error with a DigiCert code signing certificate just on some machines.

Turns out I had selected SHA256 encryption instead of TripleDES-SHA1 when exporting the certificate and one of our build machines is still running Windows Server 2012 R2. This OS is obviously not capable of decrypting the certificate then, resulting in the same (irritating in this case) error message.

UPDATE: The same behaviour also occurs on Azure Devops classic pipelines using Hosted VS2017 pipeline and a DigiCert certificate.

The new YAML pipelines work with the SHA256

Answer 3

You just need to add -pi parameter (password of your pvk file) like that:

pvk2pfx.exe -pvk App-O.pvk -pi fess -spc App-O.cer -pfx App-O.pfx -po fess -f