Signing CAB file with signtool not working any more (The signer's certificate is not valid for signing)

Question

Few month ago a was able to successfully sign CAB file with test certificate I have created on my server. Here are the steps I have taken:

makecert.exe -sv "Demo.pvk" -n "CN=Demo Company,E=demo@gmail.com" "Demo.cer"

cert2spc.exe "Demo.cer" "Demo.spc"

pvk2pfx.exe -pvk "Demo.pvk" -pi "pvk_password" -spc "Demo.spc" -pfx "Demo.pfx" -po "pfx_password"

signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "D:\Setup.cab"

All the steps are successfull except the last one with signtool that returns: "The signer's certificate is not valid for signing". I have done the research on web about this error but nothing did actualy solved my problem. This error is usualy created because pfx has expired but this is not the case here. I have successfully imported certificate to local cert store and checked it's validity.

Why I am not able to sign CAB with my pfx any more even if I recreate it? Is there some windows update responsible for this change?

I am open to suggestions for any other way to sign CAB with pfx using command prompt.

Answer 1

I have managed to crack this nut and signed CAB with test certificate.

First I have changed makecert call by adding -r parameter that stands for self-signing:

makecert.exe -sv "Demo.pvk" -n "CN=Gregor Primar SP,E=gprimar@gmail.com" "Demo.cer" -r

Next step was creating pfx using makecert not pvk2pfx any more:

makecert -sk GpSolutionsKey -iv "Demo.pvk" -n "CN=Gregor Primar SP" -ic "Demo.cer" -sr currentuser -ss my -sky signature -pe

This also imports pfx to user cert store (-sr currentuser).

Then I have opened mmc and add Certificates snap-inn (my user account). Selected personal certificate and exported to disc.

The last step was signing using following command:

signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "d:\Setup.cab"

And Setup.cab was successfully signed with Demo.pfx!

Answer 2

Almost probably that your key public size is less than 2048 bits (by default uses length= 1024 that unable the signing), 2048 bits is the minimum size required for the O.S. to able signing process, you may be check this value in the running the certmgr command line, go to the folder to contains your recently created certificate, double click in your certificate, go to details tab and verify that the key public size is greather or equal than 2048

If the size is less than 2048 you shouldbe to generate again adding the flag -len=2048 (or grather) to makevert command, also I included the -r flag

makecert -sv "mycertif.pvk" -n "CN=Totem Company" -len 2048 mycertif.cer -r

Late, use signtool to apply the sign

Works for me, good luck