SignTool errors and solutions
The following errors may occur while signing with Signtool.
Unexpected internal error
Error message
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024885 / 0x8007000B)
Problem
This error can occur for various reasons. For more information, check the event log.
Solution
Follow the instructions below to view the event log:
Run:
Eventvwr.msc
Open Event Viewer (Local).
Navigate to: Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational.
Find the most recent error event.
Match the corresponding error value to the description below:
Event ID: 150
Example event string: error 0x8007000B: The app manifest publisher name (CN=Contoso) must match the subject name of the signing certificate (CN=Contoso, C=US).
Solution: The app manifest publisher name must exactly match the subject name of the signing certificate.

Event ID: 151
Example event string: error 0x8007000B: The signature hash method specified (SHA512) must match the hash method used in the app package block map (SHA256).
Solution: The hashAlgorithm specified in the /fd parameter is incorrect. Rerun SignTool using a hashAlgorithm that matches the app package block map (used to create the app package).

Event ID: 152
Example event string: error 0x8007000B: The app package contents must validate against its block map.
Solution: The app package is corrupt and needs to be rebuilt to generate a new block map. For more about creating an app package, see Create an app package with the MakeAppx.exe tool.
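The two mismatches behind events 150 and 151 can be caught before SignTool runs. The following is an added example, not part of the original page or of any DigiCert or Microsoft tooling. It assumes an .appx/.msix package is a ZIP container holding AppxManifest.xml and AppxBlockMap.xml, that the certificate subject is supplied by the caller as a string, and the function names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET


def _root(pkg, member):
    """Parse one XML part of the package (assumed to be a ZIP container)."""
    return ET.fromstring(pkg.read(member))


def presign_check(package_bytes, cert_subject, fd_alg):
    """Return [(event_id, reason), ...] for mismatches SignTool would reject."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        manifest = _root(pkg, "AppxManifest.xml")
        blockmap = _root(pkg, "AppxBlockMap.xml")
    # Event 150: Identity/@Publisher must equal the certificate subject exactly.
    identity = next(e for e in manifest.iter()
                    if e.tag.rsplit("}", 1)[-1] == "Identity")
    publisher = identity.get("Publisher")
    if publisher != cert_subject:
        problems.append((150, f"publisher {publisher!r} != subject {cert_subject!r}"))
    # Event 151: BlockMap/@HashMethod is a URI whose fragment names the hash.
    method = blockmap.get("HashMethod", "").rsplit("#", 1)[-1].upper()
    if method != fd_alg.upper():
        problems.append((151, f"/fd {fd_alg} != block map {method}; use /fd {method}"))
    return problems


def build_sample_package(publisher="CN=Contoso", hash_fragment="sha256"):
    """Constructed sample: a minimal ZIP with only the two parts the check reads."""
    manifest = (
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Contoso.App" Publisher="{publisher}" Version="1.0.0.0"/>'
        "</Package>"
    )
    blockmap = (
        '<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
        f'HashMethod="http://www.w3.org/2001/04/xmlenc#{hash_fragment}"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("AppxBlockMap.xml", blockmap)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_package()
    for event_id, reason in presign_check(sample, "CN=Contoso, C=US", "SHA512"):
        print(f"would fail with event {event_id}: {reason}")
```

Event 152 (contents not matching the block map) is not covered here; that case still requires rebuilding the package.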
Unexpected internal error
Error message
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024885 / 0x80080206)
Problem
If the error code starts with 0x8008, such as 0x80080206 (APPX_E_CORRUPT_CONTENT), the package being signed is invalid.
Solution
Rebuild the package and run SignTool again.
Invalid parameter
Error message
invalid parameter (0x80080057)
Problem
You are unable to sign Portable Executable (PE) files such as .exe and .sys that are larger than 4 GB, using SignTool on Windows.
Solution
Sign PE files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.
Incorrect internal hash
Problem
Although .cat files larger than 4 GB are usually signable, the internal hash that's generated may not be accurate.
Solution
Sign .cat files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.
Certificate chain could not be built during verification
Error message
SignTool Error: WinVerifyTrust returned error: 0x800B010A A certificate chain could not be built to a trusted root authority.
Problem
This error occurs when the certificate used in the sign operation was generated from a private trust and the root and intermediate certificates have not been imported into the Windows agent’s certificate store.
Solution
Use a public trust, or import the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into the Windows agent’s certificate store. The root CA certificate must be imported into the “Trusted Root Certification Authorities” store for the trust chain to work.
No certificates were found matching the given criteria error while signing
Error message
SignTool Error: No certificates were found that met all the given criteria.
Problem
This error message occurs when the KSP is not configured properly.
Solution
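Verify that the KSP is set up correctly (instructions are provided earlier in this document).
certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user
Verify that the environment variables supplied to the pipeline are correct.
If you are signing with a thumbprint, verify that the certificate has been synchronized to the local certificate store. This error appears when the certificate referenced by the thumbprint does not exist in the local certificate store. Use the smksp_cert_sync.exe tool to synchronize certificates from STM to the agent certificate store.
Note
Before running certificate sync, make sure the environment variables are defined.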
Unexpected internal errors
Error message
SignTool Error: An unexpected internal error has occurred.
Problem
This error message is a general error message and can occur due to various reasons.
Solution
Check the DigiCert® KeyLocker KSP log file at .signingmanager\logs\smksp.log in your home directory. It provides more details on why the operation failed. The home directory on Windows is usually C:\Users\<User Name>.