SignTool errors and solutions
The following errors may occur while signing with SignTool.
Unexpected internal error
Error message
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024885 / 0x8007000B)
Problem
This error can occur for various reasons. For more information, check the event log.
Solution
Follow the instructions below to view the event log:
Run:
Eventvwr.msc
Open Event Viewer (Local).
Navigate to: Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational.
Find the most recent error event.
Match the corresponding error value to the description below:
Event ID: 150
Example event string: error 0x8007000B: The app manifest publisher name (CN=Contoso) must match the subject name of the signing certificate (CN=Contoso, C=US).
Solution: The app manifest publisher name must exactly match the subject name of the signing certificate.
Event ID: 151
Example event string: error 0x8007000B: The signature hash method specified (SHA512) must match the hash method used in the app package block map (SHA256).
Solution: The hashAlgorithm specified in the /fd parameter is incorrect. Rerun SignTool using a hashAlgorithm that matches the app package block map (used to create the app package).
Event ID: 152
Example event string: error 0x8007000B: The app package contents must validate against its block map.
Solution: The app package is corrupt and needs to be rebuilt to generate a new block map. For more about creating an app package, see Create an app package with the MakeAppx.exe tool.
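The Event Viewer lookup above can also be scripted. This is an added example, not part of the original DigiCert documentation; the function name Get-LatestAppxSigningError and its MaxAgeMinutes parameter are hypothetical, and the guidance strings paraphrase the event ID list above.

```powershell
# Added example: find the newest error in the AppxPackaging operational log
# and map its event ID to the guidance listed on this page.
$logName = 'Microsoft-Windows-AppxPackaging/Operational'

# Guidance keyed by event ID (paraphrased from the list above).
$guidance = @{
    150 = 'Make the app manifest publisher name exactly match the signing certificate subject name.'
    151 = 'Rerun SignTool with an /fd hash algorithm that matches the app package block map.'
    152 = 'The app package is corrupt; rebuild it to generate a new block map.'
}

function Get-LatestAppxSigningError {
    param(
        [int]$MaxAgeMinutes = 60   # hypothetical parameter: how far back to search
    )

    $filter = @{
        LogName   = $logName
        Level     = 2                                      # 2 = Error
        StartTime = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    }

    # Get-WinEvent returns the newest events first. It writes an error when
    # nothing matches, so suppress that and handle the empty case explicitly.
    $latest = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $latest) {
        Write-Warning "No error events found in $logName in the last $MaxAgeMinutes minutes."
        return
    }

    $id = [int]$latest.Id
    $hint = if ($guidance.ContainsKey($id)) { $guidance[$id] }
            else { 'Event ID not covered by the list above; read the event message.' }

    [pscustomobject]@{
        TimeCreated = $latest.TimeCreated
        EventId     = $id
        Message     = $latest.Message
        Suggested   = $hint
    }
}

# Run right after a failed SignTool invocation.
Get-LatestAppxSigningError | Format-List
```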
Unexpected internal error
Error message
SignTool Error: An unexpected internal error has occurred. Error information: "Error: SignerSign() failed." (-2147024885 / 0x80080206)
Problem
If the error code starts with 0x8008, such as 0x80080206 (APPX_E_CORRUPT_CONTENT), the package being signed is invalid.
Solution
Rebuild the package and run SignTool again.
Invalid parameter
Error message
invalid parameter (0x80080057)
Problem
You are unable to sign Portable Executable (PE) files such as .exe and .sys that are larger than 4 GB, using SignTool on Windows.
Solution
Sign PE files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.
Incorrect internal hash
Problem
Although .cat files larger than 4 GB are usually signable, the internal hash that's generated may not be accurate.
Solution
Sign .cat files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.
Certificate chain could not be built during verification
Error message
SignTool Error: WinVerifyTrust returned error: 0x800B010A A certificate chain could not be built to a trusted root authority.
Problem
This error message occurs when the certificate used in the sign operation was generated using a private trust and the root and intermediate certificates are not imported into the Windows agent’s certificate store.
Solution
Solve this by using a public trust or by importing the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into the Windows agent’s certificate store. The root CA certificate must be imported into the “Trusted Root Certification Authorities” store for the trust chain to work.
No certificates were found matching the given criteria error while signing
Error message
SignTool Error: No certificates were found that met all the given criteria.
Problem
This error message occurs when the KSP is not configured properly.
Solution
Verify the KSP is set up properly, using the command:
certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user
Make sure that the environment variables supplied to the pipeline are correct.
Ensure the certificates are synced with the local certificate store if you are using a thumbprint to sign. If the certificate with the thumbprint is not present in the local certificate store, you will get this error. Use the smksp_cert_sync.exe tool to sync certificates from DigiCert® KeyLocker to the agent certificate store.
Note
Make sure the environment variables are defined before you run cert sync.
Unexpected internal errors
Error message
SignTool Error: An unexpected internal error has occurred.
Problem
This is a general error message that can occur for various reasons.
Solution
Check the DigiCert® KeyLocker KSP log file at .signingmanager\logs\smksp.log in your home directory. This will provide you with more details on why the operation failed. The home directory on Windows is usually C:\Users\<User Name>.