
SignTool errors and solutions

The following errors may occur while signing with SignTool.

Unexpected internal error

Error message

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885 / 0x8007000B)

Problem

This error can occur for various reasons. For more information, check the event log.

Solution

Follow the instructions below to view the event log:

  1. Run:

    Eventvwr.msc
  2. Open Event Viewer (Local).

  3. Navigate to: Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational.

  4. Find the most recent error event.

  5. Match the corresponding error value to the description below:

    Event ID: 150
    Example event string: error 0x8007000B: The app manifest publisher name (CN=Contoso) must match the subject name of the signing certificate (CN=Contoso, C=US).
    Solution: The app manifest publisher name must exactly match the subject name of the signing certificate.

    Event ID: 151
    Example event string: error 0x8007000B: The signature hash method specified (SHA512) must match the hash method used in the app package block map (SHA256).
    Solution: The hashAlgorithm specified in the /fd parameter is incorrect. Rerun SignTool using a hashAlgorithm that matches the app package block map (used to create the app package).

    Event ID: 152
    Example event string: error 0x8007000B: The app package contents must validate against its block map.
    Solution: The app package is corrupt and needs to be rebuilt to generate a new block map. For more about creating an app package, see Create an app package with the MakeAppx.exe tool.
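
A pre-signing check for the two mismatches behind events 150 and 151, added here as an example (it is not DigiCert or Microsoft code). It assumes an unbundled .appx/.msix package, takes the certificate subject as a string you supply, and compares it to the manifest publisher as plain text; the function names and the sample package are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile


def read_package_facts(package):
    """Return (publisher, hash_algorithm) from an .appx/.msix, which is a ZIP."""
    with zipfile.ZipFile(package) as z:
        manifest = ET.fromstring(z.read("AppxManifest.xml"))
        blockmap = ET.fromstring(z.read("AppxBlockMap.xml"))
    # Match on the local name so any manifest schema namespace is accepted.
    identity = next(e for e in manifest.iter() if e.tag.rsplit("}", 1)[-1] == "Identity")
    # HashMethod is a URI ending in the algorithm, e.g. ...xmlenc#sha256.
    algorithm = blockmap.attrib["HashMethod"].rsplit("#", 1)[-1].upper()
    return identity.attrib["Publisher"], algorithm


def presign_check(package, cert_subject, fd):
    """List mismatches that SignTool would report as event 150 or 151."""
    publisher, algorithm = read_package_facts(package)
    problems = []
    if publisher != cert_subject:  # assumption: plain string comparison
        problems.append(f"150: manifest publisher ({publisher}) does not match "
                        f"certificate subject ({cert_subject})")
    if fd.upper() != algorithm:
        problems.append(f"151: /fd {fd} does not match block map hash method ({algorithm})")
    return problems


def build_sample_package():
    """Constructed sample holding only the two files this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml",
                   '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
                   '<Identity Name="Contoso.App" Publisher="CN=Contoso" Version="1.0.0.0"/></Package>')
        z.writestr("AppxBlockMap.xml",
                   '<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap" '
                   'HashMethod="http://www.w3.org/2001/04/xmlenc#sha256"/>')
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Values taken from the example event strings for events 150 and 151.
    for problem in presign_check(build_sample_package(), "CN=Contoso, C=US", "SHA512"):
        print(problem)
```

An empty list means the /fd value and the certificate subject agree with the package; it does not validate the package contents against the block map (event 152).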

Unexpected internal error

Error message

SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2147024885 / 0x80080206)

Problem

If the error code starts with 0x8008, such as 0x80080206 (APPX_E_CORRUPT_CONTENT), the package being signed is invalid.

Solution

Rebuild the package and run SignTool again.

Invalid parameter

Error message

invalid parameter (0x80080057)

Problem

You are unable to sign Portable Executable (PE) files such as .exe and .sys that are larger than 4 GB, using SignTool on Windows.

Solution

Sign PE files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.

Incorrect internal hash

Problem

Although .cat files larger than 4 GB are usually signable, the internal hash that's generated may not be accurate.

Solution

Sign .cat files that are smaller than 4 GB. Due to the backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.

Certificate chain could not be built during verification

Error message

SignTool Error: WinVerifyTrust returned error: 0x800B010A
        A certificate chain could not be built to a trusted root authority.

Problem

This error occurs when the certificate used in the sign operation was generated using a private trust and the root and intermediate certificates are not imported into the Windows agent’s certificate store.

Solution

Resolve this by using a public trust, or by importing the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into the Windows agent’s certificate store. The root CA certificate must be imported into the “Trusted Root Certification Authorities” store for the trust chain to work.

No certificates were found matching the given criteria error while signing

Error message

SignTool Error: No certificates were found that met all the given criteria.

Problem

This error message occurs when the KSP is not configured properly.

Solution

  1. Verify the KSP is set up properly, using the command:

    certutil.exe -csp "DigiCert Software Trust Manager KSP" -key -user
  2. Make sure that the environment variables supplied to the pipeline are correct.

  3. If you are using a thumbprint to sign, ensure the certificates are synced with the local certificate store. If the certificate with that thumbprint is not present in the local certificate store, you will get this error. Use the smksp_cert_sync.exe tool to sync certificates from DigiCert® Software Trust Manager to the agent's certificate store.

Note

Make sure the environment variables are defined before you run cert sync.

Unexpected internal errors

Error message

SignTool Error: An unexpected internal error has occurred.

Problem

This is a general error message that can occur for various reasons.

Solution

Check the DigiCert® Software Trust Manager KSP log file at .signingmanager\logs\smksp.log in your home directory. It provides more detail on why the operation failed. On Windows, the home directory is usually C:\Users\<User Name>.