Signtool error No certificates were found that met all given criteria with a Windows Store App

Question

I m trying to sign a Windows 8 appx package with a pfx file I have  I m using a command like so   signtool exe sign  fd sha256  f  key pfx   app appx    And from this  I get      SignTool Error  No certificates were found that met all the given criteria    What  criteria  am I not meeting  This is only for testing so these are self-signed certificates  I ve tried importing the key and then signing it  but it always results in the same error  How do I fix this

User · Answer

In my case I have the wrong type of certificate that I am trying to associate.
I had "Server Authentication" rather than "Code signing".
You should be able to see this in Certificate snap in the Intended Purpose section.
After that, it just work fine.

User · Answer

I solved this by using the  sm flag to specify to look in the machine store instead of the default  which is My  Local User  store  Also  it can help to turn on debug for signtool by using  debug

User · Answer

If you do not have to sign the app  right click on your project  Project Properties - gt  Signing - gt  uncheck  Sign the ClickOnce Manifest   Also as this MS article suggests      If you are using Visual Studio 2008 and are targeting  NET 3 5 and using automatic updates  you can just change the certificate and deploy a new version

User · Answer

Please always check your certificate expiry date first because most of the certificates have an expiry date  In my case certificate has expired and I was trying to build project

User · Answer

My problem ended up being that I did not understand the signtool options  I had provided the  n option with something that did not match my certificate  When I removed that it stopped complaining

User · Answer

I had this problem and I m not entirely sure which step below made it work  but hope this helps somebody else   this is what I did    Install the downloaded certificate   crt  into certificates  I put it into    personal    store  - right click on  crt file and click Install Certificate  Run certmgr msc and export the certificate  found in whichever store you used in the 1st step  as a pfx file including private key  and extended properties  probably unnecessary  Use the exported  pfx file when signing your project Example signtool  signtool sign  f  c  mycert pfx   p mypassword  d  description   t http   timestamp verisign com scripts timstamp dll   TargetPath  where the password is the same as provided during Export

User · Answer

The criteria include account name  whose private key it is associated with   domain  company  expiration date  intended purposes  among other things    There are many different possible reasons for this error to occur  some have been listed already  Here is another tip  When importing a certificate  be sure you work with the original file received from the certificate authority  CA   or else some of the properties might be lost    Example  recently I tried to import a certificate exported from a different account on the same machine  The certificate became visible to my account but was not associated with my account  and as a result signtool refused to recognize it without explicitly providing the file name and a password  Which  when done as part of the build process and written out explicitly in a batch file or source file  may not be sufficiently secure   Importing the original CA-issued certificate solved it

User · Answer

I got the same problem in my console application development and as a quick workaround   go to project properties then   click on signing tab and uncheck  Sign the ClickOnce Manifest    Image Description       FYI You can also see this less one minute video solution  The above picture is taken form the video

User · Answer

When getting this error through Visual Studio it was because there was a signing certificate setup to match the computer it was originally developed on   You can check this by going to the project properties   signing tab and checking the certificate details   You can uncheck  Sign the ClickOnce manifests  to disable signing     If you don t want to turn this option off you will have to install the certificate

User · Answer

In case anyone else runs into this   My problem ended up being that I needed to run the command prompt as administrator before using the signtool exe app   Then everything works wonderfully

User · Answer

Try with  debug 1 2 As in     signtool sign  debug  f mypfxfile pfx  p  lt password gt   mydllexectuable  exe   It will help you find out what is going on  You should get output like this    The following certificates were considered      Issued to   lt issuer gt      Issued by   lt certificate authority gt  Class 2 Primary Intermediate Server CA     Expires    Sun Mar 01 14 18 23 2015     SHA1 hash  DD0000000000000000000000000000000000D93E      Issued to   lt certificate authority gt  Certification Authority     Issued by   lt certificate authority gt  Certification Authority     Expires    Wed Sep 17 12 46 36 2036     SHA1 hash  3E0000000000000000000000000000000000000F  After EKU filter  2 certs were left  After expiry filter  2 certs were left  After Private Key filter  0 certs were left  SignTool Error  No certificates were found that met all the given criteria    You can see what filter is causing your certificate to not work  or if no certificates were considered    I changed the hashes and other info  but you should get the idea  Hope this helps       1 Please note  signtool is particular about where the  debug option is placed   It needs to go after the sign statement   2 Also note  the  debug option only works with some versions of signtool   The WDK version has the option  whereas the Windows SDK version does not

User · Answer

Go to project properties and uncheck all fields from the Firm before init the compilation

User · Answer

Got the same issue  turned out that the private key to the certificate had no permission   To fix - open the certifacte management  find your certificate  right click -  Manage Private Keys and then in security on top be sure that your user is added and given permissions  that fixed it for me

User · Answer

I had a similar problem my computer name had change and the certificate had expired  I was able to resolve this issue by creating a new test certificate    In Visual Studio  right click on project in solution explorer  Select properties  Select Signing in properties window  Click  Create Test Certificate       Enter password information for test certificate and click ok

User · Answer

just uncheck the  Sign the click once manifests  from the signing tab in project properties it will remove the error and you can create a new one as from there

User · Answer

I m having the same problem  reading some answers  posted here   I saw my certificate expired    Just create a new one from my start project  Then at certificates manager deleted the expired certificate   Now everything compiles fine

User · Answer

I have had this issue too  tried a lot  Used SDK as well as Visual Studio signing  but everywhere I got  No certificates were found that met all the given criteria    Solution  Be aware that  if  after private key filter    0 left  shows up with option signtool sign  debug     the cause is your PC doesn t has the CA itself in the store  To solve this  install the CA first  in my case a  crt file   then run the sign again  It should work right now   Signtool only can be used with a CA which is requested   nd owned by the same PC

User · Answer

I had the same  After Private Key filter  0 certs were left  message and spent too much of my life trying to figure out what the message meant    The problem was that I had installed the certificate incorrectly in the Windows Certificate store so there was no private key associated with the code signing certificate   What I should have done was this    Using either Firefox or Internet Explorer  submit the  request to the issuer  This generates a PRIVATE KEY which is stored silently by the browser  a dialog appears for a fraction of a second in Firefox   Note that other browsers may not work  your life is too short to find out if they do  Submit the request  jump through the issuer s validation hoops and loops  sacrifice a goat  pray to the gods  submit a signed statement from your great grandparents  etc   Download the certificate   crt  and import it into the same browser  The browser now has both the private key and the certificate  Export the certificate from the browser as a Personal Information Exchange   p12  file  You will be asked to supply a password to protect this file   Keep a backup copy of the  p12 file  Run the Certificate Manager  certmgr msc   right click on the Personal certificate store  select All Tasks Import    and import the  p12 file into Windows  You will be asked for the password you used to protect the file  At this point  depending upon your security requirements  you can mark the key as exportable so you can restore a copy from the Windows store  You can also mark that a password is required before use if you want to break batch scripts   Run signtool successfully  breathe a sigh of relief  and ponder how much of your life you have wasted due to bad error messages and poor or missing documentation

User · Answer

With  debug  when you get this message  After Private Key filter  0 certs were left    one reason could be that the pfx file doesn t have the private key  When you export the installed certificate to pfx file ensure to enable the check box to also include the private key

[windows-8] Signtool error: No certificates were found that met all given criteria with a Windows Store App?

Examples related to windows-8

Examples related to windows-store-apps

Examples related to signtool

Examples related to appx