How do I use signtool.exe correctly in Hudson running as a service?

Tim · Apr 23, 2010 · Viewed 10.5k times

I just purchased a code signing cert (MS Authenticode) from Thawte and have installed it, apparently, on my build machine. I am logged in as a user and when I open a cmd prompt I can sign EXEs using the cert with signtool.exe.

Unfortunately this same command line does not work in the Hudson process that is running on the machine.

The error message I get is:

SignTool Error: No certificates were found that met all the given criteria.

I presume this is because the Hudson service is running under a different account than the account I ran signtool.exe from and the account I used to get the cert from Thawte.

So, my question is: how do I fix this problem? I thought I was going to download a file from Thawte, but instead it just used IE somehow to install the cert in the user's cache magically. I probably want to export (or whatever the correct term is) it to a file that I can store/save or use on any other machine.

How do I do that, and how do I call signtool correctly with either the file or the cert from another user in the system/services account?

Answer

Will Bickford · Nov 17, 2011

Taken from signtool sign -h output:

/s <name>   Specify the Store to open when searching for the cert. The default
is the "MY" Store.
/sm         Open a Machine store instead of a User store.

Getting this to work is a bit of a pain... I was able to get it to work by adding the certificates to the local machine store and using the /sm switch.

The /s switch allows you to select which pre-defined store to use. Unfortunately I can't find any documentation that lists what the available options actually are (@Microsoft signtool maintainer: please document this!). An additional complication is that it is hard to determine which store Hudson provides access to - it isn't the local security Hudson account as you might expect.

Note: The "Personal" store listed in mmc views is the "MY" store when accessed from signtool.

Thankfully the /sm switch provides us with a get-out-of-jail-free card. Unfortunately this would be a security risk if your build server runs jobs for multiple organizations or departments. In my case it is only used by my group, so this doesn't bother me.
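The following PowerShell script is an added example, not code from either poster. It shows the diagnosis and fix the answer describes end to end: print the identity the script runs under (run it from a Hudson job to learn which account, and therefore which CurrentUser store, signtool is actually seeing), list the code-signing certificates in the user and machine "MY" stores, export the enrolled certificate with its private key to a password-protected PFX, import it into the machine store, and sign with the /sm switch. Steps 1-3 are meant to be run once, interactively, as the user who enrolled the certificate; steps 4-5 are the lines a build job would run. It assumes a signtool.exe from a Windows 8 SDK or later (for /fd, /tr and /td), the PKI module that provides Export-PfxCertificate and Import-PfxCertificate, and that the subject name, paths and timestamp URL are placeholders you replace.

```powershell
# Added example (not from the question or answer above).
# Assumptions: signtool.exe is on PATH and is a newer SDK build; the PKI module
# (Export-/Import-PfxCertificate) is available; every value below marked
# "placeholder" is yours to replace.

$Subject = 'CN=Example Corp'            # placeholder: subject of your signing cert
$PfxPath = 'C:\secure\codesign.pfx'     # placeholder: export target; restrict its NTFS ACL
$ExePath = 'C:\build\out\app.exe'       # placeholder: artifact to sign
$TsaUrl  = 'http://timestamp.example'   # placeholder: your CA's RFC 3161 timestamp URL

# 1. Which identity is this running as? From a Hudson job this tells you which
#    account's CurrentUser store signtool opens when /sm is not given.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Running as: $who"

# 2. List code-signing certs in both "MY" stores (mmc shows these as "Personal").
#    HasPrivateKey must be True for signtool to be able to use the cert.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Host "`n$store"
    Get-ChildItem $store -CodeSigningCert |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
        Format-Table -AutoSize
}

# 3. Export the enrolled cert (with private key) from the interactive user's
#    store and import it into the machine store. Export-PfxCertificate fails if
#    the key was enrolled as non-exportable; in that case re-enroll with an
#    exportable key, or enroll directly into LocalMachine\My instead.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    throw "No code-signing cert with a private key and subject '$Subject' in CurrentUser\My"
}

$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                      -Password $pfxPassword | Out-Null

# 4. Sign from the machine store (/sm /s My, as in the answer). Selecting the
#    cert by thumbprint (/sha1) rather than by name avoids picking up an expired
#    or look-alike cert that happens to share the subject.
& signtool.exe sign /sm /s My /sha1 $cert.Thumbprint /fd sha256 /tr $TsaUrl /td sha256 $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 5. Verify the signature chains to a trusted root under the default Authenticode policy.
& signtool.exe verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Once the certificate is in LocalMachine\My, the job only needs the single signtool line from step 4 (and the verify from step 5), and the /f <pfx> /p <password> alternative of keeping a PFX on disk is no longer needed, so the exported file can be deleted or moved to offline storage. The answer's caveat still applies: anything that can run a job on that box can now sign with the machine-store key, so the build service account and who can schedule jobs on it deserve the same scrutiny as the key itself.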