How do I use signtool.exe correctly in hudson running as a service?

hudson code-signing authenticode
Tim picture Tim · Apr 23, 2010 · Viewed 10.5k times · Source

I just purchased a code signing cert (MS authenticode) from THAWTE and have installed it apparently on my build machine. I am logged in as a user and when I open a cmd prompt I can sign EXEs using the cert with signtool.exe.

Unfortunately this same command line does not work in the hudson process that is running on the machine.

the error message I get is:

SignTool Error: No certificates were found that met all the given criteria.

I presume this is because the hudson service is running under a different account than the account that I ran signtool.exe from and from the account I used to get the cert from thawte.

So, my question is: How do I fix this problem? I thought i was going to download a file from thawte, but instead it just used IE somehow to install the cert in the user's cache magically. I probably want to export (or whatever the correct term is) to a file that I can store/save or use on any other machine.

How do i do that and how do I call signtool correctly with either the file or the cert from another user in the system/services account?

Answer

Will Bickford picture Will Bickford · Nov 17, 2011

Taken from signtool sign -h output:

/s <name>   Specify the Store to open when searching for the cert. The default
is the "MY" Store.
/sm         Open a Machine store instead of a User store.

Getting this to work is a bit of a pain... I was able to get it to work by adding the certificates to the local machine store and using the /sm switch.

The /s switch allows you to select which pre-defined store to use. Unfortunately I can't find any documentation that lists what the available options actually are (@Microsoft signtool maintainer: please document this!). An additional complication is that it is hard to determine which store Hudson provides access to - it isn't the local security hudson account as you might expect.

Note: The "Personal" store listed in mmc views is the "MY" store when accessed from signtool.

Thankfully the /sm switch provides us with a get-out-of-jail-free card. Unfortunately this would be a security risk if your build server runs jobs for multiple organizations or departments. In my case it is only used by my group, so this doesn't bother me.

Related questions

Error - trustAnchors parameter must be non-empty

I'm trying to configure my e-mail on Jenkins/Hudson, and I constantly receive the error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty I've seen a good amount of information online about the error, but I have not gotten …

Read More
What is the JUnit XML format specification that Hudson supports?

I have Hudson as continuous integration server and I want to use option 'Publish JUnit test result report'. But I don't use xUnit tools for testing, instead of that i have shell scripts which run tests and return results in …

Read More
How to choose between Hudson and Jenkins?

It took me an hour or so to work out Hudson has only branched recently (Jan/2011) I have no idea how rapid the change of each branch is now, but more importantly, what is the direction each branch is taking …

Read More