"The certificate in the signature cannot be verified" for Thawte certificate

cctor · Mar 29, 2013 · Viewed 10.6k times

I need to sign the Application.exe file with the certificate that is stored in company.pfx. So, I used signtool:

signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

signtool said that there are no errors. But in Digital Signature Details there's the message "The certificate in the signature cannot be verified." and there's no certification path.

In Details there's a property "Extended Error Information" that says "Revocation Status : The revocation function was unable to check revocation because the revocation server was offline."

Application.exe image

To investigate the problem I've used sigcheck (-a key) on the application, and it says "Verified: A certificate chain could not be built to a trusted root authority."

Then I've imported the pfx file into the repository, and it seems that the certificate is okay.

Certificate image

I've searched Stack Overflow for my topic and found some links, and they helped:

How to create PFX with my chain of certificates?

How can I sign an ActiveX control with a code signing certificate and be a verified publisher?

The solution is to extract the certificate from the pfx (using OpenSSL) and apply it using the /ac argument:

openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Cross certificate chain (using machine store):
    Issued to: thawte Primary Root CA
    Issued by: thawte Primary Root CA
    Expires:   Thu Jul 17 02:59:59 2036
    SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81

        Issued to: Thawte Code Signing CA - G2
        Issued by: thawte Primary Root CA
        Expires:   Sat Feb 08 02:59:59 2020
        SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7

            Issued to: Company, Inc.
            Issued by: Thawte Code Signing CA - G2
            Expires:   Wed Aug 27 02:59:59 2014
            SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: Application.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Now the message in Digital Signature Details is "The digital signature is OK."

But I cannot understand why I need to use the /ac argument. Does anyone have any ideas?

Edit:

I've verified the first version of the application (without /ac) with Application.exe, and it gives me more information:

signtool.exe verify /v /kp Application.exe

Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7

Signing Certificate Chain:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: WinVerifyTrust returned error: 0x800B010A
        A certificate chain could not be built to a trusted root authority.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

"A certificate chain could not be built to a trusted root authority." But why?

Answer

cctor · Mar 29, 2013

I've found an article about signing files using Thawte's certificate: http://codingexpedition.wordpress.com/2011/04/21/thawte-code-signing-pfx/

It seems that the /ac signtool option is always required. So, I've extracted the Thawte certificates into a .cer file and applied it with the /ac parameter.

openssl pkcs12 -in company.pfx -out company_ca.pem -nokeys -cacerts
openssl x509 -in company_ca.pem -out company_ca.cer -outform DER
signtool sign /ac company_ca.cer /p password /f company.pfx /t timeserver /v Application.exe

And it works fine!
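Why the first signing attempt failed verification and what the extracted certificate passed to /ac supplies, as an added example that is not part of the question, the answer, or the linked article: the script below builds a toy root, intermediate and code-signing leaf with OpenSSL, packs them into a PFX laid out like company.pfx (leaf key and certificate plus the issuing CA certificate), runs both extraction commands from the page (the question's -nodes -clcerts and the answer's -nokeys -cacerts), and then asks openssl verify to chain the leaf to a store that trusts only the root. With the leaf alone the chain cannot be built, which is the same condition the signtool verify output above reports as 0x800B010A; handing the verifier the extracted CA certificate, the role /ac plays by adding a certificate to the signature block, makes the chain build. The Toy CA names, the subject "Company, Inc.", the PFX password and every file name here are constructed for the demo and are not the page's real Thawte material.

```shell
#!/bin/sh
# Added example (not the question's or answer's own commands): reproduce the
# "certificate chain could not be built" failure with a toy PKI and show what
# the CA certificate extracted for /ac adds. All names and the password are
# constructed assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: a CA profile for root and intermediate, a code-signing
# end-entity profile for the leaf.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF

# issue_cert NAME SUBJECT PROFILE [ISSUER]: self-signed when ISSUER is omitted.
issue_cert() {
    name=$1; subject=$2; profile=$3; issuer=${4:-}
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    openssl req -new -key "$name.key" -subj "$subject" -out "$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 3650 \
            -extfile ext.cnf -extensions "$profile" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 365 -extfile ext.cnf -extensions "$profile" \
            -out "$name.pem" 2>/dev/null
    fi
}

# Root -> intermediate -> leaf, mirroring the chain signtool printed:
# thawte Primary Root CA -> Thawte Code Signing CA - G2 -> Company, Inc.
issue_cert root  "/CN=Toy Primary Root CA"      ca
issue_cert inter "/CN=Toy Code Signing CA - G2" ca   root
issue_cert leaf  "/CN=Company, Inc."            leaf inter

# company.pfx: the leaf key and certificate, with the intermediate bundled as an
# extra certificate, which is the layout the answer's -cacerts extraction relies on.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
    -passout pass:password -out company.pfx

# Question's extraction (-nodes -clcerts): leaf certificate AND its private key.
openssl pkcs12 -in company.pfx -passin pass:password -nodes -clcerts \
    -out company_cl.pem 2>/dev/null
# Answer's extraction (-nokeys -cacerts): only the CA certificate(s), no key.
openssl pkcs12 -in company.pfx -passin pass:password -nokeys -cacerts \
    -out company_ca.pem 2>/dev/null

# Count PEM certificates in a file; report whether a private key was written.
count_certs()     { grep -c 'BEGIN CERTIFICATE' "$1"; }
has_private_key() { grep -q 'PRIVATE KEY' "$1"; }

# verify_chain [UNTRUSTED_BUNDLE]: succeed only if leaf.pem chains to root.pem.
# Trusting only the root models a verifying machine that has the root CA but
# not the intermediate; the bundle plays the part of the certificate /ac adds.
verify_chain() {
    if [ -n "${1:-}" ]; then
        openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
    else
        openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
    fi
}

if verify_chain; then
    echo "leaf alone: chain built"
else
    echo "leaf alone: a certificate chain could not be built to the trusted root"
fi
if verify_chain company_ca.pem; then
    echo "leaf + extracted CA certificate: chain built"
fi
```

Two things the run makes visible: the leaf by itself is exactly what the first signature carried, and it only chains once the verifier is given the intermediate; and the question's -nodes -clcerts form also writes the signing key to disk unencrypted, which the answer's -nokeys form avoids, so prefer -nokeys when all you need is a certificate for /ac.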