Signtool error: No certificates were found that met all given criteria with a Windows Store App?

Question

I\'m trying to sign a Windows 8 appx package with a pfx file I have. I\'m using a command like so:

signtool.exe sign /fd sha256 /f \"key.pfx\" \"app.appx\"
<         


        

Answer 1

I'm having the same problem, reading some answers (posted here), I saw my certificate expired.

Just create a new one from my start project. Then at certificates manager deleted the expired certificate.

Now everything compiles fine.

Answer 2

Try with /debug.^1,2 As in :

signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe

It will help you find out what is going on. You should get output like this:

The following certificates were considered:
    Issued to: <issuer>
    Issued by: <certificate authority> Class 2 Primary Intermediate Server CA
    Expires:   Sun Mar 01 14:18:23 2015
    SHA1 hash: DD0000000000000000000000000000000000D93E

    Issued to: <certificate authority> Certification Authority
    Issued by: <certificate authority> Certification Authority
    Expires:   Wed Sep 17 12:46:36 2036
    SHA1 hash: 3E0000000000000000000000000000000000000F

After EKU filter, 2 certs were left.
After expiry filter, 2 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

You can see what filter is causing your certificate to not work, or if no certificates were considered.

I changed the hashes and other info, but you should get the idea. Hope this helps.

---

¹ _{Please note: signtool is particular about where the /debug option is placed. It needs to go after the sign statement.}
² _{Also note: the /debug option only works with some versions of signtool. The WDK version has the option, whereas the Windows SDK version does not.}

Answer 3

In case anyone else runs into this: My problem ended up being that I needed to run the command prompt as administrator before using the signtool.exe app. Then everything works wonderfully.

Answer 4

With /debug, when you get this message "After Private Key filter, 0 certs were left.", one reason could be that the pfx file doesn't have the private key. When you export the installed certificate to pfx file ensure to enable the check box to also include the private key.

Answer 5

I had a similar problem my computer name had change and the certificate had expired. I was able to resolve this issue by creating a new test certificate.

In Visual Studio, right click on project in solution explorer. Select properties. Select Signing in properties window. Click "Create Test Certificate....". Enter password information for test certificate and click ok.

Answer 6

In my case I have the wrong type of certificate that I am trying to associate.
I had "Server Authentication" rather than "Code signing".
You should be able to see this in Certificate snap in the Intended Purpose section.
After that, it just work fine.