Signtool error: No certificates were found that met all given criteria with a Windows Store App?

Question

I\'m trying to sign a Windows 8 appx package with a pfx file I have. I\'m using a command like so:

signtool.exe sign /fd sha256 /f \"key.pfx\" \"app.appx\"
<         


        

Answer 1

I had this problem and I'm not entirely sure which step below made it work, but hope this helps somebody else...this is what I did:

• Install the downloaded certificate (.crt) into certificates (I put it into “personal” store) - right click on .crt file and click Install Certificate.
• Run certmgr.msc and export the certificate (found in whichever store you used in the 1st step) as a pfx file including private key, and extended properties (probably unnecessary)
• Use the exported .pfx file when signing your project
• Example signtool: signtool sign /f "c:\mycert.pfx" /p mypassword /d "description" /t http://timestamp.verisign.com/scripts/timstamp.dll $(TargetPath)
  where the password is the same as provided during Export

Answer 2

The criteria include account name (whose private key it is associated with), domain, company, expiration date, intended purposes, among other things.

There are many different possible reasons for this error to occur, some have been listed already. Here is another tip: When importing a certificate, be sure you work with the original file received from the certificate authority (CA), or else some of the properties might be lost.

Example: recently I tried to import a certificate exported from a different account on the same machine. The certificate became visible to my account but was not associated with my account, and as a result signtool refused to recognize it without explicitly providing the file name and a password. Which, when done as part of the build process and written out explicitly in a batch file or source file, may not be sufficiently secure. (Importing the original CA-issued certificate solved it.)

Answer 3

Please always check your certificate expiry date first because most of the certificates have an expiry date. In my case certificate has expired and I was trying to build project.

Answer 4

I solved this by using the /sm flag to specify to look in the machine store instead of the default, which is My (Local User) store. Also, it can help to turn on debug for signtool by using /debug.

Answer 5

I have had this issue too, tried a lot. Used SDK as well as Visual Studio signing, but everywhere I got "No certificates were found that met all the given criteria".

Solution: Be aware that, if "after private key filter": '0 left' shows up with option signtool sign /debug..., the cause is your PC doesn't has the CA itself in the store. To solve this, install the CA first (in my case a .crt file), then run the sign again. It should work right now!

Signtool only can be used with a CA which is requested ánd owned by the same PC.

Answer 6

If you do not have to sign the app, right click on your project

Project Properties -> Signing -> uncheck "Sign the ClickOnce Manifest"

Also as this MS article suggests,

If you are using Visual Studio 2008 and are targeting .NET 3.5 and using automatic updates, you can just change the certificate and deploy a new version,