Code signing failing -- SOLVED!

[SimonMatthews]

I got a new Code Signing certificate (from Sectigo), on a YubiKey dongle.

I have followed the instructions here:
https://www.advancedinstaller.com/user- ... gning.html

We don't have an EV certificate, but I don't think that should make a difference.

However, at the point of signing (we are running this in a script), I get:
Detecting MSI incompatible resources
ERROR: Digital signature. Digital certificate selected for signing has expired! Please replace it with a valid SHA256 certificate.
WARNING: Digital signature. Digital certificate selected for signing is of SHA1 type. This might work but is not officially supported by Windows, a SHA256 certificate is recommended.

There are no other certificates on the build system. I have checked that the exported certificate is the correct one and is valid (copied it to a Linux system and got the text using OpenSSL).

See attachment for my setup.

Any ideas?

[SimonMatthews]

I finally solved the problem.

To use the Sectigo certificate, I needed to install some intermediate certificates.

The error message about an expired certificate was entirely wrong and, in my opinion, a bug in the signing tools. I don't know if this bad error message comes directly from SignTool.exe or elsewhere.

[Catalin]

Hello Simon,

Thank you very much for your followup on this and for sharing your solution with us!

I am glad to hear everything is working as expected now.

Regarding the error message, I think it is coming from signtool as that's what we're using for signing purposes.

Best regards,
Catalin