How to do code signing on Vista

Mike

I was able to sign executables with no problems on XP but I can't get
it to work on Vista. I have installed the Vista SDK. But when I run
signtool to sign the exe I get:

SignTool Error: Signtool requires CAPICOM version 2.1.0.1 or higher...

Supposedly that means capicom.dll is not registered. But on trying to
register it I get:
The module "capicom.dll" was loaded but the call to DLLRegisterServer
failed with the error code 0x80070005.

Any ideas?
 
Guest

When you register the .dll do you do it from an elevated (administrators)
command prompt? That is, right-click the Command Prompt icon and select
"Run as administrator".
 
Mike

When you register the .dll do you do it from an elevated (administrators)
command prompt? That is, right-click the Command Prompt icon and select
"Run as administrator".

Thanks Paul that got it registered. I am logged in as admin though so
why do I have to run this command prompt as an admin as well? However
I still get the same error when trying to use signtool. But when I run
that bat file as admin it says:

No certificates were found that met all the given criteria
 
Guest

There is an elevated level of administrator to prevent unauthorized access to
programs, etc.
 
Andrew McLaren

Mike said:
Thanks Paul that got it registered. I am logged in as admin though so
why do I have to run this command prompt as an admin as well? However

In Vista, if you are logged in as an administrator, you still only get a
standard user token, until your privilege level is explicitly elevated to a
full administrative token. You can elevate manually by doing a "Run as
Administrator"; or, an EXE can ask for elevation in its manifest. In other
words, in Vista, just because you're logged in as administrator it doesn't
make you an administrator - you still need to be elevated for specific
actions. This is a pretty fundamental principle of UAC.
I still get the same error when trying to use signtool. But when I run
that bat file as admin it says:

No certificates were found that met all the given criteria

There could be many causes for this error. It would depend on what
certificates you're using (e.g. are they supplied by Verisign, etc. or is it a
certificate you made yourself?) and the exact syntax of your Signtool
command.

Overall, I'd recommend you ask in a developer-oriented forum, such as:
http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=44&SiteID=1

Give a detailed description of your certificates and the commands you are
using.

In general terms, SignTool works fine on Vista; but it's a pretty arcane,
fiddly tool to use at the best of times.

Good luck with it.
 
Mike

In general terms, SignTool works fine on Vista; but it's a pretty arcane,
fiddly tool to use at the best of times.

In case anyone is interested my main problem seems to be that I did
not import the cert correctly. All you have to do is double-click the
.pfx file, enter the code signing password and follow the prompts.
Then you just run signtool (as admin) as you would on XP.
 
Andrew McLaren

Mike said:
In case anyone is interested my main problem seems to be that I did
not import the cert correctly. All you have to do is double-click the
.pfx file, enter the code signing password and follow the prompts.
Then you just run signtool (as admin) as you would on XP.

Ah-ha! Okay, cool, thanks for the update. I guess it wasn't obvious that you
are using *.pfx files to hold all the certificates. Otherwise, it would
depend on the multiple *.cer etc. files which you were specifying on the
command-line. There are about 50 million different ways to use SignTool,
there's no one way "that you'd run it on XP". But the same syntax you used
on XP, should work on Vista (allowing for UAC).
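
The two problems in this thread (a non-elevated token, then no imported certificate) can be checked before running signtool. The script below is an added example, not part of the original thread; it assumes Windows PowerShell with the Cert: provider, and the function names Test-Elevated and Get-UsableSigningCert are hypothetical.

```powershell
# Added example: pre-flight check for the two failures discussed in this thread.

function Test-Elevated {
    # Under UAC an administrator's processes start with a filtered token.
    # IsInRole(Administrator) is true only when this process is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UsableSigningCert {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    # A certificate is usable for signing only if it carries the code signing
    # usage, has its private key in the store, and is inside its validity period.
    $now = Get-Date
    Get-ChildItem -Path $StorePath -CodeSigningCert |
        Where-Object {
            $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
        }
}

if (Test-Elevated) {
    Write-Host 'Token: elevated (full administrator token).'
} else {
    # Registering a DLL from this state fails with 0x80070005 (access denied).
    Write-Host 'Token: not elevated. Start the prompt with "Run as administrator".'
}

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = @(Get-UsableSigningCert -StorePath $store)
    if ($certs.Count -eq 0) {
        # Matches the "No certificates were found" symptom: nothing with a
        # private key has been imported into this store (e.g. from the .pfx).
        Write-Host "$store : no usable code signing certificate."
    } else {
        Write-Host "$store : $($certs.Count) usable certificate(s):"
        $certs | Format-Table Subject, Thumbprint, NotAfter -AutoSize
    }
}
```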
 
