Windows 10: SignTool Error: No certificates were found that met all the given criteria.

[logidelic]

• Version: 18.5.1

• Target: Windows 10 default

Trying to sign my app (with a DigiCert Code Signing Certificate), I'm currently getting the following error:

electron-builder 18.5.1
Rebuilding native production dependencies for win32:x64
Packaging for win32 x64 using electron 1.6.10 to dist\win-unpacked
Signing appy.exe (certificate subject name: "MyCorp, Inc.")
Error: Exit code: 1. Command failed: C:\Users\duder\AppData\Local\electron-builder\cache\winCodeSign\winCodeSign-1.7.0\windows-10\x64\signtool.exe sign /t http://timestamp.verisign.com/scripts/timstamp.dll /n MyCorp, Inc. /d appy C:\Users\duder\dev\MyCorp\apps\kiosk\dist\win-unpacked\appy.exe
SignTool Error: No certificates were found that met all the given criteria.

My package.json specifies the cert as follows:

    "win": {
      "certificateSubjectName": "MyCorp, Inc.",
      "publisherName": "MyCorp, Inc.",
      "certificateFile": "c:/Users/duder/dev/MyCorp/apps/certs/MyCorp_code.p12",
      "certificatePassword": "ohnoyoudont"
    }

I've also tried specifying the cert/pass in the CSC_LINK/CSC_KEY_PASSWORD environment variables.

Any help would be appreciated.

[MariaDima]

Can you retry with **file://**c:/Users/duder/dev/MyCorp/apps/certs/MyCorp_code.p12?
First only with the CSC_LINK/CSC_KEY_PASSWORD environment variables.

[logidelic]

Thanks for the suggestion. Unfortunately it doesn't seem to change anything.

One thing I find suspicious is that I don't see the cert filename on the signtool command-line in my original post. Am I right in thinking that it should be there?

[develar]

Please ensure that p12 file contains not only cert but private Key also. Try to install execute command in the terminal directly.

[logidelic]

I was finally able to get this working by removing the entire "win" section from my packages.json (i.e. certificateSubjectName & publisherName). This is surprising since the docs make it sound like these fields are required and it turns out I needed to not have them. :)

[develar]

since the docs make it sound like these fields are required

Why? How can be improved?

[logidelic]

The doc says:

certificateSubjectName String - The name of the subject of the signing certificate. Required only for EV Code Signing and works only on Windows.

In my case I am indeed doing EV Code Signing, so the doc is suggesting that the field is required. Instead, it was actually causing my problem (though I don't know why).

For publisherName, now that I've re-read the docs, it seems clear that it's not required (unless someone edited the docs out from under me :) ).

Thanks.

[develar]

Hmmm, for EV cert it is required since EV cert is not available as file, but you state that you have a file?

[logidelic]

Agh, you are totally correct. I got the type of cert name confused. Sorry for wasting your time. I guess there is still the question of why including the info caused a problem..

[HabibulHH]

i am using this code block to sign in , i am also getting the same error

"build":{
"appId":"imshealth.com",
"productName":"paddsreportportal",
"icon" : "build/portal.ico",
"asar": false,
"win":{
"certificateFile":"build/wildcard_production_imsglobal_com.pfx",
"certificatePassword":"DR83%#s*5"
}
SignTool Error: No certificates were found that met all the given criteria.

[surensaluka]

Hi, I had a similar issue due to a domain account change. Take a look at here

[jolamar]

Turns out my private key was missing. I downloaded my crt from another computer. Ended up having to create a new crt from the computer I was using.

[gtamas]

I'm getting this error too. @develar @logidelic @jolamar

Version: 21.2.0

I'm running Windows 10 in Parallels Pro and am using a self-signed certificate which I imported into:

• Root Certificated Authorities
• Trusted Publishers
• Trusted People

I can sign the appx if I remove the the "win" segment from config. Electron builder reports success. However, if I check the resulting appx file in windows inspector, the "Digital Signatures" tab is missing from "Properties" panel.

If the "win" section is present, the build fails and I get the "No certificates..." error.

My config:

  win: {
                    icon: './public/icons/icon.ico',
                    artifactName: '${productName}-${version}-win64.${ext}',
                    publisherName: 'Me',
                    certificateSubjectName: 'Me',
                    target: [
                        {
                            target: 'nsis',
                            arch: ['x64', 'ia32'],
                        },
                        {
                            target: 'appx',
                            arch: ['x64'],
                        },

                    ],
                },
                appx: {
                    identityName: 'App',
                    displayName: 'App',
                    publisher: 'CN=something',
                    publisherDisplayName: 'Me',
                    languages: [
                        'en_US',
                        'hu_HU'
                    ],
                    addAutoLaunchExtension: true,
                    setBuildNumber: true,
                    backgroundColor: 'lightGray'
                },

The certificate is fine. I can run this in powershell:

Set-AuthenticodeSignature -FilePath '.\some.file' -Certificate $cert

and it works. And if I inspect that file, it has "Digital Signatures" panel.

I generated the certificate like this:

$cert = New-SelfSignedCertificate -Subject "Me" -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My

$CertPassword = ConvertTo-SecureString -String "foo" -Force -AsPlainText

Export-PfxCertificate -Cert cert:\LocalMachine\My\someid -FilePath cert.pfx -Password $CertPassword

What's wrong? Why does electron builder report success when the resulting file is actually not signed according to windows.

Thanks in advance!