Signed executables are not trusted by Windows

[thommcgrath]

I can't believe I didn't notice for months, but the signatures are not being trusted by Windows. If I sign the executable with signtool using the same certificate, the signature is trusted, so it's not the certificate to blame. The only difference I can find between the two is "digest encryption algorithm" is sha256ECDSA with osslsigncode, and ECC with signtool.

My signing command is:

osslsigncode.exe sign -pkcs11module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" -pkcs11engine "%script_path%\pkcs11.dll" -pass "%pass%" -ts "http://timestamp.sectigo.com" -key "pkcs11:id=%%01" -certs "%script_path%\certificate.crt" -n "%name%" -i "%url%" -in "%in_file%" -out "%out_file%" -nolegacy

I've tried adding-h sha256 and different -n values, but haven't found anything that works. osslsigncode reports success and Windows shows a signature added. But it's not actually trusted.

I'm not sure what else to look at, but that digest encryption algorithm difference is standing out as the most likely problem.

[olszomal]

I tried replicating this, but I couldn't - it works for me.

1. Generate a self-signed certificate for the elliptic curve prime256v1:

openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private_key.pem
openssl req -new -key ecdsa_private_key.pem -out ecdsa_csr.pem
openssl x509 -req -days 365 -in ecdsa_csr.pem -signkey ecdsa_private_key.pem -out ecdsa_cert.pem -sha256

Verify the certificate details:

openssl x509 -in ecdsa_cert.pem -text -noout

Sample output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:dd:63:cc:8c:5a:bc:7a:34:c8:c7:f0:2f:c4:46:80:4b:c6:48:27
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=XX, L=Default City, O=Default Company Ltd
        Validity
            Not Before: Dec 31 10:58:21 2024 GMT
            Not After : Dec 31 10:58:21 2025 GMT
        Subject: C=XX, L=Default City, O=Default Company Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:50:f2:03:b6:ac:fc:e7:9d:c5:08:50:8a:fe:16:
                    62:2a:bc:2e:95:16:0f:2f:d7:97:12:35:b5:f5:b8:
                    ea:22:77:ac:3f:6a:56:fb:62:84:a0:f9:bf:1a:60:
                    8c:be:14:8c:61:dc:3e:14:3f:27:2c:aa:0f:d2:67:
                    df:b8:f3:57:76
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                50:5C:41:E8:8A:05:FE:32:A2:25:4D:02:FE:64:DF:95:71:A4:E2:FE
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:58:8e:ed:24:16:fc:7b:e2:a9:66:8d:c5:ce:68:
        77:24:f8:fd:a4:16:28:10:d9:e6:f8:03:a0:4c:e4:3a:38:aa:
        02:21:00:92:53:0d:ad:9d:e4:01:13:d0:08:a9:a1:52:6e:8a:
        93:4d:6d:01:dd:93:c7:8f:dd:3f:2d:98:a8:7f:b7:e5:e9

2. Use osslsigncode to sign an executable file:

osslsigncode sign -in unsigned.exe -out signed.exe -certs ecdsa_cert.p12 -key ecdsa_private_key.pem
Succeeded

3. Verify the signature using osslsigncode:

osslsigncode verify -in signed.exe -CAfile ecdsa_cert.pem
(...)
Succeeded

4. Add the test certificate to the Trusted Root Certification Authorities store.

5. Verify the signature using signtool:

signtool verify /v /pa signed.exe

Verifying: signed.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 2D2C7B382C8163A419B9FF214A7B651C33F9EA43335907F11377290C5158A7A4

Signing Certificate Chain:
    Issued to: Default Company Ltd
    Issued by: Default Company Ltd
    Expires:   Wed Dec 31 09:21:00 2025
    SHA1 hash: 3B201A5052A1803268968BC3270BA70EC416050F

File is not timestamped.


Successfully verified: signed.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

The digest encryption algorithm, such as ecdsa-with-SHA256, is defined in the signer info structure by the OpenSSL function PKCS7_add_signature(). It does not appear to impact your issue directly. Ensure that you provide a complete and correct certificate chain, including all required intermediate and root certificates, to avoid verification failures.

[thommcgrath]

If you try to run the exe as admin, does Windows show the publisher information? signtool would claim successful verification, but the Windows UAC prompt would shown unknown publisher.

Edit: Not using a self-signed certificate.

[olszomal]

Yes, Windows shows the publisher information in the UAC prompt. I can view certificate details, including the issuer, by clicking on "More info" in the prompt.

[thommcgrath]

Hmm. Well I'm out of ideas then. I have moved away from osslsigncode anyway due to this issue.

[mtrojnar]

We were unable to reproduce this issue.

[rasa]

@olszomal @thommcgrath @mtrojnar It appears I'm seeing the same issue. On Windows 11, using

osslsigncode 2.7, using:
        OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
        libcurl/8.2.1-DEV Schannel zlib/1.2.13

and C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe (10.0.26100.0.1742),
here's what I'm getting:

> osslsigncode sign -certs cert.pem -key priv.key -pass ex -verbose -in unsigned.exe -out signed.exe
Unable to load provider: legacy
Warning: Legacy mode disabled
Succeeded

> osslsigncode verify -in signed.exe -CAfile Certera_CABundle.crt
PE checksum   : 00E874D7

Message digest algorithm  : SHA256
Current message digest    : 9905F80D57C5820A43D96F2FC0C9293CD07CA073138E4A2BE0687CC1BA4DCACF
Calculated message digest : 9905F80D57C5820A43D96F2FC0C9293CD07CA073138E4A2BE0687CC1BA4DCACF

Signature Index: 0  (Primary Signature)
Signer's certificate:
        Signer #0:
                Subject: /C=US/ST=Oregon/O=Ross R. Smith/CN=Ross R. Smith
                Issuer : /C=US/O=Certera/CN=Certera Code Signing CA
                Serial : 2935DCAE06BE50AED7C6B49462A72C7A
                Certificate expiration date:
                        notBefore : Feb 19 00:00:00 2023 GMT
                        notAfter : Feb 12 23:59:59 2026 GMT

Number of certificates: 1
        Signer #0:
                Subject: /C=US/ST=Oregon/O=Ross R. Smith/CN=Ross R. Smith
                Issuer : /C=US/O=Certera/CN=Certera Code Signing CA
                Serial : 2935DCAE06BE50AED7C6B49462A72C7A
                Certificate expiration date:
                        notBefore : Feb 19 00:00:00 2023 GMT
                        notAfter : Feb 12 23:59:59 2026 GMT

Message digest algorithm: SHA256

Authenticated attributes:
        Signing time: Jan  4 18:12:25 2025 GMT
        Microsoft Individual Code Signing purpose
        Message digest: 43A117B430D375A5F668A5C599AD187FBBA46329A2D434A33728F765A2791588

CAfile: ..\Certera_CABundle.crt

Timestamp is not available

CRL distribution point: http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl
Connecting to http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl
Signature CRL verification: ok
Signature verification: ok

Number of verified signatures: 1
Succeeded

> "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" verify /v signed.exe

Verifying: signed.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 9905F80D57C5820A43D96F2FC0C9293CD07CA073138E4A2BE0687CC1BA4DCACF

Signing Certificate Chain:
    Issued to: AAA Certificate Services
    Issued by: AAA Certificate Services
    Expires:   Sun Dec 31 15:59:59 2028
    SHA1 hash: D1EB23A46D17D68FD92564C2F1F1601764D8E349

        Issued to: USERTrust RSA Certification Authority
        Issued by: AAA Certificate Services
        Expires:   Sun Dec 31 15:59:59 2028
        SHA1 hash: D89E3BD43D5D909B47A18977AA9D5CE36CEE184C

            Issued to: Certera Code Signing CA
            Issued by: USERTrust RSA Certification Authority
            Expires:   Mon Sep 06 15:59:59 2032
            SHA1 hash: 4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283

                Issued to: Ross R. Smith
                Issued by: Certera Code Signing CA
                Expires:   Thu Feb 12 15:59:59 2026
                SHA1 hash: 4A07C4211BD75F354D810FB015619718B2848FA6

File is not timestamped.

SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

But Sysinternal's sigcheck is happy with the signature:

> sigcheck signed.exe

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

..\signed.exe:
        Verified:       Signed
        Signing date:   10:16 AM 1/4/2025
        Publisher:      Ross R. Smith
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    64-bit

And so is Explorer:

so this seems more like a signtool bug than a osslsigncode bug, imho.

Or are users expected to import something into the cert store for signtool to report success?

[rasa]

Also, when I log in as a user who is only a member of the "Guest" group, and run the exe in a non-admin Command Prompt window, I don't see a UAC popup, it just runs. The UAC slider in settings is at it's highest level (always notify). So when would I expect to see a UAC popup?

[thommcgrath]

I believe (though I could be mistaken) that signtool is the only one actually verifying the certificate against the trusted roots. The others are just verifying the chain. Thus the signtool error "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

But at the end of the day, what really matters is Explorer as that is what end users will see. If the end user sees an "unknown publisher" warning, something is wrong.

My solution was to use scsigntool instead. I'm not sure what your goal is though. My reason for using osslsigncode was to automate signing so I don't have to enter my Yubikey PIN for each of the dozens of files per build.

[rasa]

@thommcgrath https://medium.com/@joshualipson/ev-code-certificates-automated-builds-for-windows-6100fb8e8be6 says signtool's "hidden/undocumented [options] /csp and /kc" ... "lets you tell signtool.exe to use the private key available on the token without requiring user inputted passwords!"

I don't know if that is referring to both PINs and passwords, or just passwords, but worth a try, eh?

[mtrojnar]

1. A lot has changed since osslsigncode 2.7... Could you try osslsigncode 2.9?
2. Authenticode signatures without timestamps are quite unusual. Is there a good reason for not timestamping your signature?
3. Could you enclose a signed executable (a hello word would be good enough), so that we can investigate your singnature and your certificate chain?

[thommcgrath]

Any of these Windows downloads used my old untrusted signing technique. The link will expire in 30 days. http://usebeacon.app/download?build=20301306&expires=1738624765&token=I5_MvBtQKmkwxXk8YXPv4xY5U3OAC7INIeVIFYNy_uuVk_Q3iJPb4snuNy3XthwMWn7BuRwTcgXAWCWnEn-ZsA

Edit: Oh and I was already using 2.9.

[rasa]

1. A lot has changed since osslsigncode 2.7... Could you try osslsigncode 2.9?

@mtrojnar Sorry, I should have used 2.9, I just installed what scoop provided, and it was out of date (which I fixed here). I will grab 2.9, retest, and update this thread with the results.

2. Authenticode signatures without timestamps are quite unusual. Is there a good reason for not timestamping your signature?

I tried with and without, but both failed signtool, so I left it out in my writeup.

3. Could you enclose a signed executable (a hello word would be good enough), so that we can investigate your signature and your certificate chain?

Will do. I purchased mine from signmycode.com in 2023, right before the crazy price jump. Perhaps it's wonky.

[rasa]

@mtrojnar Here's the attachment you requested: hello-osslsigncode-signed.exe.zip
it's

package main

import "fmt"

func main() {
	fmt.Println("Hello world!")
}

compiled but not upx'd, then signed by osslsigncode 2.9 per below.

Well, either signtool is buggy, or I got sold crap, as even signtool fails to verify it's own signature.

signtool's sha1 run:

z:\ >copy hello.exe hello-signtool-sha1-signed.exe
        1 file(s) copied.

z:\ >signtool sign /fd sha1 /f z:\ross-smith-ii-code-signing-certificate.pfx /p ex ^
  /t http://timestamp.digicert.com hello-signtool-sha1-signed.exe
Done Adding Additional Store
Successfully signed: hello-signtool-sha1-signed.exe

z:\ >signtool verify hello-signtool-sha1-signed.exe
File: hello-signtool-sha1-signed.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1

z:\ >sigcheck -i hello-signtool-sha1-signed.exe

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

z:\hello-signtool-sha1-signed.exe:
        Verified:       Signed
        Link date:      4:00 PM 12/31/1969
        Signing date:   5:25 PM 1/4/2025
        Catalog:        z:\hello-signtool-sha1-signed.exe
        Signers:
           Ross R. Smith
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    Certera Code Signing CA
                Serial Number:  29 35 DC AE 06 BE 50 AE D7 C6 B4 94 62 A7 2C 7A
                Thumbprint:     4A07C4211BD75F354D810FB015619718B2848FA6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 2/18/2023
                Valid to:       3:59 PM 2/12/2026
           Certera Code Signing CA
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    USERTrust RSA Certification Authority
                Serial Number:  21 66 F0 8A 51 EB FC AB CC 8F 44 30 91 A9 4B 0E
                Thumbprint:     4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 9/6/2022
                Valid to:       3:59 PM 9/6/2032
           USERTrust RSA Certification Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    AAA Certificate Services
                Serial Number:  39 72 44 3A F9 22 B7 51 D7 D3 6C 10 DD 31 35 95
                Thumbprint:     D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 3/11/2019
                Valid to:       3:59 PM 12/31/2028
           Sectigo (AAA)
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing
                Cert Issuer:    AAA Certificate Services
                Serial Number:  01
                Thumbprint:     D1EB23A46D17D68FD92564C2F1F1601764D8E349
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 12/31/2003
                Valid to:       3:59 PM 12/31/2028
        Counter Signers:
           DigiCert Timestamp 2024
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Serial Number:  0B AE 66 BC 5A BA 7F 95 87 C6 F9 E9 04 E3 33 04
                Thumbprint:     DBD385EE62DBD23E7BE4F67148508724D5865B45
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 9/25/2024
                Valid to:       3:59 PM 11/25/2035
           DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted Root G4
                Serial Number:  07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
                Thumbprint:     B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 3/22/2022
                Valid to:       3:59 PM 3/22/2037
           DigiCert Trusted Root G4
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
                Thumbprint:     A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 7/31/2022
                Valid to:       3:59 PM 11/9/2031
           DigiCert
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
                Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 11/9/2006
                Valid to:       4:00 PM 11/9/2031
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    64-bit

osslsigncode's run:

z:\ >osslsigncode -v
osslsigncode 2.9, using:
        OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
No default -CAfile location detected

Please send bug-reports to Michal.Trojnara@stunnel.org

z:\ >osslsigncode sign -certs z:\ross-smith-ii-code-signing-certificate.pem ^
  -key z:\ross-smith-ii-code-signing-private.key -pass ex ^
  -t http://timestamp.digicert.com -in hello.exe -out hello-osslsigncode-signed.exe
Unable to load provider: legacy
Warning: Legacy mode disabled
Connecting to http://timestamp.digicert.com
Succeeded

z:\ >signtool verify hello-osslsigncode-signed.exe
File: hello-osslsigncode-signed.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1

z:\ >osslsigncode verify -CAfile z:\Certera_CABundle.crt  hello-osslsigncode-signed.exe
PE checksum   : 0022F340

Signature Index: 0  (Primary Signature)

Message digest algorithm  : SHA256
Current message digest    : E84DEE2A44715BA6863CFB37D1640199BD740FBCD721C39C14192A89E24BABA7
Calculated message digest : E84DEE2A44715BA6863CFB37D1640199BD740FBCD721C39C14192A89E24BABA7

Signer's certificate:
        ------------------
        Signer #0:
                Subject: /C=US/ST=Oregon/O=Ross R. Smith/CN=Ross R. Smith
                Issuer : /C=US/O=Certera/CN=Certera Code Signing CA
                Serial : 2935DCAE06BE50AED7C6B49462A72C7A
                Certificate expiration date:
                        notBefore : Feb 19 00:00:00 2023 GMT
                        notAfter : Feb 12 23:59:59 2026 GMT

Message digest algorithm: SHA256

Authenticated attributes:
        Signing time: Jan  5 01:47:26 2025 GMT
        Microsoft Individual Code Signing purpose
        Message digest: ECB505000EC9A054599FE5133AB942DCA0465C800E153DDE4B47611266ADED6C

Countersignatures:
        Timestamp time: Jan  5 01:47:26 2025 GMT
        Signing time: Jan  5 01:47:26 2025 GMT
        Hash Algorithm: sha256
        Issuer: /C=US/O=DigiCert, Inc./CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
        Serial: 0BAE66BC5ABA7F9587C6F9E904E33304

CAfile: z:\Certera_CABundle.crt
Use the "-TSA-CAfile" option to add the Time-Stamp Authority certificates bundle to verify the Timestamp Server.

Timestamp Server Signature verification: failed
Signing certificate chain verified using:
        ------------------
        Signer #3:
                Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Serial : 01
                Certificate expiration date:
                        notBefore : Jan  1 00:00:00 2004 GMT
                        notAfter : Dec 31 23:59:59 2028 GMT

        ------------------
        Signer #2:
                Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
                Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Serial : 3972443AF922B751D7D36C10DD313595
                Certificate expiration date:
                        notBefore : Mar 12 00:00:00 2019 GMT
                        notAfter : Dec 31 23:59:59 2028 GMT

        ------------------
        Signer #1:
                Subject: /C=US/O=Certera/CN=Certera Code Signing CA
                Issuer : /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
                Serial : 2166F08A51EBFCABCC8F443091A94B0E
                Certificate expiration date:
                        notBefore : Sep  7 00:00:00 2022 GMT
                        notAfter : Sep  6 23:59:59 2032 GMT

        ------------------
        Signer #0:
                Subject: /C=US/ST=Oregon/O=Ross R. Smith/CN=Ross R. Smith
                Issuer : /C=US/O=Certera/CN=Certera Code Signing CA
                Serial : 2935DCAE06BE50AED7C6B49462A72C7A
                Certificate expiration date:
                        notBefore : Feb 19 00:00:00 2023 GMT
                        notAfter : Feb 12 23:59:59 2026 GMT

CRL distribution point: http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl
Connecting to http://Certera.crl.sectigo.com/CerteraCodeSigningCA.crl

Certificate Revocation List verified using:
        ------------------
        Signer #3:
                Subject: /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Serial : 01
                Certificate expiration date:
                        notBefore : Jan  1 00:00:00 2004 GMT
                        notAfter : Dec 31 23:59:59 2028 GMT

        ------------------
        Signer #2:
                Subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
                Issuer : /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
                Serial : 3972443AF922B751D7D36C10DD313595
                Certificate expiration date:
                        notBefore : Mar 12 00:00:00 2019 GMT
                        notAfter : Dec 31 23:59:59 2028 GMT

        ------------------
        Signer #1:
                Subject: /C=US/O=Certera/CN=Certera Code Signing CA
                Issuer : /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
                Serial : 2166F08A51EBFCABCC8F443091A94B0E
                Certificate expiration date:
                        notBefore : Sep  7 00:00:00 2022 GMT
                        notAfter : Sep  6 23:59:59 2032 GMT

        ------------------
        Signer #0:
                Subject: /C=US/ST=Oregon/O=Ross R. Smith/CN=Ross R. Smith
                Issuer : /C=US/O=Certera/CN=Certera Code Signing CA
                Serial : 2935DCAE06BE50AED7C6B49462A72C7A
                Certificate expiration date:
                        notBefore : Feb 19 00:00:00 2023 GMT
                        notAfter : Feb 12 23:59:59 2026 GMT

Signature CRL verification: ok
Signature verification: ok

Number of verified signatures: 1
Succeeded

z:\ >sigcheck -i hello-osslsigncode-signed.exe

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

z:\hello-osslsigncode-signed.exe:
        Verified:       Signed
        Link date:      4:00 PM 12/31/1969
        Signing date:   5:47 PM 1/4/2025
        Catalog:        z:\hello-osslsigncode-signed.exe
        Signers:
           Ross R. Smith
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    Certera Code Signing CA
                Serial Number:  29 35 DC AE 06 BE 50 AE D7 C6 B4 94 62 A7 2C 7A
                Thumbprint:     4A07C4211BD75F354D810FB015619718B2848FA6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 2/18/2023
                Valid to:       3:59 PM 2/12/2026
           Certera Code Signing CA
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    USERTrust RSA Certification Authority
                Serial Number:  21 66 F0 8A 51 EB FC AB CC 8F 44 30 91 A9 4B 0E
                Thumbprint:     4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 9/6/2022
                Valid to:       3:59 PM 9/6/2032
           USERTrust RSA Certification Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    AAA Certificate Services
                Serial Number:  39 72 44 3A F9 22 B7 51 D7 D3 6C 10 DD 31 35 95
                Thumbprint:     D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 3/11/2019
                Valid to:       3:59 PM 12/31/2028
           Sectigo (AAA)
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing
                Cert Issuer:    AAA Certificate Services
                Serial Number:  01
                Thumbprint:     D1EB23A46D17D68FD92564C2F1F1601764D8E349
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 12/31/2003
                Valid to:       3:59 PM 12/31/2028
        Counter Signers:
           DigiCert Timestamp 2024
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Serial Number:  0B AE 66 BC 5A BA 7F 95 87 C6 F9 E9 04 E3 33 04
                Thumbprint:     DBD385EE62DBD23E7BE4F67148508724D5865B45
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 9/25/2024
                Valid to:       3:59 PM 11/25/2035
           DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted Root G4
                Serial Number:  07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
                Thumbprint:     B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 3/22/2022
                Valid to:       3:59 PM 3/22/2037
           DigiCert Trusted Root G4
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
                Thumbprint:     A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 7/31/2022
                Valid to:       3:59 PM 11/9/2031
           DigiCert
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
                Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 11/9/2006
                Valid to:       4:00 PM 11/9/2031
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    64-bit

Signtool's sha256 run:

click to view

z:\ >copy hello.exe hello-signtool-sha256-signed.exe
        1 file(s) copied.

z:\ >signtool sign /fd sha256 /f z:\ross-smith-ii-code-signing-certificate.pfx /p ex ^
  /t http://timestamp.digicert.com hello-signtool-sha256-signed.exe
Done Adding Additional Store
Successfully signed: hello-signtool-sha256-signed.exe

z:\ >signtool verify hello-signtool-sha256-signed.exe
File: hello-signtool-sha256-signed.exe
Index  Algorithm  Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
        certificate which is not trusted by the trust provider.

Number of errors: 1

z:\ >sigcheck -i hello-signtool-sha256-signed.exe

Sigcheck v2.90 - File version and signature viewer
Copyright (C) 2004-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

z:\hello-signtool-sha256-signed.exe:
        Verified:       Signed
        Link date:      4:00 PM 12/31/1969
        Signing date:   5:25 PM 1/4/2025
        Catalog:        z:\hello-signtool-sha256-signed.exe
        Signers:
           Ross R. Smith
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    Certera Code Signing CA
                Serial Number:  29 35 DC AE 06 BE 50 AE D7 C6 B4 94 62 A7 2C 7A
                Thumbprint:     4A07C4211BD75F354D810FB015619718B2848FA6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 2/18/2023
                Valid to:       3:59 PM 2/12/2026
           Certera Code Signing CA
                Cert Status:    Valid
                Valid Usage:    Code Signing
                Cert Issuer:    USERTrust RSA Certification Authority
                Serial Number:  21 66 F0 8A 51 EB FC AB CC 8F 44 30 91 A9 4B 0E
                Thumbprint:     4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 9/6/2022
                Valid to:       3:59 PM 9/6/2032
           USERTrust RSA Certification Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    AAA Certificate Services
                Serial Number:  39 72 44 3A F9 22 B7 51 D7 D3 6C 10 DD 31 35 95
                Thumbprint:     D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 3/11/2019
                Valid to:       3:59 PM 12/31/2028
           Sectigo (AAA)
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing
                Cert Issuer:    AAA Certificate Services
                Serial Number:  01
                Thumbprint:     D1EB23A46D17D68FD92564C2F1F1601764D8E349
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 12/31/2003
                Valid to:       3:59 PM 12/31/2028
        Counter Signers:
           DigiCert Timestamp 2024
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Serial Number:  0B AE 66 BC 5A BA 7F 95 87 C6 F9 E9 04 E3 33 04
                Thumbprint:     DBD385EE62DBD23E7BE4F67148508724D5865B45
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 9/25/2024
                Valid to:       3:59 PM 11/25/2035
           DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    DigiCert Trusted Root G4
                Serial Number:  07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
                Thumbprint:     B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
                Algorithm:      sha256RSA
                Valid from:     4:00 PM 3/22/2022
                Valid to:       3:59 PM 3/22/2037
           DigiCert Trusted Root G4
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
                Thumbprint:     A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
                Algorithm:      sha384RSA
                Valid from:     4:00 PM 7/31/2022
                Valid to:       3:59 PM 11/9/2031
           DigiCert
                Cert Status:    Valid
                Valid Usage:    Client Auth, Code Signing, Email Protection, Server Auth, Timestamp Signing
                Cert Issuer:    DigiCert Assured ID Root CA
                Serial Number:  0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
                Thumbprint:     0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
                Algorithm:      sha1RSA
                Valid from:     4:00 PM 11/9/2006
                Valid to:       4:00 PM 11/9/2031
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    64-bit

[olszomal]

@rasa You need to install the following certificate in the Windows certificate store:

Issued to: USERTrust RSA Certification Authority
Issued by: USERTrust RSA Certification Authority
Expires: Tue Jan 19 00:59:59 2038
SHA1 hash: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

For details, see:
https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/216943-list-of-root-certificates-required-for-a.html

Note: Use signtool verify /pa to specify the Default Authenticode Verification Policy.

This is my output:

>signtool verify /v /pa hello-osslsigncode-signed.exe

Verifying: hello-osslsigncode-signed.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): E84DEE2A44715BA6863CFB37D1640199BD740FBCD721C39C14192A89E24BABA7

Signing Certificate Chain:
    Issued to: USERTrust RSA Certification Authority
    Issued by: USERTrust RSA Certification Authority
    Expires:   Tue Jan 19 00:59:59 2038
    SHA1 hash: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

        Issued to: Certera Code Signing CA
        Issued by: USERTrust RSA Certification Authority
        Expires:   Tue Sep 07 00:59:59 2032
        SHA1 hash: 4E6EFBA5EBA3775B9A6473D2F07E9A0B9AA81283

            Issued to: Ross R. Smith
            Issued by: Certera Code Signing CA
            Expires:   Fri Feb 13 00:59:59 2026
            SHA1 hash: 4A07C4211BD75F354D810FB015619718B2848FA6

The signature is timestamped: Sun Jan 05 02:25:52 2025
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Trusted Root G4
        Issued by: DigiCert Assured ID Root CA
        Expires:   Mon Nov 10 00:59:59 2031
        SHA1 hash: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6

            Issued to: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
            Issued by: DigiCert Trusted Root G4
            Expires:   Mon Mar 23 00:59:59 2037
            SHA1 hash: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F

                Issued to: DigiCert Timestamp 2024
                Issued by: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
                Expires:   Mon Nov 26 00:59:59 2035
                SHA1 hash: DBD385EE62DBD23E7BE4F67148508724D5865B45


Successfully verified: hello-osslsigncode-signed.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0