Signtool error: No certificates were found that met all given criteria with a Windows Store App?

Anonymous (unverified) submitted on 2019-12-03 01:14:02

Question:

So, I'm trying to sign a Windows 8 appx package with a pfx file I have. I'm using a command like so:

signtool.exe sign /fd sha256 /f "key.pfx" "app.appx" 

And from this, I get:

SignTool Error: No certificates were found that met all the given criteria.

What "criteria" am I not meeting? This is only for testing so these are self-signed certificates. I've tried importing the key and then signing it, but it always results in the same error. How do I fix this?

Answer 1:

When getting this error through Visual Studio it was because there was a signing certificate set up to match the computer it was originally developed on.

You can check this by going to the project properties > signing tab and checking the certificate details.

You can uncheck "Sign the ClickOnce manifests" to disable signing.

If you don't want to turn this option off you will have to install the certificate.



Answer 2:

Try with /debug [1][2], as in:

signtool sign /debug /f mypfxfile.pfx /p  (mydllexectuable).exe 

It will help you find out what is going on. You should get output like this:

    The following certificates were considered:
        Issued to:
        Issued by:  Class 2 Primary Intermediate Server CA
        Expires:   Sun Mar 01 14:18:23 2015
        SHA1 hash: DD0000000000000000000000000000000000D93E

        Issued to:  Certification Authority
        Issued by:  Certification Authority
        Expires:   Wed Sep 17 12:46:36 2036
        SHA1 hash: 3E0000000000000000000000000000000000000F

    After EKU filter, 2 certs were left.
    After expiry filter, 2 certs were left.
    After Private Key filter, 0 certs were left.
    SignTool Error: No certificates were found that met all the given criteria.

You can see what filter is causing your certificate to not work, or if no certificates were considered.

I changed the hashes and other info, but you should get the idea. Hope this helps.


[1] Please note: signtool is particular about where the /debug option is placed. It needs to go after the sign statement.
[2] Also note: the /debug option only works with some versions of signtool. The WDK version has the option, whereas the Windows SDK version does not.



Answer 3:

Please always check your certificate expiry date first, because most certificates have an expiry date. In my case the certificate had expired and I was trying to build the project.



Answer 4:

Got the same issue, turned out that the private key to the certificate had no permission.
To fix - open the certificate management, find your certificate, right click -> Manage Private Keys and then in security on top be sure that your user is added and given permissions. That fixed it for me.



Answer 5:

In case anyone else runs into this: My problem ended up being that I needed to run the command prompt as administrator before using the signtool.exe app. Then everything works wonderfully.



Answer 6:

Go to Project Properties --> Click on the Signing ---> Uncheck the Sign the ClickOnce manifests.

Or Create Test Certificates with password.



Answer 7:

In my case I had the wrong type of certificate that I was trying to associate.
I had "Server Authentication" rather than "Code signing".
You should be able to see this in the Certificate snap-in, in the Intended Purpose section.
After that, it just works fine.



Answer 8:

The criteria include account name (whose private key it is associated with), domain, company, expiration date, intended purposes, among other things.

There are many different possible reasons for this error to occur, some have been listed already. Here is another tip: When importing a certificate, be sure you work with the original file received from the certificate authority (CA), or else some of the properties might be lost.

Example: recently I tried to import a certificate exported from a different account on the same machine. The certificate became visible to my account but was not associated with my account, and as a result signtool refused to recognize it without explicitly providing the file name and a password. Which, when done as part of the build process and written out explicitly in a batch file or source file, may not be sufficiently secure. (Importing the original CA-issued certificate solved it.)



Answer 9:

I was having the same problem; reading some answers (posted here), I saw my certificate had expired.

I just created a new one from my start project. Then, in the certificates manager, I deleted the expired certificate.

Now everything compiles fine.



Answer 10:

I have had this issue too, tried a lot. Used SDK as well as Visual Studio signing, but everywhere I got "No certificates were found that met all the given criteria".

Solution: Be aware that, if "after private key filter": '0 left' shows up with option signtool sign /debug..., the cause is your PC doesn't have the CA itself in the store. To solve this, install the CA first (in my case a .crt file), then run the sign again. It should work right now!

Signtool only can be used with a CA which is requested and owned by the same PC.



Answer 11:

My problem ended up being that I did not understand the signtool options. I had provided the /n option with something that did not match my certificate. When I removed that it stopped complaining.



Answer 12:

I had a similar problem: my computer name had changed and the certificate had expired. I was able to resolve this issue by creating a new test certificate.

In Visual Studio, right click on project in solution explorer. Select properties. Select Signing in properties window. Click "Create Test Certificate....". Enter password information for test certificate and click ok.



Answer 13:

I solved this by using the /sm flag to specify to look in the machine store instead of the default, which is My (Local User) store. Also, it can help to turn on debug for signtool by using /debug.



Answer 14:

With /debug, when you get this message "After Private Key filter, 0 certs were left.", one reason could be that the pfx file doesn't have the private key. When you export the installed certificate to pfx file ensure to enable the check box to also include the private key.
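The three filters named in the /debug output quoted in the answers above (EKU, expiry, private key) can also be checked directly from PowerShell, which helps when your signtool build lacks /debug. This is an added example, not part of any answer: the function name Test-SigningCandidate is hypothetical, key.pfx is the file name from the question, and treating a certificate with no EKU extension as acceptable is an assumption about how the EKU filter behaves.

```powershell
# Added example: mirror signtool's EKU / expiry / private-key filters per certificate.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Test-SigningCandidate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # EKU: look for the Code Signing OID in the EKU extension.
        # Assumption: no EKU extension at all means "valid for all purposes".
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus  = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        $ekuOk = (-not $ekuExt) -or ($ekus -contains $CodeSigningOid)

        # Expiry: the certificate must be inside its validity window right now.
        $now    = Get-Date
        $dateOk = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)

        # Private key: only tells you a key is associated with the certificate;
        # the key's ACL can still deny your account access to it.
        $keyOk = $Certificate.HasPrivateKey

        $failed = if (-not $ekuOk) { 'EKU' }
                  elseif (-not $dateOk) { 'Expiry' }
                  elseif (-not $keyOk) { 'Private Key' }
                  else { $null }

        [pscustomobject]@{
            Subject      = $Certificate.Subject
            Thumbprint   = $Certificate.Thumbprint
            NotAfter     = $Certificate.NotAfter
            EkuOk        = $ekuOk
            ExpiryOk     = $dateOk
            PrivateKeyOk = $keyOk
            FailedFilter = $failed   # $null means all three filters pass
        }
    }
}

# Certificate stores: the user store is the default, /sm selects the machine store.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My | Test-SigningCandidate | Format-Table -AutoSize

# A PFX file as passed to /f. The password is prompted for, not written into a script.
$secure = Read-Host 'PFX password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$pfx    = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$pfx.Import((Resolve-Path 'key.pfx').Path, $plain, 'DefaultKeySet')
$pfx | Test-SigningCandidate | Format-Table -AutoSize
```

A row with PrivateKeyOk = False for the PFX corresponds to an export made without the private key; a row that passes all three yet still fails in signtool points at key permissions or a /n value that does not match the subject.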



Answer 15:

Just uncheck the 'Sign the click once manifests' from the signing tab in project properties, it will remove the error and you can create a new one as from there.



Answer 16:

Go to project properties and uncheck all fields from the Firm before init the compilation



Answer 17:

I had this problem and am not entirely sure which made it work, but hope this helps somebody else... this is what I did:

  • Install the downloaded certificate (.crt) into certificates (I put it into “personal” store) - right click on .crt file and click Install Certificate.
  • Run certmgr.msc and export the certificate (found in whichever store you used in the 1st step) as a pfx file including private key, and extended properties (probably unnecessary)
  • Use the exported .pfx file when signing your project
  • Example signtool: signtool sign /f "c:\mycert.pfx" /p mypassword /d "description" /t http://timestamp.verisign.com/scripts/timstamp.dll $(TargetPath)
    where the password is the same as provided during Export

