Code Signing Certificate Mystery
Hi all, this is not a problem with SB. I'm posting here because this is where all the code-signing gurus hang out. (Jane?)
I've been code-signing my apps with a code-signing certificate from Comodo for about a year and a half, and renewed my certificate for two years through Lindersoft back in April of this year. I've had great success, all my apps sign with no errors, and thanks to Jane Fleming's great articles in Clarion Mag, I have had very few problems.
Or so I thought. Just today, in finishing up an app that interfaces with Quickbooks, QB complained that my certificate was invalid, and kicked me out! I verified the certificate through Windows Explorer, and then through signtool verify, and sure enough, both tell me that "The certificate is invalid for the requested usage". I have checked apps that I have signed after the renewal date, and apps that I signed last year, and it's the same story, so it has nothing to do with the renewal.
Since discovering this issue, I have used signtool with every parameter I can think of, and even used the signtool wizard, trying every combination I could think of, and it's always the same thing: I never get any errors during code-signing, but all verification methods say, "The certificate is invalid for the requested usage". It also doesn't matter if I "manually" use signtool or have SB do it.
In my frustration, I'd like to ask, if a code-signing certificate isn't valid for signing code, then what good is it? But that's not very nice, so instead, I'll ask, what could I possibly have done wrong? I'll reiterate, the certificate is valid. I've checked it, and it's good from 27 April 2008 until 27 April 2010.
Help! I need to get this Quickbooks interface done and this is a major show-stopper.
Thanks, and I apologize again for taking up space with a non-SB issue.
Wayne
Re: Code Signing Certificate Mystery
Wayne,
Is this on a Vista machine? If this is the case, check the "Vista Event Viewer" and see if there is a CAPI2 application error.
Friedrich
Re: Code Signing Certificate Mystery
Hi Friedrich,
No, I should have said. It's an XP machine.
Wayne
Analytica Business Systems
analyticabiz.com
Re: Code Signing Certificate Mystery
Hi Wayne,
Perhaps some kind of Windows "root certificate" problem on your machine.
What do you see in Internet Explorer -> Tools -> Internet Options -> Content -> Certificates. Do you see your new Comodo certificate in the Personal list? If yes, please highlight it and click the "View" button. Then select the "Certification Path" tab. Does it say "This certificate is OK"?
Friedrich
Re: Code Signing Certificate Mystery
Friedrich,
No, actually, it said it had expired on 4/27/2008, even though I had renewed it on 4/30/2008.
So I re-imported it, and now IE says it's okay, with an expiration date of 4/30/2010.
But when I sign an executable, I still get the same error, "This certificate is invalid for the usage requested" even though the type shows as "Digital Signature".
Wayne
2 Attachment(s)
Re: Code Signing Certificate Mystery
Wayne,
Does it look like this (see attached screenshots)? Could you please post yours?
Friedrich
2 Attachment(s)
Re: Code Signing Certificate Mystery
Friedrich,
Yes, it does. At least, I think so.
3 Attachment(s)
Re: Code Signing Certificate Mystery
However, this is what the certificate details look like after signing an .exe with it:
1 Attachment(s)
Re: Code Signing Certificate Mystery
Wayne,
Yes, looks okay to me. If Windows says "certificate OK" then there is no problem with your code-signing certificate.
What do you have in the Advanced options. Does it look like this (see attached screenshot). Is Code-Signing enabled?
Friedrich
Re: Code Signing Certificate Mystery
Yes, exactly. "Code Signing" is checked, as are all the other check boxes visible in your screenshot.
But did you see the screenshots I posted of what Windows Explorer says about the certificate? It doesn't agree with IE at all!
Wayne