SignTool error: Access is denied

4

5

I am trying to Authenticode sign a .NET application with a new code signing certificate on Windows Server 2008 R2 x64 with VS2010 installed, but SignTool keeps responding with "Access is denied":

SignTool.exe sign /v /a /sha1 <thumbprint> MyApplication.exe

The following certificate was selected:
    Issued to: <redacted>
    Issued by: VeriSign Class 3 Code Signing 2010 CA
    Expires:   Thu Jun 28 01:59:59 2012
    SHA1 hash: <thumbprint>

Done Adding Additional Store
SignTool Error: Access is denied.
SignTool Error: An error occurred while attempting to sign: MyApplication.exe

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

The certificate is installed to the user's personal store and the user is a member of the local Administrators group. I also tried signing using the .pfx file but kept getting the same error. Disabling the UAC prompt showed no effect either.

Any ideas?

Roath answered 30/6, 2011 at 9:6 Comment(0)
R
2

The reason was that private key protection was enabled, but unless running the command prompt as Administrator, the corresponding "An application is requesting access to a protected Item." prompt did not appear.

To resolve the issue, I had to delete the certificate and key, and then reimport them from the .pfx file, this time not selecting the strong private key protection option.

Roath answered 13/7, 2011 at 10:21 Comment(2)
For future readers: Also make sure the file you are trying to sign isn't marked as read-only, that was my problem. - Outdoor
Thanks @eselk, your suggestion was the right solution in my case. - Jovian
P
4

I also had this problem using signtool.exe with Windows 8. To resolve it, you have to run cmd.exe directly from c:\windows\system32\cmd.exe, clicking "Run as administrator".

Pellucid answered 25/11, 2012 at 8:52 Comment(0)
C
4

What solved it for me was realising that my exe was read-only. Removing write-protection allowed SignTool to do its job with no further issues.

(Credit: eselk's comment at SignTool error: Access is denied)

Catty answered 15/8, 2019 at 10:10 Comment(3)
But is that safe? Is there no way around this without removing the write protection? - Stallard
@IppaSeppälä But signing it is by definition writing to it, and you can always put write protection back on after signing it, but I'm not sure if that's what you're asking. - Catty
True, what I mean is that it wouldn't be safe in an automated production pipeline, as it is too easy to forget to put the protection back on if you do it manually. In an automated pipeline it would be preferable to be able to momentarily grant the runner/slave access to write without manually removing these protections. - Stallard
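
One way to handle the read-only case raised in the answer and comments above in an automated pipeline, as an added example that is not part of the original thread: clear the read-only attribute only for the duration of the signing call and restore it in a finally block. The function name Invoke-SignReadOnlyFile is hypothetical, and the script assumes signtool.exe is on PATH and the certificate is in the current user's store.

```powershell
# Added example: sign a file that is normally kept read-only and restore the
# attribute even when signing fails. Assumes signtool.exe is on PATH.
function Invoke-SignReadOnlyFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint   # SHA1 thumbprint of the signing certificate
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $wasReadOnly = $file.IsReadOnly

    try {
        if ($wasReadOnly) {
            # SignTool rewrites the file to embed the signature, so it needs write access.
            $file.IsReadOnly = $false
        }

        # Same switches as the command in the question; output goes to the
        # console so it does not become part of the function's return value.
        & signtool.exe sign /v /a /sha1 $Thumbprint $file.FullName | Out-Host
        if ($LASTEXITCODE -ne 0) {
            throw "signtool exited with code $LASTEXITCODE for $($file.FullName)"
        }

        # Confirm the signature is present and validates before reporting success.
        $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
        if ($sig.Status -ne 'Valid') {
            throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        }
        return $sig
    }
    finally {
        if ($wasReadOnly) {
            # Runs on success and on failure, so the protection is never left off.
            $file.Refresh()
            $file.IsReadOnly = $true
        }
    }
}

# Constructed usage; the thumbprint is a placeholder.
# Invoke-SignReadOnlyFile -Path .\MyApplication.exe -Thumbprint '<thumbprint>'
```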
E
1

I had the same problem, but in my case I was trying to run from a Windows service which was running under the LocalSystem account. Changing it to a regular account solved the issue.

External answered 18/1, 2016 at 15:10 Comment(0)
