SignTool gives internal error (0x80100001)


I just installed my Extended Validation Code Signing Certificate to a Yubikey 5 device.

I call this from the Developer Command Prompt for VS 2022:

signtool sign /debug /sha1 <***> /fd SHA256 /t http://tsa.safecreative.org C:\temp\my_app.exe

I get this error:

The following certificate was selected:
Issued to: ***
Issued by: Sectigo Public Code Signing CA EV E36
Expires: Tue Sep 15 02:59:59 2026
SHA1 hash: <***>

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146435071/0x80100001)

How to fix it?

I have Windows 10 / 22H2, Windows SDK: 10.0.22621.

Thank you.

2

There are 2 answers

1
Sean On

This error can happen when you manually import the certificate into your certificate store. Instead import the certificate into the Yubikey manager. Once imported the certificate should automatically appear in the certificate store. The correct steps are posted here - https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey/kA03l000000roEV

If you do not succeed start the process again using the above instructions and request a new certificate.

0
Xomega On

Did you use YubiKey slot 9c for your code signing certificate? I had the same error with slot 9c and got a new certificate for slot 9a, as recommended by the instructions, which (eventually) worked for me. The Yubico page on code signing states the following:

If you experience error code 0x8010006A when attempting to use the signtool utility, this indicates the pin-policy option was set to always, which does not work with the YubiKey Smart Card Minidriver and signtool due to a restriction in the Microsoft Base Smart Card CSP. Unless otherwise specified, slot 9c (Digital Signature, used for code signing) will have the pin-policy option set to always to adhere to the PIV specification.

Edit: If you still want to use slot 9c, you can generate a new private key in it with a different PIN policy, as shown below, and then attest that key and get a new certificate for it.

ykman piv keys generate -a ECCP384 --pin-policy ONCE 9c -
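An added helper (not from the question or either answer) that decodes the "(decimal/hex)" pair signtool prints into its HRESULT fields, which is the first thing to check when triaging these failures: both codes on this page come from the Windows smart-card subsystem (facility SCARD, 0x10), not from signtool itself, so the fix lies in the token or minidriver configuration. The sample line is constructed from the question's output.

```python
import re

# HRESULT facility for the Windows smart-card (winscard) subsystem.
FACILITY_SCARD = 0x10

# Known smart-card status codes that appear on this page.
SCARD_CODES = {
    0x80100001: "SCARD_F_INTERNAL_ERROR",      # code from the question
    0x8010006A: "SCARD_W_SECURITY_VIOLATION",  # code quoted from the Yubico page
}

# Constructed sample: the "Error information" line from the question.
SAMPLE = 'Error information: "Error: SignerSign() failed." (-2146435071/0x80100001)'


def parse_signtool_error(line):
    """Extract the (signed decimal / hex) pair signtool prints and decode it.

    Returns a dict with the decoded HRESULT fields, or None when the line
    carries no such pair.
    """
    m = re.search(r"\((-?\d+)/0x([0-9A-Fa-f]{8})\)", line)
    if not m:
        return None
    dec = int(m.group(1))
    hr = int(m.group(2), 16)
    facility = (hr >> 16) & 0x7FF  # HRESULT facility lives in bits 16..26
    return {
        "hresult": hr,
        # signtool prints one 32-bit value twice: signed decimal and unsigned hex.
        "consistent": (dec & 0xFFFFFFFF) == hr,
        "failure": bool(hr & 0x80000000),  # severity bit set => failure/warning
        "facility": facility,
        "code": hr & 0xFFFF,
        "smart_card": facility == FACILITY_SCARD,
        "name": SCARD_CODES.get(hr, "unknown"),
    }


if __name__ == "__main__":
    print(parse_signtool_error(SAMPLE))
```

For the question's line this reports facility 0x10 (smart card) and the name SCARD_F_INTERNAL_ERROR, so the error originates below signtool, in the card or minidriver layer.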