I have purchased a code signing certificate for the 3rd time since 2015, but when I convert it to a .pfx file and try to use it to sign a self-extracting installer using the code below, the installer shows the publisher as unknown. This did not happen for any of the previous certificates I have purchased.
copy /b 7zS.sfx + config.txt + CaptionPro.7z CaptionPro3.2.153.exe
set FILEDESCR=/s desc "Caption Pro v 3.2.153"
verpatch /va CaptionPro3.2.153.exe %FILEDESCR%
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\SignTool.exe" sign /f aleka_consulting_pty_ltd_2026.pfx /fd sha1 /p "XXXXXXX" CaptionPro3.2.153.exe
If I dump the contents of aleka_consulting_pty_ltd_2026.pfx using
certutil -dump aleka_consulting_pty_ltd_2026.pfx
at the command line I get the results below, which include the error "Certified public key does not match stored keyset". Is this the cause of my problem, and if so how do I fix it?
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 0ceba62297552e41d68dd86da996151b
Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=DigiCert, Inc., C=US
NotBefore: 17/10/2023 11:00 AM
NotAfter: 31/08/2026 10:59 AM
Subject: CN=Aleka Consulting Pty Ltd, O=Aleka Consulting Pty Ltd, L=O'Connor, S=Australian Capital Territory, C=AU
Non-root Certificate
Cert Hash(sha1): ae656c2e258349832111f7e6959cc1e59aa6aead
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Strong Cryptographic Provider
Certificate Public Key:
Version: 3
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
Key Id Hash(rfc-sha1): 7f720f3a85fffde2ed1d6094cad75545af374508
Key Id Hash(sha1): 44277b2ff203fe8217478be8f4824c194bd5631d
Key Id Hash(bcrypt-sha1): f473b197c5a785280d6548e0019a3cc04a3100d2
Key Id Hash(bcrypt-sha256): e99db4cb6314e53e90a8c37ffc70c9509dfbb37244933a6a4fb8b429175235ee
Container Public Key:
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters: NULL
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
Key Id Hash(rfc-sha1): 71fd56de0a56681a82bc48bb51bc36f5b2f648f9
Key Id Hash(sha1): 212fc0f4b31b616ea1fd06874dcc1f4a1da9d284
Key Id Hash(bcrypt-sha1): 9d66a9751469b816f952acd4011e807bb476e06a
Key Id Hash(bcrypt-sha256): 7f11e8e97d44d550ef304421d5749eadec40df91c3e883441d39ba8b00cbeb2b
ERROR: Certificate public key does NOT match stored keyset
Signature test FAILED
CertUtil: -dump command completed successfully.
When I run SignTool in a command window I get:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\SignTool.exe" sign /f aleka_consulting_pty_ltd_2026.pfx /fd sha1 /p "XXXXXX" CaptionPro3.2.153.exe
Done Adding Additional Store
SignTool Error: An error occurred while attempting to load the signing
certificate from: C:\Installs Caption Pro\CaptionPro3.2.153.exe
The problem was that I'd forgotten I had to use a DigiCert token for signing. The signing process is quite separate from making the self-extracting .exe. It uses a utility from DigiCert.
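
The comparison certutil reports above (certificate public key versus container key) can be run as a check before calling SignTool, with a follow-up check of the signer on the finished installer. This is an added example, not part of the original post; the script name, parameter names and messages are placeholders, and it assumes an RSA certificate.

```powershell
# Check-Pfx.ps1 (hypothetical name). Added example, not from the original post.
# Assumes an RSA certificate; $PfxPath and $SignedFile are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # PFX file to inspect
    [string] $SignedFile                        # optional: signed .exe to verify afterwards
)

$ext = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

# Prompt for the password so it never appears on a command line or in a script.
$password = Read-Host -AsSecureString 'PFX password'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $PfxPath).Path, $password)

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"

# Public key embedded in the certificate, and the key stored alongside it in the PFX.
$pub  = $ext::GetRSAPublicKey($cert)
$priv = if ($cert.HasPrivateKey) { $ext::GetRSAPrivateKey($cert) }

if ($null -eq $priv) {
    Write-Warning 'No usable RSA private key in this PFX (the key may live on a hardware token).'
} else {
    # ExportParameters($false) returns public parameters only, so it also
    # works when the private key is marked non-exportable.
    $certMod = [BitConverter]::ToString($pub.ExportParameters($false).Modulus)
    $keyMod  = [BitConverter]::ToString($priv.ExportParameters($false).Modulus)
    "Certificate key : $($pub.KeySize) bits"
    "Container key   : $($priv.KeySize) bits"
    if ($certMod -eq $keyMod) {
        'OK: the private key matches the certificate.'
    } else {
        Write-Warning 'MISMATCH: the stored key does not belong to this certificate; signing with it will not work.'
    }
}

# After signing, confirm Windows sees a valid signature and the expected publisher.
if ($SignedFile) {
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    "Signature status : $($sig.Status)"
    "Signer           : $($sig.SignerCertificate.Subject)"
}
```

A 4096-bit certificate key next to a 2048-bit container key, as in the dump above, is reported as a mismatch by this check.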