Problem Signing with SafeNet EV Certificate

  • Article

I had an interesting case that I want to share in the event anyone else experiences this problem.  In this case a Symantec certificate stored on a SafeNet USB dongle was being used to sign a Windows Store app in Visual Studio.  The signing was failing.  Visual Studio reported: “SignTool Error:  An unexpected internal error has occurred”.  These guidelines were followed and everything seemed in order:

https://msdn.microsoft.com/en-us/library/windows/apps/br230260(v=vs.110).aspx

During packaging, Visual Studio validates the specified certificate in the following ways:

· Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

· Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.

· Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.

· Verifies the existence of a private key exists.

· Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.

Solution

I used Process Monitor (Procmon) to determine the command line that was being used and then using the command line SignTool.exe to issue the same command, saw that it was returning this:  Error: SignerSign() failed." (-1073741275/0xc0000225)

SafeNet had the solution for this problem.  Using the SafeNet Client Authentication tools it was found that there were ‘Orphan Objects’ on the device.  Removing these resulted in being able to use this device to sign the application successfully!

SafeNet

Let me know if this helps you out!