SignTool Error: Invalid SHA1 hash format /fd

Open lordvader00 opened this issue 1 year ago • 3 comments

Hello, I have been trying to get this to work on Windows 10 PRO 21h2. I have used all the links in the post for the Windows SDK and secdrv.sys.

I keep getting the error SignTool Error: Invalid SHA1 hash format: /fd when I attempt to sign and timestamp the certificate.

Do you have any ideas?

Thank you.

lordvader00 avatar Nov 03 '24 14:11 lordvader00

It should work. Something is wrong with the command arguments or the certificate. What is the value of $Publisher before you run signtool? What do you get to see if you do dir Cert:\LocalMachine\TrustedPublisher\? Is $Publisher.Thumbprint in the list? Does $Publisher.Subject contain the text SECDRV?

ericwj avatar Nov 05 '24 22:11 ericwj

It's because the signtool cmd has been updated and the /sha1 switch is no longer valid it seems. This command worked for me:

./signtool.exe sign /sm /s TrustedPublisher /fd SHA256 "$($Publisher.Thumbprint)" /t http://timestamp.digicert.com secdrv.cat

offten avatar May 23 '25 21:05 offten

I still have Windows Kit 10.0.26100.0 installed. Specifically Windows Software Development Kit - Windows 10.0.26100.4188 released May 2025 according to this link.

It does have the /sha1 option.

PS C:\Users\Eric> signtool sign /?
Usage: signtool sign [options] <filename(s)>

Use the "sign" command to sign files using embedded signatures. Signing
protects a file from tampering, and allows users to verify the signer (you)
based on a signing certificate. The options below allow you to specify signing
parameters and to select the signing certificate you wish to use.

Certificate selection options:
...
/s <name>   Specify the Store to open when searching for the cert. The default
            is the "MY" Store.
/sm         Open a Machine store instead of a User store.
/sha1 <h>   Specify the SHA1 thumbprint of the signing cert.
/fd         Specifies the file digest algorithm to use for creating file
            signatures. If this parameter is not specified, an error will be
            generated.
...

Does yours not? What is $SdkToolsPath when you run the first 2 PowerShell blocks?

Mine is:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86

Are you sure your signtool is run from this location?

ericwj avatar Sep 20 '25 11:09 ericwj
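
The checks asked for in this thread ($Publisher, its thumbprint in Cert:\LocalMachine\TrustedPublisher, SECDRV in the subject, the signtool location) collected into one pre-flight function. This is an added example, not part of any comment above and not the project's own script. The error text quotes /fd as the hash, which is consistent with the value after /sha1 being empty. Assumptions: $Publisher and $SdkToolsPath were set by the project's earlier PowerShell blocks, the function name is hypothetical, and the signtool arguments are assembled from the switches shown in this thread.

```powershell
# Added example: pre-flight checks before calling signtool. Not the project's own script.
# Assumes $Publisher and $SdkToolsPath were set by the earlier PowerShell blocks.
function Test-SecDrvSigningInput {   # hypothetical helper name
    param(
        [object]$Publisher,
        [string]$SdkToolsPath,
        [string]$StorePath = 'Cert:\LocalMachine\TrustedPublisher'
    )
    $problems = @()

    # A null or empty thumbprint can be dropped from the native command line,
    # so signtool would read the next token (/fd) as the /sha1 value.
    $thumb = if ($Publisher) { [string]$Publisher.Thumbprint } else { '' }
    if ($thumb -notmatch '^[0-9A-Fa-f]{40}$') {
        $problems += "Thumbprint is not 40 hex characters: '$thumb'"
    }
    elseif (-not (Get-ChildItem $StorePath | Where-Object Thumbprint -eq $thumb)) {
        $problems += "Thumbprint $thumb not found in $StorePath"
    }
    if (-not $Publisher -or $Publisher.Subject -notlike '*SECDRV*') {
        $problems += "Subject does not contain SECDRV: '$($Publisher.Subject)'"
    }

    # Confirm which signtool.exe will actually run.
    $signtool = if ($SdkToolsPath) { Join-Path $SdkToolsPath 'signtool.exe' } else { '' }
    if (-not $signtool -or -not (Test-Path $signtool -PathType Leaf)) {
        $problems += "signtool.exe not found under '$SdkToolsPath'"
    }

    [pscustomobject]@{
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
        SignTool  = $signtool
        # Explicit argument array: every switch has its value right next to it.
        Arguments = @('sign', '/sm', '/s', 'TrustedPublisher', '/sha1', $thumb,
                      '/fd', 'SHA256', '/t', 'http://timestamp.digicert.com', 'secdrv.cat')
    }
}

# Sign only when every check passes; otherwise report what is wrong.
$check = Test-SecDrvSigningInput -Publisher $Publisher -SdkToolsPath $SdkToolsPath
if ($check.Ok) { & $check.SignTool @($check.Arguments) }
else { $check.Problems | ForEach-Object { Write-Warning $_ } }
```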