Has anyone had success signing a Windows executable? (SignTool)
Question
https://docs.microsoft.com/pt-br/windows/win32/seccrypto/signtool
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/authenticode
Copying response from a Fulcio issue (https://github.com/sigstore/fulcio/issues/250) on this topic:
There are no current plans to include the Fulcio root in the macOS or Windows trust stores. The way that Sigstore manages and updates its roots of trust through The Update Framework is incompatible with the OSs' trust store requirements.
As for the short expiration, Authenticode supports including a signed timestamp. Sigstore is working on spinning up a timestamping authority (TSA), though you could also request a signed timestamp from a TSA like DigiCert's. For any TSA where its root is not trusted by the OS, you will run into the same warnings.
re: https://github.com/sigstore/fulcio/issues/250#issuecomment-1019297096, there may be some X.509 extension or additional value that needs to be set in a Windows code signing certificate. We have a specification for issued certificates in our docs.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.
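An added example, not part of the original thread or of the Sigstore project: a PowerShell check that reports, for a signed file, the three things the response above raises (whether the signer chain reaches a root the OS trusts, whether a timestamp is attached, and whether the signer certificate carries the code-signing EKU). The path `.\example.exe` is a placeholder, and revocation checking is turned off so the check runs offline.

```powershell
# Added example. '.\example.exe' is a placeholder path, not a file from the thread.
param([string]$Path = '.\example.exe')

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Output "No Authenticode signature found: $($sig.StatusMessage)"
    return
}
$signer = $sig.SignerCertificate

# Build the signer chain against the local Windows trust stores.
# Revocation is skipped (assumption of this example) so the check runs offline.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($signer)

# Collect the Extended Key Usage OIDs; 1.3.6.1.5.5.7.3.3 is id-kp-codeSigning.
$ekus = foreach ($ext in $signer.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
}

[pscustomobject]@{
    Status            = $sig.Status
    StatusMessage     = $sig.StatusMessage
    SignerIssuer      = $signer.Issuer
    SignerNotAfter    = $signer.NotAfter
    # A short-lived certificate will normally already be expired when checked.
    SignerExpiredNow  = ((Get-Date) -gt $signer.NotAfter)
    # Without a timestamp, an expired signer certificate cannot validate.
    HasTimestamp      = ($null -ne $sig.TimeStamperCertificate)
    TimestampIssuer   = $sig.TimeStamperCertificate.Issuer
    HasCodeSigningEku = ($ekus -contains '1.3.6.1.5.5.7.3.3')
    ChainBuilds       = $chainOk
    # UntrustedRoot here means the issuing root is not in the OS trust store.
    ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```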