Most Common SignTool Errors and Solutions

SignTool is a command-line tool, provided by Microsoft as part of the Windows SDK, that is used to digitally sign code. Like any tool, it can sometimes throw errors that are frustrating to diagnose.

In this guide, we’ll explore some of the most common SignTool errors and provide troubleshooting tips to help you resolve them efficiently.

Internal Errors:

Error Message:

SignTool Error: An unexpected internal error has occurred

Error information: “Error: SignerSign() failed.” (-2147024885 / 0x8007000B)

Solution:

This error message can have several causes. To find out which one applies:

  1. Run eventvwr.msc to open Event Viewer (Local).
  2. Go to Applications and Services Logs > Microsoft > Windows > AppxPackagingOM > Microsoft-Windows-AppxPackaging/Operational to find the most recent error.

Error Code: 0x8007000B

If the Event ID is 150 with error code 0x8007000B, it indicates that the app manifest publisher name does not match the subject name of the signing certificate.

Solution:

Ensure that the app manifest publisher name matches the subject name of the signing certificate. You can verify this by checking the Common Name (CN) and Country (C) fields of the app manifest publisher name and the signing certificate.

If they do not match, update the publisher name in the app manifest or obtain a new signing certificate with the correct publisher name.

Error Code: 0x8007000B

If the Event ID is 151 with error code 0x8007000B, then it indicates the signature hash method (SHA512) specified in SignTool does not match the hash method used in the app package block map (SHA256).

Solution:

Rerun SignTool with a hash algorithm that matches the hash method used in the app package block map. Use the /fd parameter to specify it so that the two stay consistent.

Error Code: 0x8007000B

If the Event ID is 152 with error code 0x8007000B, then it indicates that the app package contents failed to validate against its block map.

Solution:

This error suggests that the app package is corrupt. To resolve this, generate a new block map using a tool such as MakeAppx.exe. Ensure all app package contents are correctly included and structured according to the specifications.
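The checks behind Event IDs 150 and 151 can be run before signing. The script below is an added example, not from the original article or from Microsoft: it reads the publisher and block map hash method out of a package, compares the publisher to the certificate subject, and then reports the most recent 150/151/152 event. `$PackagePath` and `$CertPath` are hypothetical parameter names.

```powershell
# Added example: pre-signing check for the causes behind Event IDs 150 and 151,
# plus a lookup of the most recent AppxPackaging error event.
param(
    [Parameter(Mandatory)] [string] $PackagePath,  # hypothetical: .appx/.msix to sign
    [Parameter(Mandatory)] [string] $CertPath      # hypothetical: signing cert (.cer/.pfx)
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# An app package is a ZIP container; read one XML part out of it.
function Read-PackageXml([System.IO.Compression.ZipArchive] $Zip, [string] $Name) {
    $entry = $Zip.GetEntry($Name)
    if (-not $entry) { throw "$Name not found in package" }
    $reader = [System.IO.StreamReader]::new($entry.Open())
    try { [xml] $reader.ReadToEnd() } finally { $reader.Dispose() }
}

$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $PackagePath).Path)
try {
    $manifest = Read-PackageXml $zip 'AppxManifest.xml'
    $blockMap = Read-PackageXml $zip 'AppxBlockMap.xml'
} finally { $zip.Dispose() }

# Event ID 150: manifest publisher must match the certificate subject.
# Strict string comparison; Get-PfxCertificate prompts if a .pfx has a password.
$publisher = $manifest.Package.Identity.Publisher
$subject   = (Get-PfxCertificate -FilePath $CertPath).Subject
if ($publisher -cne $subject) {
    Write-Warning "Publisher '$publisher' differs from certificate subject '$subject'"
}

# Event ID 151: /fd must match the block map HashMethod (a URI ending in '#sha256' etc.).
$fd = ($blockMap.BlockMap.HashMethod -split '#')[-1].ToUpper()
Write-Output "Block map hash method is $fd; sign with /fd $fd"

# After a failed signing attempt, map the latest event to the cause listed above.
$causes = @{
    150 = 'manifest publisher name does not match the certificate subject name'
    151 = 'SignTool hash method does not match the block map hash method'
    152 = 'package contents failed to validate against the block map'
}
$filter = @{ LogName = 'Microsoft-Windows-AppxPackaging/Operational'; Id = 150, 151, 152 }
$evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    Write-Output "Event ID $($evt.Id) at $($evt.TimeCreated): $($causes[$evt.Id])"
}
```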

Error Message:

SignTool Error: An unexpected internal error has occurred.

Error information: “Error: SignerSign() failed.” (-2147024885 / 0x80080206)

If the error code starts with 0x8008, such as 0x80080206 (APPX_E_CORRUPT_CONTENT), the signed package is invalid.

Solution:

You can solve this error by rebuilding the package and running SignTool again.

Invalid Parameters

Error Message: Invalid Parameter (0x80080057)

This error arises when you try to sign a Portable Executable (PE) file, such as an .exe or .sys file, that is larger than 4 gigabytes (GB) using SignTool on Windows.

Solution:

Ensure that any PE file you try to sign is less than 4 GB. No permanent solution is available due to potential backward compatibility issues, but the issue is under investigation for possible future resolution.

Incorrect Internal Hash

Problem:

Although it is generally possible to sign .cat files larger than 4 GB, the internal hash generated during the signing process may be inaccurate.

Solution:

To avoid this issue, ensure that the .cat files you need to sign are smaller than 4 GB.

Certificate Chain could not be built during Verification

Error Message:

SignTool Error: WinVerifyTrust returned error: 0x800B010A

A certificate chain can’t be built to a trusted root authority.

This error happens when using a private trust to create the certificate for signing, and the root and intermediate certificates are not added to the Windows agent’s certificate store.

Solution:

There are two ways to fix this problem:

  1. Use a public trust to create your certificate.
  2. Import the private trust root CA certificate and intermediate CA certificate into the Windows agent’s certificate store.

Pro Tip: Ensure the root CA certificate is added to the “Trusted Root Certification Authorities.”

The Bottom Line

By understanding the errors above and their solutions, you can troubleshoot SignTool errors more effectively and keep your code signing process running smoothly.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.