I am trying to Authenticode-sign a .NET application with a new code signing certificate on Windows Server 2008 R2 x64 with VS2010 installed, but SignTool keeps responding with "Access is denied":
    SignTool.exe sign /v /a /sha1 <thumbprint> MyApplication.exe
    The following certificate was selected:
        Issued to: <redacted>
        Issued by: VeriSign Class 3 Code Signing 2010 CA
        Expires: Thu Jun 28 01:59:59 2012
        SHA1 hash: <thumbprint>
    Done Adding Additional Store
    SignTool Error: Access is denied.
    SignTool Error: An error occurred while attempting to sign: MyApplication.exe
    Number of files successfully Signed: 0
    Number of warnings: 0
    Number of errors: 1
The certificate is installed to the user's personal store and the user is a member of the local Administrators group. I also tried signing using the .pfx file but kept getting the same error. Disabling the UAC prompt showed no effect either.
Any ideas?
The reason was that private key protection was enabled, but unless running the command prompt as Administrator, the corresponding "An application is requesting access to a protected Item." prompt did not appear.
To resolve the issue, I had to delete the certificate and key, and then reimport them from the .pfx file, this time not selecting the strong private key protection option.
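A way to check for the condition described in the answer before running SignTool, as an added example that is not part of the original post: this PowerShell function lists the code signing certificates in the current user's Personal store and reports whether each private key is flagged as protected. The function name `Get-CodeSigningKeyProtection` is hypothetical, and the check assumes the key lives in a CryptoAPI (CSP) provider; keys in other providers are reported as Unknown.

```powershell
# Added example (not from the original post).
# Lists code signing certificates in CurrentUser\My and reports whether
# strong private key protection is set on the associated key container.
function Get-CodeSigningKeyProtection {
    # -CodeSigningCert limits the listing to certificates valid for code signing.
    Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object {
        $cert  = $_
        $state = 'Unknown'

        if (-not $cert.HasPrivateKey) {
            $state = 'NoPrivateKey'
        }
        else {
            try {
                $key = $cert.PrivateKey
                # Only CSP-backed keys expose CspKeyContainerInfo.
                if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                    if ($key.CspKeyContainerInfo.Protected) {
                        $state = 'Protected'
                    }
                    else {
                        $state = 'NotProtected'
                    }
                }
            }
            catch {
                # For example a CNG key, or a key container the caller cannot open.
                $state = 'Unknown: ' + $_.Exception.Message
            }
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeyState   = $state
        }
    }
}

Get-CodeSigningKeyProtection | Format-Table Thumbprint, KeyState, NotAfter, Subject -AutoSize
```

A certificate reported as `Protected` needs the interactive access prompt at signing time, so it is unsuitable for unattended build or signing jobs unless it is reimported without that option as described above.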