code-signingdigicertsmctl

Certificate for keypair alias not found


I'm trying to implement code-signing in a GitHub action using a digicert certificate. I'm using this GitHub action to guide me.

I'm using smctl with the digicert/ssm-code-signing@v0.0.2 action.

After using the ssm-code-signing action, I have smctl working, and it, indeed, finds a certificate:

ID                                     Key Modal TYPE      ALIAS               ALGORITHM & SIZE/CURVE   STATUS              TYPE                STORAGE             CERTIFICATE
af658fe8-eb5b-40a2-927a-xyzxyzxyzxyz   STATIC              key_554917318       RSA - 3072               ONLINE              PRODUCTION          HSM                 

However, the "CERTIFICATE" column is empty, and when I try to certsync or sign I get the following error message:

$ smctl windows certsync --keypair-alias="key_554917318"
  
Certificate for keypair alias: key_554917318 not found

and

$ smctl sign --verbose --keypair-alias=key_554917318 --input partitions.exe
  
Command : 
 signtool sign  /tr http://timestamp.digicert.com /td SHA256  /fd  SHA256   "my-app.exe" 
Error : 
 
 exit status 1: SignTool Error: No certificates were found that met all the given criteria.
signCommand command for file my-app.exe FAILED

Any idea of what I did wrong, and why smctl can't use my certificate? Do I need to change something on the server side?


Solution

  • The order of our certificate at https://one.digicert.com was still marked as "pending".

    We needed to go into the key locker, and there, in the "certificates" tab, click on the "sync orders" button that appears when one hovers over the order ID.