Reputation: 10581
"Invalid SHA1 hash format" error calling signtool from msbuild or command line
I am trying to sign my assemblies and setup files during project build using SignTool.exe. Following this answer I wanted to use the /sha1 option so that I don't need to specify the certificate password. However, when I do this I am getting an "Invalid SHA1 hash format" error. I have tried both from an MSBuild Exec task, from a Visual Studio Developer Command prompt and from a batch file all with the same error.
The command I'm trying is (obviously with a different key):
signtool.exe sign /a /sha1 1234567890abcdef1234567890abcdef12345678 /tr http://timestamp.comodoca.com /td SHA256 /v Setup.msi
I think my certificate is installed correctly and the SHA1 key is correct as it works with the SignFile MSBuild task correctly. I'd just use that but I also need to be able to sign my installer files which aren't built with MSBuild and hence need to be signed from a batch script.
So what could be the problem and how do I fix it?
Upvotes: 6
Views: 4988
Answers (3)
Reputation: 1
I solved it by providing the thumprint in the build command itself as follows:
msbuild /restore /t:Publish /p:TargetFramework=net6.0-windows10.0.19041 /p:configuration=release /p:PackageCertificateThumbprint=897C9032E6BD06D32A315173D09C93B06CBDE1B4
remove the thumbprint from .csproj it should look like this.
<PackageCertificateThumbprint></PackageCertificateThumbprint>
Upvotes: 0
Reputation: 4225
I had the same problem and found out that there might be a hidden UNICODE character which causing this error. Just copy the text to a new Notepad instance and back and it will work. Alternatively, place the cursor in this location:
/sha1 <cursor>abcdefg
Then press BACKSPACE. If you have to press BACKSPACE twice to get the cursor next to the "/sha1" directive, there was an invisible character. Then just type space and you are done.
Upvotes: 13
Reputation: 10581
Stupid mistake and I can't believe it took so long to realise. I had an extra space character before the thumbprint string which was the cause of the error.
Even after fixing that though I then got another error:
No certificates were found that met all the given criteria.
Running the command again with the /debug option listed all of the certificates it attempted to use and
After Hash filter, 0 certs were left.
The hash SHA1 hash for the certificate I wanted to use was exactly the same as I specified with the only exception being that the hash was all in upper-case letters. So tried the command again with the hash in all upper-case letters and... it worked.
As I haven't seen this requirement documented anywhere I thought I'd provide the answer here.
Upvotes: 3
Related Questions
- Batch file to delete files older than N days
- Signtool error: No certificates were found that met all given criteria with a Windows Store App?
- How do I run msbuild from the command line using Windows SDK 7.1?
- SignTool Error: The specified timestamp server either could not be reached or returned an invalid response
- Path to SignTool.exe or "Windows Kits" directory when using Visual Studio 2012
- signtool failing to dual sign SHA2 and SHA1 with timestamps
- MSBuild SignFile task returning MSB3481: The signing certificate could not be located