'"Invalid SHA1 hash format" error calling signtool from msbuild or command line
I am trying to sign my assemblies and setup files during project build using SignTool.exe. Following this answer I wanted to use the /sha1 option so that I don't need to specify the certificate password. However, when I do this I am getting an "Invalid SHA1 hash format" error. I have tried both from an MSBuild Exec task, from a Visual Studio Developer Command prompt and from a batch file all with the same error.
The command I'm trying is (obviously with a different key):
signtool.exe sign /a /sha1 1234567890abcdef1234567890abcdef12345678 /tr http://timestamp.comodoca.com /td SHA256 /v Setup.msi
I think my certificate is installed correctly and the SHA1 key is correct as it works with the SignFile MSBuild task correctly. I'd just use that but I also need to be able to sign my installer files which aren't built with MSBuild and hence need to be signed from a batch script.
So what could be the problem and how do I fix it?
Solution 1:[1]
Stupid mistake and I can't believe it took so long to realise. I had an extra space character before the thumbprint string which was the cause of the error.
Even after fixing that though I then got another error:
No certificates were found that met all the given criteria.
Running the command again with the /debug option listed all of the certificates it attempted to use and
After Hash filter, 0 certs were left.
The hash SHA1 hash for the certificate I wanted to use was exactly the same as I specified with the only exception being that the hash was all in upper-case letters. So tried the command again with the hash in all upper-case letters and... it worked.
As I haven't seen this requirement documented anywhere I thought I'd provide the answer here.
Solution 2:[2]
I had the same problem and found out that there might be a hidden UNICODE character which causing this error. Just copy the text to a new Notepad instance and back and it will work. Alternatively, place the cursor in this location:
/sha1 <cursor>abcdefg
Then press BACKSPACE. If you have to press BACKSPACE twice to get the cursor next to the "/sha1" directive, there was an invisible character. Then just type space and you are done.
Solution 3:[3]
I solved it by providing the thumprint in the build command itself as follows:
msbuild /restore /t:Publish /p:TargetFramework=net6.0-windows10.0.19041 /p:configuration=release /p:PackageCertificateThumbprint=897C9032E6BD06D32A315173D09C93B06CBDE1B4
remove the thumbprint from .csproj it should look like this.
<PackageCertificateThumbprint></PackageCertificateThumbprint>
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | kjbartel |
| Solution 2 | Michael Haephrati |
| Solution 3 | Jeremy Caney |