
How to include entire certification path when signing code with signtool?

How can I include the entire certification path when signing code using signtool?

Older versions of signtool would include the entire certification path in a digital signature. As it is now, if I sign an executable with signtool:

signtool.exe sign /v /f avatar.pfx -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

the signature is not valid:


This is because there is no certification path:


Binaries signed with the older version of signtool worked fine:


How do I tell signcode to include the entire certification path when signing?

What is the proper way to sign a binary?


Update: SignTool version 6.1.7600.16385:


See also

  • How can I sign an ActiveX control with a code signing certificate and be a verified publisher?
  • Signing WinForms ClickOnce app with Certificate Chain
  • ClickOnce: Certificate cannot be validated


Use /ac and pass the filename of the .cer in which your certificate is rooted (for Verisign it was called MSCV-VSClass3.cer last time I checked when signing kernel code or other special code).

signtool.exe sign /v /f "Avatar.pfx" ^
      /ac "Thawte Code Signing CA - G2.cer" ^
      -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

This should be given by your CA. Usually MS offers bundles for the various CAs it accepts within Windows.

See:

  • Windows root certificate program members
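An added example (not part of the original answer): a PowerShell wrapper that signs with /ac as described above and then checks that the issuer certificate actually ended up inside the signature, so a chain that only validates because the intermediate is in the local store is caught. The file names and timestamp URL are the ones from the page; signtool.exe on PATH, a PFX without a password, and X509Certificate2Collection.Import returning every certificate stored in the Authenticode signature (Windows PowerShell 5.1 behaviour) are assumptions.

```powershell
# Added example, not the answerer's script. Defaults are the values shown on the page.
param(
    [string]$File      = 'app.exe',
    [string]$Pfx       = 'Avatar.pfx',                        # assumed to have no password
    [string]$ExtraCert = 'Thawte Code Signing CA - G2.cer',   # issuer cert supplied by the CA
    [string]$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'
)
$ErrorActionPreference = 'Stop'

# 1. Sign. /ac adds the extra certificate to the signature block.
& signtool.exe sign /v /f $Pfx /ac $ExtraCert /t $Timestamp $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# 2. Verify with the default Authenticode policy; /v prints the signing chain.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }

# 3. Cross-check with the OS trust provider.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

# 4. List the certificates carried in the file itself.
#    Assumption: Import() on a signed PE yields all embedded certificates.
$embedded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$embedded.Import((Resolve-Path -LiteralPath $File).Path)
$embedded | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List

# 5. The signer's issuer must be embedded; otherwise other machines have to
#    find it in their own stores and may show "no certification path".
$signer = $sig.SignerCertificate
$issuerEmbedded = $embedded | Where-Object { $_.Subject -eq $signer.Issuer }
if (-not $issuerEmbedded) {
    throw "Issuer '$($signer.Issuer)' is not embedded in the signature of $File"
}
Write-Host "OK: '$($signer.Subject)' signed $File with its issuer embedded."
```

Run step 2 again on a machine that has never seen the intermediate certificate; a pass on the signing machine alone does not prove the chain travels with the file.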