I am trying to run signtool.exe to sign some files with an EV code signing certificate. Due to how the EV signing process works, I’ve had to place the cert in the machine (local computer) personal store.

The command I am invoking via a script step in the process looks like this:

C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sm /s My /sha1 [thumbprint] C:\Temp\File.exe

This is giving an error of:

SignTool Error: No certificates were found that met all the given criteria.

Doing some reading on the internet, it may have something to do with the fact that the Tentacle service is running under the System account. However, I am specifying the /sm /s My switches to tell it to use the machine personal store. The command does work when using PowerShell in admin mode.

Any ideas on how to get it to see the cert?

Interesting question - short of swapping the tentacle service account and finding the cert in the new account cert store (which I’m sure could cause other issues), I’m not sure what your best option is.

Can you try running that command with the /debug switch and see if there is more information provided that way?

Update: Could you also try the same command without the ‘/s My’, I’ve seen some other reports of this causing a failure of the search.

C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe sign /fd sha256 /tr http://ts.ssl.com /td sha256 /sm /sha1 [thumbprint] C:\Temp\File.exe
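The following PowerShell diagnostic is an added example, not something posted in this thread. It collects the facts the reply above asks for in one place: the account the Tentacle service runs as, whether the thumbprint really is in LocalMachine\My, which key provider backs the private key (for a cloud or token-backed EV certificate this is the part that may depend on a user profile), and finally the signtool run with /debug. The service name "OctopusDeploy Tentacle" and the signtool path are assumptions taken from Octopus defaults and the question's command; adjust them if yours differ.

```powershell
# Added diagnostic script (not from the thread). Assumes the default Tentacle
# service name "OctopusDeploy Tentacle" and the signtool path used in the question.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $FileToSign,
    [string] $SignTool    = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86\signtool.exe',
    [string] $ServiceName = 'OctopusDeploy Tentacle'
)

# 1. Which account does the Tentacle run as? LocalSystem has no interactive user
#    profile, so anything a signing helper keeps under %USERPROFILE% is elsewhere.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Tentacle service account: $($svc.StartName)" } else { "Service '$ServiceName' not found" }
"Running this script as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 2. Is the certificate actually in the machine personal store (what /sm /s My searches)?
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    if (Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint) {
        Write-Warning "...but it IS in CurrentUser\My for $env:USERNAME (a per-user store the service cannot see)"
    }
    return
}
"Found: $($cert.Subject)  (expires $($cert.NotAfter))"
"HasPrivateKey: $($cert.HasPrivateKey)"

# 3. Which provider holds the private key? signtool locates the cert in the store,
#    but the actual signing goes through this CSP/KSP, and that is where a helper
#    application tied to a user profile can fail under SYSTEM.
try {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($key -is [System.Security.Cryptography.RSACng]) {
        "Key provider: $($key.Key.Provider.Provider)  (CNG)"
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        "Key provider: $($key.CspKeyContainerInfo.ProviderName)  (CAPI)"
    } else {
        "Key provider: unknown type $($key.GetType().FullName)"
    }
} catch {
    Write-Warning "Private key not accessible from this identity: $($_.Exception.Message)"
}

# 4. Run signtool with /debug so it reports why each candidate certificate was rejected.
& $SignTool sign /debug /fd sha256 /tr http://ts.ssl.com /td sha256 /sm /s My /sha1 $Thumbprint $FileToSign
"signtool exit code: $LASTEXITCODE"
```

Run it once from an elevated PowerShell (the case that works in the question) and once as the service account, for example by putting it in an Octopus script step or launching `psexec -s powershell.exe` from Sysinternals, and compare the two outputs. If step 2 passes in both but step 3 or the /debug output differs, the problem is in the key provider or its helper application rather than in the store lookup.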

No dice. It appears it has something to do with the ‘helper’ application and how it handles doing the e-signing.

For anyone else reading this, if you use ssl.com for your EV code signing certs and Octopus to sign them, there are permissions issues. The Octopus Tentacle runs as the System user by default. If you run the eSigner CKA application, it will place the master text file where you tell it. But it also dumps things out in your user profile that it also needs.

