Signtool error: No certificates were found that met all given criteria with a Windows Store App?


I'm trying to sign a Windows 8 appx package with a pfx file I have. I'm using a command like so:

signtool.exe sign /fd sha256 /f "key.pfx" "app.appx"

And from this, I get:

SignTool Error: No certificates were found that met all the given criteria.

What "criteria" am I not meeting? This is only for testing so these are self-signed certificates. I've tried importing the key and then signing it, but it always results in the same error. How do I fix this?

6/6/2019 9:57:47 AM

Try with /debug.1,2 As in :

signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe

It will help you find out what is going on. You should get output like this:

The following certificates were considered:
    Issued to: <issuer>
    Issued by: <certificate authority> Class 2 Primary Intermediate Server CA
    Expires:   Sun Mar 01 14:18:23 2015
    SHA1 hash: DD0000000000000000000000000000000000D93E

    Issued to: <certificate authority> Certification Authority
    Issued by: <certificate authority> Certification Authority
    Expires:   Wed Sep 17 12:46:36 2036
    SHA1 hash: 3E0000000000000000000000000000000000000F

After EKU filter, 2 certs were left.
After expiry filter, 2 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

You can see what filter is causing your certificate to not work, or if no certificates were considered.

I changed the hashes and other info, but you should get the idea. Hope this helps.

1 Please note: signtool is particular about where the /debug option is placed. It needs to go after the sign statement.
2 Also note: the /debug option only works with some versions of signtool. The WDK version has the option, whereas the Windows SDK version does not.


Please always check your certificate expiry date first because most of the certificates have an expiry date. In my case certificate has expired and I was trying to build project.


If you do not have to sign the app, right click on your project

Project Properties -> Signing -> uncheck "Sign the ClickOnce Manifest"

Also as this MS article suggests,

If you are using Visual Studio 2008 and are targeting .NET 3.5 and using automatic updates, you can just change the certificate and deploy a new version,


In my case I have the wrong type of certificate that I am trying to associate.
I had "Server Authentication" rather than "Code signing".
You should be able to see this in Certificate snap in the Intended Purpose section.
After that, it just work fine.


just uncheck the 'Sign the click once manifests' from the signing tab in project properties,it will remove the error and you can create a new one as from there.