SignTool: Selecting a certificate from the store does not work

[ylangisc]

Selecting a certificate from the store does not work while specifying it from the local disk with the /f parameter works fine.

NOK

signtool sign /d MD /fd sha256 /tr http://timestamp.acs.microsoft.com /td SHA256 /a /sm /csp "Google Cloud KMS Provider" /kc projects/myProjectId/locations/europe/keyRings/code-signing/cryptoKeys/mykey/cryptoKeyVersions/1 /sha1 2daafb27143ab86e26afcdec3da086b8b0dedf2d /v binary.exe

→

The following certificate was selected:
    Issued to: MyCompany
    Issued by: Sectigo Public Code Signing CA R36
    Expires:   Fri Nov 06 00:59:59 2026
    SHA1 hash: 2DAAFB27143AB86E26AFCDEC3DA086B8B0DEDF2D

SignTool Error: An unexpected internal error has occurred.
Error information: "Could not associate private key with certificate." (-2147024891/0x80070005)

OK

signtool sign /d MD /fd sha256 /tr http://timestamp.acs.microsoft.com /td SHA256 /a /f mycert.crt /csp "Google Cloud KMS Provider" /kc projects/myProjectId/locations/europe/keyRings/code-signing/cryptoKeys/mykey/cryptoKeyVersions/1 binary.exe

Any ideas?

[tdbhacks]

Without being very familiar with how the machine store loading works, and how that /sm signtool flag affects execution, my gut feeling is that signtool might be trying to call some CNG functions that are not implemented in our KMS provider.

Verbose logging can be turned on in our provider by setting the dedicated env variable, if you'd like to investigate more. What kinds of workflows would be unblocked through this kind of support? Is using the machine store a blocking part of any key CUJs? Any additional insights would help with future prioritization, thanks!