Selfsigned certificate is shown as not trusted source in signTool

Time:11-10

I make my own certificate with signTool like

powershell.exe New-SelfSignedCertificate -DnsName "www.mydns.me" -Type CodeSigning -NotBefore 27.10.2021 -NotAfter 27.10.2024 -CertStoreLocation "cert:\CurrentUser\My"

The certificate is available in certificate manager. I signed my file with

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a myfile.exe

I want to show certificates on the file with

signtool verify /pa myfile.exe

but it reported that the source is not trusted: SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Why is the certificate not trusted when the option is /pa and it is available in my certificate center?

CodePudding user response:

The certificate is self-signed and stored in your current user certificate Personal store. Having the certificate does not mean that you or the computer trusts it. You must import a copy of this certificate into the Trusted Root Certification Authorities store. You can import it into the user store or the computer store (any user on the local machine would trust your self-signed certificate). Use, for example, Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath C:\cert.cer. Only the public key must be imported into the Trusted Root Certification Authorities store, not the private key.

I don't know about the /pa option. Try without any option.
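The steps from the answer above, carried through end to end as an added example (not part of the original post): create the certificate, export only its public part, trust it for the current user, then sign and verify. It assumes signtool.exe is on PATH and myfile.exe is in the current directory; the export path and the three-year validity are illustrative choices.

```powershell
# Added example. Assumptions: signtool.exe on PATH, myfile.exe in the current directory.
$ErrorActionPreference = 'Stop'
$cerPath = Join-Path $env:TEMP 'codesign-public.cer'   # hypothetical export path

# 1. Create the self-signed code-signing certificate.
#    The private key stays in the Personal store (CurrentUser\My).
$cert = New-SelfSignedCertificate -DnsName 'www.mydns.me' -Type CodeSigning `
    -NotAfter (Get-Date).AddYears(3) -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Export the public certificate only. A .cer file (-Type CERT) cannot carry
#    a private key, which is what the Root store should receive.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 3. Import the public copy into the current user's Trusted Root store.
#    CurrentUser scope limits the trust to this account; Windows may ask for
#    confirmation before adding a root certificate.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 4. Check what actually landed in the Root store.
$inRoot = Get-ChildItem 'Cert:\CurrentUser\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $inRoot)          { throw 'Certificate was not added to CurrentUser\Root.' }
if ($inRoot.HasPrivateKey) { throw 'Root store entry has a private key attached.' }

# 5. Sign with this exact certificate (selected by thumbprint instead of /a),
#    then verify with the same command used in the question.
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 `
    /sha1 $cert.Thumbprint myfile.exe
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed.' }

signtool verify /pa myfile.exe
if ($LASTEXITCODE -ne 0) { throw 'signtool verify failed: chain is still not trusted.' }

# 6. When testing is finished, remove the trust anchor again:
# Remove-Item "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
```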
