I remembered it wasn't signed when the Windows 8 beta started nagging me about it. I allocated a 5-minute task on my "to-do" list to fix it.
However, taking the generated binaries from before (and verifying them with GPG), signtool is perfectly happy to sign the MSIs and the DLLs, but the setup.exe, the actual launcher that asks for elevation in the first place, gives:
    $ signtool sign /a setup.exe
    Done Adding Additional Store
    SignTool Error: SignedCode::Sign returned error: 0x80070057
            The parameter is incorrect.
    SignTool Error: An error occurred while attempting to sign: setup.exe
    Number of errors: 1
(Extensive) investigation with STUD_PE reveals that the certificate table, the location where signtool is expecting to find current certificates and write new ones, is full of junk; an address and a block that reads past the end of the file. While STUD_PE allows you to fix this, I elected to write a tool to automatically strip evidence of signatures from files: unsigntool (github), the opposite of signtool.
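The check and the fix described above, as an added example that is not unsigntool's own code: it reads the certificate-table directory entry of a PE file, reports whether the block it points to fits inside the file, and clears the entry. All function names are hypothetical, and `make_sample` builds a constructed header-only PE32 image rather than a real setup.exe.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table

def security_dir_offset(pe: bytes) -> int:
    """File offset of the certificate-table entry in the data directories."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the COFF file header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)  # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        raise ValueError("no certificate-table entry")
    return dirs + 8 * SECURITY_DIR

def check_cert_table(pe: bytes) -> str:
    """Classify the entry; its address is a file offset, not an RVA."""
    addr, size = struct.unpack_from("<II", pe, security_dir_offset(pe))
    if addr == 0 and size == 0:
        return "absent"
    if addr == 0 or size == 0 or addr + size > len(pe):
        return "junk"  # block reads past the end of the file
    return "in-bounds"

def strip_cert_table(pe: bytes) -> bytes:
    """Zero the entry; drop the table itself only if it sits at end of file."""
    off = security_dir_offset(pe)
    addr, size = struct.unpack_from("<II", pe, off)
    out = bytearray(pe)
    struct.pack_into("<II", out, off, 0, 0)
    if check_cert_table(pe) == "in-bounds" and addr + size == len(pe):
        del out[addr:]
    return bytes(out)  # the optional-header CheckSum is not recomputed here

def make_sample(addr: int, size: int, trailing: int = 0) -> bytes:
    """Constructed minimal PE32 image: headers only, 16 data directories."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, addr, size)
    return dos + b"PE\0\0" + bytes(20) + bytes(opt) + bytes(trailing)
```
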