Colemak UK and signtool

I've just uploaded a signed version of my "Colemak UK" (colemauk) keyboard layout: colemauk installer (asc).

I remembered it wasn't signed when the Windows 8 beta started nagging me about it. I allocated a 5-minute task on my "to-do" list to fix it.

However, taking the generated binaries from before (and verifying them with GPG), signtool is perfectly happy to sign the MSIs and the DLLs, but the setup.exe, the actual launcher that asks for elevation in the first place gives:

$ signtool sign /a setup.exe
Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
        The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: setup.exe

Number of errors: 1


(Extensive) investigation with STUD_PE reveals that the certificate table, the location where signtool is expecting to find current certificates and write new ones, is full of junk; an address and a block that reads past the end of the file. While STUD_PE allows you to fix this, I elected to write a tool to automatically strip evidence of signatures from files: unsigntool (github), the opposite of signtool.

Commenting is disabled for this post.

Read more of Faux' blog