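On our build server, we use signtool.exe to sign our artifacts.
The same arguments are passed to signtool.exe every time, but it sporadically fails or passes because the "Private Key filter" does not take our certificate.
We have been using this for a while, but we started seeing failures on the morning of March 27, 2019.
We launch the signtool.exe process with the following arguments: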
sign /fd sha256 /f "cert.p12" /p certPass /du hostSiteHere /v /debug /tr timeStampUrl "fileNames"
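Specs:
- signtool.exe is from the Windows 10 SDK
- The build server is hosted in AWS as a Windows 2016 Server EC2 instance
- Jenkins (v2.1.68) runs the builds using the Amazon EC2 plugin (v1.42)
Logs, depending on whether it passes or not: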
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
The following additional certificates will be attached:
Issued to: DigiCert SHA2 Assured ID Code Signing CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Oct 22 12:00:00 2028
SHA1 hash: digiCertSigningSha1Hash
Done Adding Additional Store
The following certificates were considered:
Issued to: myCompany, Inc.
Issued by: DigiCert SHA2 Assured ID Code Signing CA
Expires: Wed Oct 30 12:00:00 2019
SHA1 hash: myCertSha1Hash
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
No certificates were found that met all the given criteria.
Odd behaviors to note: