I'm getting "SignTool Error: Access is Denied" when I attempt to sign a file. When I use an administrator cmd, all works fine. However, this process is going to be used in a TFS 2010 build process and using the InvokeProcess task with signtool gives the same access denied message as a non-administrator command prompt.

More info:

• On a Win2008 R2 enterprise machine.
• User is machine admin and on the domain.
• The TFS Build service is also set to run as this user.
• Using a self signed certificate created using these instructions: How do I create a self-signed certificate for code signing on Windows?

After following these instructions I have the following files:

• MyCA.cer
• MyCA.pvk
• MySPC.cer
• MySPC.pvk
• MySPC.pfx

MyCA is in my Trusted Root Certification Authorities I imported MySPC.pfx into personal certificates, following the advice here: SignTool error: Access is denied

To do the signing I'm using the thumbprint of the MySPC.pfx that was imported into the Personal section so my signtool command looks like:

sign /sha1 1e9d7b5ad98552d9c58944e3f3903e6b929f4819 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName"

Once again this works in Admin mode. This also works when running cmd as administrator:

sign /f "C:\Code Signing Non-Release\MySPC.pfx" /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName"

New to code signing in general, so any help is welcome.