You may experience the following issues when you try to sign a Portable Executable (PE) file by using the SignTool tool on Windows:
- Failure to sign a PE file that is 4 gigabytes (GB) or larger. When you try to sign, you receive an “invalid parameter (0x80080057)” error message.
- For files that are larger than 4 GB, the generated hash may not be accurate even though SignTool may otherwise successfully sign the file.
Note This is especially true of .cat files.
This issue occurs for PE files such as .exe, .sys, and so on.
This issue occurs because of a ULONG variable in the PE header that specifies the image size. (The image size is 2 GB for down-level operating systems, such as Vista and earlier versions.)
This is a design limitation since 1996. The maximum limit for this value is 4 GB for PE files, such as .exe and .sys. Although .cat files are usually signable, the internal hash that's generated may not be accurate.
To work around this issue until it is resolved, make sure that any PE file that you try to sign is less than 4 GB.
Because of backward compatibility risks, neither backports nor a permanent fix are currently possible. However, this issue is being investigated.
Note This issue isn't specific to SignTool. The design of the PE header is limited to 4 GB for Windows 7 and later Windows versions, regardless of which tool is used.
Frequently asked questions (FAQ)
Q1: What is the current, official file size limit for a digital signature (and time stamp counter-signature) on Windows?
A1: For PE files such as .exe and .sys, the maximum file size for signing is 4 GB.
Q2: Is there a particular version of Windows, such as Windows Server 2016, that has the most capability to sign large files?
A2: No, the issue affects all versions of Windows.
Q3: Does the 64-bit version of Signtool have better support for this functionality than the 32-bit version does?
A: No, the 64-bit version of SignTool uses the same values as the 32-bit version. Therefore, the issue remains in 64-bit.
Q4: Would customers who are using a 32-bit version of Windows potentially experience issues if they try to use files that were signed by using the 64-bit version of SignTool?
A: No. However, the limitations would remain regardless of which version of SignTool is used.
Q5: Should we be using a different signing tool or method altogether?
A: We currently have no alternative method for digital signing.