This is great! I am going to utilize that in my own repos. OK, I finally got Windows to recognize my cert. Let me track through what I did and how I got it to work.
Originally I was using OpenSSL on a Linux server to generate the certs and private keys. I then used OpenSSL to convert those to a pfx file and was using that to sign stuff. Looks like that does not work too well.
I followed the post in this thread and that worked. To rehash what I did to make this work:
Notes before you begin: MakeCert.exe, pvk2pfx.exe, and signtool.exe are all located in C:\Program Files (x86)\Windows Kits\8.1\bin\x64\. I have already added this to my environment variables; make sure you do so too, otherwise you will have to specify in your command where to find these exes.
NOTE: MakeCert is deprecated according to official Microsoft sources, but at the time of this writing that command still works. They have an alternative PowerShell cmdlet that does the same thing, though I did not try that since MakeCert worked for me.
NOTE: The passwords can be the same here. The password I'm using here is from a prompt from Step 1. That prompt will ask you to supply a password for the private key or give you the option to press "none". Whichever you choose, supply that password in Step 2.
Step 3: Use CertMgr.msc to install your codesign.pfx file, NOT the certificate. Install it in Trusted Publishers, then in Trusted Root Certification Authorities.
NOTE: It's important here to click your .pfx file, as when I did this step the default was choosing the cert file. I'm unsure if this way is better than simply right-clicking and hitting "install cert", but it seems both will get you to the same spot.
Following this process I was able to get a valid digital signature. I'm not sure why generating it using OpenSSL on Linux was causing an issue, but there may be something to this method that works better.
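
Added example, not part of the original post: the same self-signed code-signing flow done with the PowerShell cmdlets that replace MakeCert, for a development machine. The subject name, file paths and sample script are constructed for illustration, and it assumes Windows PowerShell 5.1 or later run as the current user.

```powershell
# Self-signed code-signing certificate without MakeCert/pvk2pfx.
# Subject name, paths and the sample script below are constructed examples.
$ErrorActionPreference = 'Stop'

# 1. Create the key pair and certificate directly in the current user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Test Code Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public certificate. The private key stays in the My
#    store, so no password-protected .pfx has to be moved around.
$cerPath = Join-Path $env:TEMP 'example-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 3. Trust the certificate as a publisher and as a root for this user only.
#    Windows shows a confirmation dialog when adding to the Root store.
foreach ($store in 'TrustedPublisher', 'Root') {
    Import-Certificate -FilePath $cerPath `
        -CertStoreLocation "Cert:\CurrentUser\$store" | Out-Null
}

# 4. Sign a constructed sample script with the new certificate.
$target = Join-Path $env:TEMP 'example-signed.ps1'
Set-Content -Path $target -Value 'Write-Output "signed sample"'
Set-AuthenticodeSignature -FilePath $target -Certificate $cert | Out-Null

# 5. Verify: 'Valid' means the chain ends in a root this user trusts.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
'{0} signed by {1}, status {2}' -f $target, $sig.SignerCertificate.Subject, $sig.Status

# 6. When testing is finished, remove the trust entries again:
# Remove-Item "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
# Remove-Item "Cert:\CurrentUser\TrustedPublisher\$($cert.Thumbprint)"
```

Only the public .cer goes into the trust stores here; a test root should be removed once it is no longer needed, since anything signed by its key is trusted while it is installed.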