How to include entire certification path when signing code with signtool?

If you use Thawte then download their primaryca.cer.

Download it to the file primaryca.cer and sign your file with:

signtool sign /f certificate.pfx /p PASSWORD /ac primaryca.cer APP.exe

Should work.


Use /ac and pass the filename of the .cer in which your certificate is rooted (for Verisign it was called MSCV-VSClass3.cer last time I checked when signing kernel code or other special code).

signtool.exe sign /v /f "Avatar.pfx" 
      /ac "Thawte Code Signing CA - G2.cer" 
      -t "http://timestamp.verisign.com/scripts/timstamp.dll" app.exe

This should be given by your CA. Usually MS offers bundles for the various CAs it accepts within Windows.

See:

  • Windows root certificate program members
  • Cross-Certificates for Kernel Mode Code Signing

Either way, to my knowledge this is only required for kernel code and very specific other things (e.g. Windows Security Center).
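A worked version of the procedure from both answers, added here as an example and not taken from either answer or from Microsoft's documentation: it signs with `/ac`, verifies the result against the kernel-mode signing policy (`signtool verify /kp`, the check that fails when the cross-certificate is missing), and then parses the PE file's Certificate Table directly to list every certificate actually embedded in the PKCS#7 signature, so you can confirm the cross-certificate was included rather than trusting that the command line was right. The file names (`Avatar.pfx`, `cross.cer`, `app.exe`), the `PFX_PASSWORD` environment variable and the `Get-AuthenticodeCertificates` helper are assumptions for the example; the PE and WIN_CERTIFICATE offsets are from the PE/COFF specification.

```powershell
# Added example, not code from the original answers.
# Assumed inputs: .\Avatar.pfx, the CA's cross-certificate .\cross.cer, the target .\app.exe,
# and the PFX password in $env:PFX_PASSWORD. signtool.exe must be on PATH.
$Pfx      = '.\Avatar.pfx'
$CrossCer = '.\cross.cer'
$Target   = '.\app.exe'
$TsaUrl   = 'http://timestamp.verisign.com/scripts/timstamp.dll'

# 1. Sign. /ac adds the cross-certificate from the file to the signature's certificate set.
& signtool.exe sign /v /f $Pfx /p $env:PFX_PASSWORD /ac $CrossCer /t $TsaUrl $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit $LASTEXITCODE)" }

# 2. Verify with the kernel-mode driver signing policy. The default policy (/pa) chains to any
#    trusted root and passes even without the cross-certificate; /kp is the one that matters here.
& signtool.exe verify /v /kp $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify /kp failed (exit $LASTEXITCODE)" }

# 3. Independently list the certificates embedded in the Authenticode signature.
#    Hypothetical helper: walks the PE header to the Certificate Table (data directory 4),
#    strips the 8-byte WIN_CERTIFICATE header and decodes the PKCS#7 SignedData inside.
function Get-AuthenticodeCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $b  = [IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                     # e_lfanew -> "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "$Path is not a PE file" }
    $opt   = $pe + 24                                            # optional header after 20-byte COFF header
    $magic = [BitConverter]::ToUInt16($b, $opt)                  # 0x10B = PE32, 0x20B = PE32+
    # Data directory entry 4 (Certificate Table): offset 128 in PE32, 144 in PE32+; 8 bytes each
    $dir = if ($magic -eq 0x20B) { $opt + 144 } else { $opt + 128 }
    $off = [BitConverter]::ToInt32($b, $dir)                     # for this table it is a file offset, not an RVA
    $len = [BitConverter]::ToInt32($b, $dir + 4)
    if ($off -eq 0 -or $len -eq 0) { throw "$Path carries no Authenticode signature" }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[...]
    # The table is padded to 8 bytes, so trim to the DER length of the outer SEQUENCE.
    # A PKCS#7 blob is always longer than 127 bytes, so the long length form is assumed.
    if ($b[$off + 8] -ne 0x30 -or ($b[$off + 9] -band 0x80) -eq 0) { throw 'unexpected DER header' }
    $nLen   = $b[$off + 9] -band 0x7F
    $derLen = 0
    for ($i = 0; $i -lt $nLen; $i++) { $derLen = ($derLen -shl 8) -bor $b[$off + 10 + $i] }
    $p7Len = 2 + $nLen + $derLen
    $p7 = New-Object byte[] $p7Len
    [Array]::Copy($b, $off + 8, $p7, 0, $p7Len)

    Add-Type -AssemblyName System.Security                       # needed on Windows PowerShell 5.1
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($p7)
    return $cms.Certificates                                     # X509Certificate2Collection
}

$crossCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CrossCer
$embedded  = Get-AuthenticodeCertificates -Path $Target
$embedded | Format-Table Subject, Issuer, Thumbprint -AutoSize

# 4. Fail the build if the cross-certificate did not make it into the signature.
if ($embedded.Thumbprint -notcontains $crossCert.Thumbprint) {
    throw "cross-certificate '$($crossCert.Subject)' is not embedded in $Target"
}
Write-Host "OK: $Target is signed and embeds the cross-certificate $($crossCert.Thumbprint)"
```

Step 3 is the part worth keeping around: `Get-AuthenticodeSignature` only returns the leaf `SignerCertificate`, so it cannot tell you whether the cross-certificate is embedded. Decoding the PKCS#7 from the Certificate Table shows the full set that signtool wrote, and the thumbprint comparison makes the check deterministic even when the CA renames its cross-certificate file.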

Tags:

Code Signing