If I shouldn’t --dsig off, where do I find this dsig ID?
I did look in Microsoft Management Console, but nothing jumped out at me from the personal Certificates section. I have a Sectigo EV certificate on an external USB token - its communicating via SafeNet Authentification Client.
The sign ID is the hash of your EV certificate. The PACE signature sits on top of the OS signature in your EV. And the wraptool will call the OS signtool anyway, so there is no reason to sign the aax beforehand yourself.
Usually pace information is covered under NDA, so I hope I didn’t tell anything more than the obvious here.
Your best bet is to email Sergio under the support email you find in the eden SDK. There is also a lot invaluable information in there.