cct*_*tor 7 openssl digital-signature signtool
我需要使用company.pfx 中存储的证书对Application.exe 文件进行签名。所以,我使用了signtool:
signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Signtool 说没有错误。但在数字签名详细信息中,有一条消息“无法验证签名中的证书”。并且没有认证路径。
在“详细信息”中,有一个属性“扩展错误信息”,表示“吊销状态:吊销功能无法检查吊销,因为吊销服务器已离线”。
为了调查这个问题,我在应用程序上使用了 sigcheck(-a key),它显示“已验证:无法为受信任的根颁发机构构建证书链。”
然后我将 pfx 文件导入存储库,看起来证书没问题。
我在 stackoverflow 上搜索了有关我的主题的信息,找到了一些链接,它很有帮助。
如何使用代码签名证书对 ActiveX 控件进行签名并成为经过验证的发布者?
解决方案是从 pfx 中提取证书(使用 OpenSSL)并使用 /ac 参数应用它
openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Cross certificate chain (using machine store):
Issued to: thawte Primary Root CA
Issued by: thawte Primary Root CA
Expires: Thu Jul 17 02:59:59 2036
SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
Issued to: Thawte Code Signing CA - G2
Issued by: thawte Primary Root CA
Expires: Sat Feb 08 02:59:59 2020
SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: Application.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
现在“数字安全详细信息”中的消息是“数字签名正常”。
但我不明白为什么我需要使用 /ac 参数。有人有什么想法吗?
已编辑。
我已经使用 Application.exe 验证了该应用程序的第一个版本(不带 /ac),它为我提供了更多信息:
signtool.exe verify /v /kp Application.exe
Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7
Signing Certificate Chain:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
“无法为受信任的根颁发机构构建证书链。” 但为什么?
我找到了一篇关于使用 Thawte 证书签署文件的文章: http://codingexpedition.wordpress.com/2011/04/21/thawte-code-signing-pfx/
似乎/ac signtool 选项始终是必需的。因此,我已将 Thawte 证书提取到 .cer 文件中,并使用 /ac 参数应用它。
openssl pkcs12 -in company.pfx -out company_ca.pem -nokeys -cacerts
openssl x509 -in company_ca.pem -out company_ca.cer -outform DER
signtool sign /ac company_ca.cer /p password /f company.pfx /t timeserver /v Application.exe
而且效果很好!
| 归档时间: |
|
| 查看次数: |
12313 次 |
| 最近记录: |