为什么我的代码签名(MS authenticode)验证失败？

Question

我发布了这个问题,并从Thawte获得了新的代码签名证书.

我按照说明(或者我认为)和代码签名声称成功,但是当我尝试验证工具显示错误时.

验证步骤的结果似乎表明它是正确的,但是存在错误并且没有解释错误存在的原因.

任何意见或建议都非常感谢.

命令行签署exe:

signtool sign /f mdt.pfx /p password /t http://timestamp.verisign.com/scripts/timstamp.dll test.exe

结果:

The following certificate was selected:
    Issued to: [my company]

    Issued by: Thawte Code Signing CA

    Expires:   4/23/2011 7:59:59 PM

    SHA1 hash: 7D1A42364765F8969E83BC00AB77F901118F3601


Done Adding Additional Store


Attempting to sign: test.exe

Successfully signed and timestamped: test.exe


Number of files successfully Signed: 1

Number of warnings: 0

Number of errors: 0

请注意,没有错误或警告.

现在,当我试图验证想象我的惊喜:

signtool verify /v test.exe

结果是:

Verifying: test.exe

SHA1 hash of file: 490BA0656517D3A322D19F432F1C6D40695CAD22
Signing Certificate Chain:
    Issued to: Thawte Premium Server CA

    Issued by: Thawte Premium Server CA

    Expires:   12/31/2020 7:59:59 PM

    SHA1 hash: 627F8D7827656399D27D7F9044C9FEB3F33EFA9A


        Issued to: Thawte Code Signing CA

        Issued by: Thawte Premium Server CA

        Expires:   8/5/2013 7:59:59 PM

        SHA1 hash: A706BA1ECAB6A2AB18699FC0D7DD8C7DE36F290F


            Issued to: [my company]

            Issued by: Thawte Code Signing CA

            Expires:   4/23/2011 7:59:59 PM

            SHA1 hash: 7D1A42364765F8969E83BC00AB77F901118F3601


The signature is timestamped: 4/27/2010 10:19:19 AM

Timestamp Verified by:
    Issued to: Thawte Timestamping CA

    Issued by: Thawte Timestamping CA

    Expires:   12/31/2020 7:59:59 PM

    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656


        Issued to: VeriSign Time Stamping Services CA

        Issued by: Thawte Timestamping CA

        Expires:   12/3/2013 7:59:59 PM

        SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D


            Issued to: VeriSign Time Stamping Services Signer - G2

            Issued by: VeriSign Time Stamping Services CA

            Expires:   6/14/2012 7:59:59 PM

            SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE



Number of files successfully Verified: 0

Number of warnings: 0

Number of errors: 1

Answer 1

尝试 Signtool verify /v /pa foo.exe

从使用SignTool验证文件签名(重点是我的)

SignTool verify MyControl.exe

如果前面的示例失败,则签名可能使用代码签名证书.SignTool默认使用Windows驱动程序策略进行验证.

以下命令使用默认的身份验证验证策略验证签名:

SignTool verify /pa MyControl.exe