我不能使用我的代码证书来签署我的 .exe 文件（EKU 过滤器）

Question

我使用以下方法创建了代码证书：

$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -dnsname testcert.test.io
$cert 

$secPassword = ConvertTo-SecureString -String 'password1234' -Force -AsPlainText

$certPath = "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath C:\selfcert.pfx -Password $secPassword

我正在尝试使用它来签署我的 .exe 使用：

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\signtool.exe" sign /debug /f "C:\selfcert.pfx" /p password1234 "A:\mysoft\sign\myexe.EXE"

调试抛出这个：

The following certificates were considered:
    Issued to: testcert.test.io
    Issued by: testcert.test.io
    Expires:   Fri Aug 12 15:25:13 2022
    SHA1 hash: 0CDA91D628CA855B49FA1CB8DFD0F53C121BEB27

After EKU filter, 0 certs were left.
After expiry filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

运行 certmgr 在 Personal>certificates 中显示我的证书为 testcert.test.io （我想是因为 dnsname）

我的想法是，（这是我第一次尝试认证 .exe，所以我可能是错的）这意味着我的证书没有通过 EKU 过滤器，据我所知 EKU 过滤器意味着被列为受信任的证书（我不确定在那一个）

我究竟做错了什么？或者我缺少做什么？

Answer 1

您需要一个Code Signing证书，这意味着它具有带有代码签名对象标识符 (OID) 的扩展密钥用法 (EKU)。

$ku_codeSigning = "1.3.6.1.5.5.7.3.3";

  $codeSignCert = New-SelfSignedCertificate `
    -Type "CodeSigningCert" `
    -KeyExportPolicy "Exportable" `
    -Subject "..." `
    -KeyUsageProperty @("Sign") `
    -KeyUsage @("DigitalSignature") `
    -TextExtension @("2.5.29.37={text}$($ku_codeSigning)", "2.5.29.19={text}false") `
    -CertStoreLocation cert:\CurrentUser\My `
    -KeyLength 2048 `
    -NotAfter ([DateTime]::Now.AddDays(90)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -Signer $subCaCert;

该-Signer参数用于创建由根证书和子 CA 证书组成的信任链。

  $rootCaCert = New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -KeyUsageProperty "All" `
    -KeyUsage @("CertSign", "CrlSign") `
    -Subject "My Fake Root CA" `
    -CertStoreLocation cert:\LocalMachine\My `
    -NotAfter ([DateTime]::Now.AddYears(20)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -TextExtension @("2.5.29.19={text}cA=true&pathLength=1");

 $subCaCert = New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -KeyUsageProperty "All" `
    -KeyUsage @("CertSign", "CrlSign") `
    -Subject "My Fake Sub CA" `
    -CertStoreLocation cert:\LocalMachine\My `
    -NotAfter ([DateTime]::Now.AddYears(5)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -TextExtension @("2.5.29.19={text}cA=true&pathLength=0") `
    -Signer $rootCaCert;