如何查找WiX RemotePayload的CertificatePublicKey哈希

Question

如何查找WiX RemotePayload的CertificatePublicKey哈希

Jim*_*ert 7 wix code-signing authenticode public-key-encryption

我正在尝试解决WiX RemotePayload哈希问题,但我不确定该CertificatePublicKey属性是如何找到的.

例如,从WiX 3.6源代码中获取.NET 4.0软件包定义:

  <Fragment>
    <util:RegistrySearchRef Id="NETFRAMEWORK40"/>

    <WixVariable Id="WixMbaPrereqPackageId" Value="NetFx40Redist" />
    <WixVariable Id="WixMbaPrereqLicenseUrl" Value="$(var.NetFx40EulaLink)" />

    <PackageGroup Id="NetFx40Redist">
      <ExePackage
          InstallCommand="/q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          RepairCommand="/q /norestart /repair /ChainingPackage &quot;[WixBundleName]&quot;"
          UninstallCommand="/uninstall /q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          PerMachine="yes"
          DetectCondition="NETFRAMEWORK40"
          Id="NetFx40Redist"
          Vital="yes"
          Permanent="yes"
          Protocol="netfx4"
          DownloadUrl="$(var.NetFx40RedistLink)"
          Compressed="no"
          Name="redist\dotNetFx40_Full_x86_x64.exe">
        <RemotePayload
            Size="50449456"
            Version="4.0.30319.1"
            ProductName="Microsoft .NET Framework 4"
            Description="Microsoft .NET Framework 4 Setup"
            CertificatePublicKey="672605E36DD71EC6B8325B91C5FE6971390CB6B6"
            CertificateThumbprint="9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F"
            Hash="58DA3D74DB353AAD03588CBB5CEA8234166D8B99"/>
      </ExePackage>
    </PackageGroup>
  </Fragment>

Run Code Online (Sandbox Code Playgroud)

来自wix36-sources\src\ext\NetFxExtension\wixlib\NetFx4.wxs

我能找到的SHA1 Hash与fciv -sha1 dotNetFx40_Full_x86_x64.exe...

58da3d74db353aad03588cbb5cea8234166d8b99 dotnetfx40_full_x86_x64.exe

我可以CertificateThumbprint通过文件的属性对话框轻松找到匹配,或者使用signtool它来显示以下输出

C:\redist>signtool verify /v /ph dotNetFx40_Full_x86_x64.exe

Verifying: dotNetFx40_Full_x86_x64.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 8E8582D10521962F45F33935C38A2412C4F2D4C7

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Aug 25 03:00:00 2012
        SHA1 hash: 3036E3B25B88A55B86FC90E6E9EAAD5081445166

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Mon Mar 07 18:40:29 2011
            SHA1 hash: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F

The signature is timestamped: Thu Mar 18 21:13:46 2010
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Sep 15 03:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Thu Jul 25 15:11:15 2013
            SHA1 hash: 4D6F357F0E6434DA97B1AFC540FB6FDD0E85A89F

SignTool Error: The signing certificate is not valid for the requested usage.
        This error sometimes means that you are using the wrong verification
        policy. Consider using the /pa option.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

Run Code Online (Sandbox Code Playgroud)

什么工具可以提供哈希CertificatePublicKey？

编辑:不使用热量,我想了解哈希的来源.

编辑:我知道这是如何在WiX源代码中完成的,我可以执行
heat payload file -out file.wxs,但我正在寻找一些外部工具,可以提供预期的哈希值而不使用热量.这真的只是为了满足我的好奇心.

Answer 1

cav*_*ick 10

如果你看一下加热工具的源代码,它会使用该Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo函数来生成CertificatePublicKey.

byte[] publicKeyIdentifierHash = new byte[128];
uint publicKeyIdentifierHashSize = (uint)publicKeyIdentifierHash.Length;

Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo(
    certificate.Handle, 
    publicKeyIdentifierHash, 
    ref publicKeyIdentifierHashSize);

StringBuilder sb = new StringBuilder(((int)publicKeyIdentifierHashSize + 1) * 2);
for (int i = 0; i < publicKeyIdentifierHashSize; ++i)
{
    sb.AppendFormat("{0:X2}", publicKeyIdentifierHash[i]);
}

this.PublicKey = sb.ToString();

Run Code Online (Sandbox Code Playgroud)

您显然可以使用此代码生成指纹或根据公钥指纹上的Wiki页面,您也可以使用命令行

ssh-keygen -lf /path/to/key.pub

Run Code Online (Sandbox Code Playgroud)

问题是从证书生成一个符合RFC4716的ssh-keygen pub文件,这就是我被困住的地方.

我个人只是使用热命令行:

heat.exe payload PATH_TO_FILE -o Output.wxs

Run Code Online (Sandbox Code Playgroud)

并且不用担心它实际上在做什么!! :)

`heat.exe payload PATH_TO_FILE -o Output.wxs`是金童,在这里.非常感谢你! (3认同)

归档时间：	13 年，3 月前
查看次数：	2753 次
最近记录：	13 年，2 月前