如何查找WiX RemotePayload的CertificatePublicKey哈希

时间:2012-09-18 15:41:42

标签: wix code-signing public-key-encryption authenticode

我正在尝试解析WiX RemotePayload哈希值,但我不确定如何找到CertificatePublicKey属性。

例如,从WiX 3.6源代码中获取.NET 4.0软件包定义:

  <Fragment>
    <util:RegistrySearchRef Id="NETFRAMEWORK40"/>

    <WixVariable Id="WixMbaPrereqPackageId" Value="NetFx40Redist" />
    <WixVariable Id="WixMbaPrereqLicenseUrl" Value="$(var.NetFx40EulaLink)" />

    <PackageGroup Id="NetFx40Redist">
      <ExePackage
          InstallCommand="/q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          RepairCommand="/q /norestart /repair /ChainingPackage &quot;[WixBundleName]&quot;"
          UninstallCommand="/uninstall /q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          PerMachine="yes"
          DetectCondition="NETFRAMEWORK40"
          Id="NetFx40Redist"
          Vital="yes"
          Permanent="yes"
          Protocol="netfx4"
          DownloadUrl="$(var.NetFx40RedistLink)"
          Compressed="no"
          Name="redist\dotNetFx40_Full_x86_x64.exe">
        <RemotePayload
            Size="50449456"
            Version="4.0.30319.1"
            ProductName="Microsoft .NET Framework 4"
            Description="Microsoft .NET Framework 4 Setup"
            CertificatePublicKey="672605E36DD71EC6B8325B91C5FE6971390CB6B6"
            CertificateThumbprint="9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F"
            Hash="58DA3D74DB353AAD03588CBB5CEA8234166D8B99"/>
      </ExePackage>
    </PackageGroup>
  </Fragment>

来自 wix36-sources \ src \ ext \ NetFxExtension \ wixlib \ NetFx4.wxs

我可以找到带有Hash ...

的sha1 fciv -sha1 dotNetFx40_Full_x86_x64.exe
  

58da3d74db353aad03588cbb5cea8234166d8b99 dotnetfx40_full_x86_x64.exe

我可以通过文件的属性对话框轻松找到匹配的CertificateThumbprint,或使用显示以下输出的signtool 

C:\redist>signtool verify /v /ph dotNetFx40_Full_x86_x64.exe

Verifying: dotNetFx40_Full_x86_x64.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 8E8582D10521962F45F33935C38A2412C4F2D4C7

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Aug 25 03:00:00 2012
        SHA1 hash: 3036E3B25B88A55B86FC90E6E9EAAD5081445166

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Mon Mar 07 18:40:29 2011
            SHA1 hash: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F

The signature is timestamped: Thu Mar 18 21:13:46 2010
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Sep 15 03:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Thu Jul 25 15:11:15 2013
            SHA1 hash: 4D6F357F0E6434DA97B1AFC540FB6FDD0E85A89F

SignTool Error: The signing certificate is not valid for the requested usage.
        This error sometimes means that you are using the wrong verification
        policy. Consider using the /pa option.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

哪种工具可以为CertificatePublicKey提供哈希?

编辑:不使用热量,我想了解哈希的来源。

编辑我知道如何在WiX源代码中完成此操作并且我可以执行
heat payload file -out file.wxs,但我正在寻找一些可以在不使用热量的情况下提供预期散列的外部工具。这真的只是为了满足我的好奇心。

2 个答案:

答案 0 :(得分:9)

如果您查看加热工具的源代码,它会使用Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo函数生成CertificatePublicKey

byte[] publicKeyIdentifierHash = new byte[128];
uint publicKeyIdentifierHashSize = (uint)publicKeyIdentifierHash.Length;

Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo(
    certificate.Handle, 
    publicKeyIdentifierHash, 
    ref publicKeyIdentifierHashSize);

StringBuilder sb = new StringBuilder(((int)publicKeyIdentifierHashSize + 1) * 2);
for (int i = 0; i < publicKeyIdentifierHashSize; ++i)
{
    sb.AppendFormat("{0:X2}", publicKeyIdentifierHash[i]);
}

this.PublicKey = sb.ToString();

您显然可以使用此代码生成指纹或根据Public Key fingerprints上的Wiki页面,您也可以使用命令行

ssh-keygen -lf /path/to/key.pub

问题是从证书生成一个符合RFC4716的ssh-keygen pub文件,这就是我被困住的地方。

我个人只是使​​用热命令行:

heat.exe payload PATH_TO_FILE -o Output.wxs

并且不用担心它实际上在做什么!! :)

答案 1 :(得分:1)

您可以在文件属性对话框中找到有关签名的所有信息:

  1. 在文件属性对话框中,单击签名选项卡。 File properties

  2. 点击详细信息,然后点击“查看证书”。 View Certificate

  3. 可以在“详细信息”标签上找到“公钥”等属性。 Certificate Details

  4. 如果您需要此公钥的哈希值,那么您可以使用标准哈希工具通过使用“复制到文件”按钮并对该文件进行哈希来获取它。

    我错了,“复制到文件”不会导出所选属性,而是导出整个证书。您可以将此值复制并粘贴到哈希程序或十六进制编辑器中以获取哈希值。

相关问题
最新问题