我需要使用存储在company.pfx中的证书对Application.exe文件进行签名。所以,我使用了signtool:
signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
在详细信息中有一个属性“扩展错误信息”,表示“撤销状态:撤销功能无法检查吊销,因为撤销服务器处于脱机状态。”
要调查我在应用程序上使用sigcheck(-a键)的问题,它说“已验证:无法将证书链构建到受信任的根权限。”
然后我将pfx文件导入了reporitory,看起来证书还可以。
我搜索了有关我的主题的stackoverflow并找到了一些链接并且有所帮助。
How to create PFX with my chain of certificates?
How can I sign an ActiveX control with a code signing certificate and be a verified publisher?
解决方案是从pfx中提取证书(使用OpenSSL)并使用/ ac参数应用它
openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Cross certificate chain (using machine store):
Issued to: thawte Primary Root CA
Issued by: thawte Primary Root CA
Expires: Thu Jul 17 02:59:59 2036
SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
Issued to: Thawte Code Signing CA - G2
Issued by: thawte Primary Root CA
Expires: Sat Feb 08 02:59:59 2020
SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: Application.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
现在,数字安全详细信息中的消息是“数字签名正常。”
但我无法理解为什么我需要使用/ ac参数。有没有人有任何想法?
编辑。
我已经使用Application.exe验证了该应用程序的第一个版本(没有/ ac),它为我提供了更多信息:
signtool.exe verify /v /kp Application.exe
Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7
Signing Certificate Chain:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
“无法将证书链构建到受信任的根权限。”但为什么?
答案 0 :(得分:3)
我发现了一篇关于使用Thawte证书签名文件的文章: http://codingexpedition.wordpress.com/2011/04/21/thawte-code-signing-pfx/
似乎总是需要 / ac signtool选项。所以,我已经将Thawte证书提取到.cer文件中并将其应用于/ ac参数。
openssl pkcs12 -in company.pfx -out company_ca.pem -nokeys -cacerts
openssl x509 -in company_ca.pem -out company_ca.cer -outform DER
signtool sign /ac company_ca.cer /p password /f company.pfx /t timeserver /v Application.exe
它工作正常!
答案 1 :(得分:0)
看起来像是使用
中的旧版本C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe
也解决了这个问题。
答案 2 :(得分:0)
此问题可能是因为缺少中间证书。 比较两台计算机中的证书(通过双击同一台计算机)并观察“证书路径”选项卡。如果缺少任何中间证书节点,则从旧计算机导出相同的证书并将其导入新计算机。