I'm using signtool.exe v6.2.9200.20527 for its /tr and /td switch support. In the examples below, 0961...35d2 is the SHA1 thumbprint of the SHA256 code signing certificate in the current user's Personal > Certificates store.
Example 1: code signing with a SHA256 digest, no timestamp.

c:\>signtool.exe sign /fd sha256 /sha1 0961...35d2 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha256     None

Successfully verified: CertificateCheck.exe
Example 2: code signing with a SHA1 digest, no timestamp.

c:\>signtool.exe sign /fd sha1 /sha1 0961...35d2 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha1       None

Successfully verified: CertificateCheck.exe
Example 3: dual signing with a SHA256 digest and a SHA1 digest, both timestamped.

c:\>signtool.exe sign /fd sha256 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha256 CertificateCheck.exe
c:\>signtool.exe sign /as /fd sha1 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha1 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161
1      sha1       RFC3161
Using signtool verify /v I can also see the certificate details and the certificate trust chain...
c:\>signtool.exe verify /all /pa /v CertificateCheck.exe

Verifying: CertificateCheck.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   Sun Mar 18 20:00:00 2029
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   Fri Aug 02 20:00:00 2019
        SHA1 hash: 4E34...36FF

            Issued to: Example Company Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   Fri May 11 02:17:24 2018
            SHA1 hash: 0961...35D2

The signature is timestamped: Wed May 06 13:51:05 2015
Timestamp Verified by:
    Issued to: GlobalSign Root CA
    Issued by: GlobalSign Root CA
    Expires:   Fri Jan 28 22:00:00 2028
    SHA1 hash: B1BC...829C

        Issued to: GlobalSign Timestamping CA - G2
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 22:00:00 2028
        SHA1 hash: C0E4...5B71

            Issued to: GlobalSign TSA for Standard - G2
            Issued by: GlobalSign Timestamping CA - G2
            Expires:   Tue Mar 03 10:00:00 2026
            SHA1 hash: 19E1...65B6

Signature Index: 1
Hash of file (sha1): CFA4...7863

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   Sun Mar 18 20:00:00 2029
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   Fri Aug 02 20:00:00 2019
        SHA1 hash: 4E34...36FF

            Issued to: Example Company Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   Fri May 11 02:17:24 2018
            SHA1 hash: 0961...35D2

The signature is timestamped: Wed May 06 13:51:06 2015
Timestamp Verified by:
    Issued to: GlobalSign Root CA
    Issued by: GlobalSign Root CA
    Expires:   Fri Jan 28 22:00:00 2028
    SHA1 hash: B1BC...829C

        Issued to: GlobalSign Timestamping CA - G2
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 22:00:00 2028
        SHA1 hash: C0E4...5B71

            Issued to: GlobalSign TSA for Standard - G2
            Issued by: GlobalSign Timestamping CA - G2
            Expires:   Tue Mar 03 10:00:00 2026
            SHA1 hash: 19E1...65B6

Successfully verified: CertificateCheck.exe

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
We also dual-sign our ClickOnce .application and .manifest files using a combination of Mage.exe and SignTool.exe, but SignTool verify doesn't seem to work with .application and .manifest files:
c:\>signtool.exe verify /all /pa /v CertificateCheck.application

Verifying: CertificateCheck.application
SignTool Error: This file format cannot be verified because it is not recognized.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1

c:\>signtool.exe verify /all /pa /v CertificateCheck.exe.manifest

Verifying: CertificateCheck.exe.manifest
SignTool Error: This file format cannot be verified because it is not recognized.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1
We can open the .manifest and .application files in an XML-aware editor and see that the base64-encoded signature has in fact been added, but is there an equivalent of SignTool verify that lets me view the signature and/or the attached certificate trust chain from the command line? Or am I just getting this wrong? I want to do this so we can add a test step to our build script.
More information...

OK, this looks like a version-related problem.

I've collected a few different versions of SignTool to try various things. The v5 series has a variety of verify /manifest switches, which none of the v6 series I've come across have. On the other hand, the v6 series supports SHA2 certificates and algorithms, whereas the v5 series doesn't much like them.

Using signtool.exe v5.2.3790.2568 I can check the strong name (application identity) with:

signtool verify /manifest /snonly /v CertificateChecker.application
Successfully verified: CertificateChecker.application
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
But if I try to display the certificate trust chain (which contains a SHA256 certificate), it errors:
signtool verify /manifest /pa /v CertificateChecker.application

SignTool Error: CryptVerifyManifestFile returned error: 0x800B0004
        The subject is not trusted for the specified action.

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   2029-03-18 8:00:00 PM
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   2019-08-02 8:00:00 PM
        SHA1 hash: 4E34...A36FF

            Issued to: Example Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   2018-05-11 2:17:24 AM
            SHA1 hash: 0961...A35D2

File is not timestamped.

SignTool Error: File not valid: CertificateChecker.application

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
So I'm left with a variation on my original question: is there a replacement for SignTool verify for ClickOnce .application and .manifest files... one that supports SHA256?
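Since the stated goal is a test step in a build script, here is an added example (mine, not from the question or from SignTool) that turns the verbose `signtool verify /all /pa /v` output shown above into a pass/fail gate: it parses each "Signature Index" block, takes the last certificate printed under "Signing Certificate Chain" as the signer, compares its SHA1 hash with the expected thumbprint, and requires a timestamp and both file-hash algorithms. The two sample outputs are constructed from this page's own output (trimmed, with hashes left truncated as the page shows them), and the policy values are assumptions. It only interprets what signtool reports; signtool still does the cryptographic verification, so treat a non-zero signtool exit code as a failure before this parser is consulted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed from the `signtool verify /all /pa /v` output shown on this
# page. Hashes stay truncated with "..." exactly as the page shows them; real output has
# full hex digests, which the regexes below accept just the same.
DUAL_SIGNED_OUTPUT = """\
Verifying: CertificateCheck.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1
Signing Certificate Chain:
    Issued to: GlobalSign
    SHA1 hash: D69B...76AD
        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        SHA1 hash: 4E34...36FF
            Issued to: Example Company Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:05 2015
Timestamp Verified by:
    Issued to: GlobalSign Root CA
    SHA1 hash: B1BC...829C
Signature Index: 1
Hash of file (sha1): CFA4...7863
Signing Certificate Chain:
    Issued to: GlobalSign
    SHA1 hash: D69B...76AD
        Issued to: Example Company Pty Ltd
        SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:06 2015
Timestamp Verified by:
    Issued to: GlobalSign TSA for Standard - G2
    SHA1 hash: 19E1...65B6
Successfully verified: CertificateCheck.exe
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
"""

# Constructed sample corresponding to example 1 on the page (SHA256 only, no timestamp).
UNTIMESTAMPED_OUTPUT = """\
Verifying: CertificateCheck.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1
Signing Certificate Chain:
    Issued to: Example Company Pty Ltd
    SHA1 hash: 0961...35D2
File is not timestamped.
Successfully verified: CertificateCheck.exe
Number of signatures successfully Verified: 1
Number of warnings: 0
Number of errors: 0
"""


@dataclass
class SignatureInfo:
    index: int
    file_hash_alg: str = ""
    chain: list = field(default_factory=list)  # root first, leaf last, as signtool prints them
    timestamped: bool = False


def parse_signtool_verbose(text):
    """Parse `signtool verify /v` output into per-signature records plus the summary counts."""
    sigs, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Signature Index: (\d+)", line)
        if m:
            cur = SignatureInfo(int(m.group(1)))
            sigs.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = re.match(r"Hash of file \((\w+)\):", line)
        if m:
            cur.file_hash_alg = m.group(1).lower()
        elif line.startswith("Signing Certificate Chain:"):
            section = "chain"
        elif line.startswith("Timestamp Verified by:"):
            section = "tsa"  # TSA chain entries must not be mistaken for the signer's chain
        elif line.startswith("The signature is timestamped:"):
            cur.timestamped = True
        elif section == "chain":
            m = re.match(r"Issued to: (.+)", line)
            if m:
                cur.chain.append({"issued_to": m.group(1), "sha1": None})
            m = re.match(r"SHA1 hash: (\S+)", line)
            if m and cur.chain:
                cur.chain[-1]["sha1"] = m.group(1).upper()

    def count(label):
        m = re.search(label + r": (\d+)", text)
        return int(m.group(1)) if m else -1

    return sigs, count("Number of signatures successfully Verified"), count("Number of errors")


def check_signing_policy(text, expected_leaf_sha1, required_algs=("sha256", "sha1"),
                         require_timestamp=True):
    """Return the list of policy violations; an empty list means the file passes the gate."""
    sigs, verified, errors = parse_signtool_verbose(text)
    expected = expected_leaf_sha1.upper()
    problems = []
    if errors != 0:
        problems.append(f"signtool reported {errors} error(s)")
    if verified != len(sigs):
        problems.append(f"found {len(sigs)} signature(s) but signtool verified {verified}")
    present = {s.file_hash_alg for s in sigs}
    problems += [f"missing {alg} signature" for alg in required_algs if alg not in present]
    for s in sigs:
        leaf = s.chain[-1]["sha1"] if s.chain else None
        if leaf != expected:
            problems.append(f"signature {s.index}: signer thumbprint {leaf} is not {expected}")
        if require_timestamp and not s.timestamped:
            problems.append(f"signature {s.index}: not timestamped")
    return problems


if __name__ == "__main__":
    # In a build step, feed this the captured stdout of `signtool verify /all /pa /v <file>`.
    for name, out in (("dual-signed", DUAL_SIGNED_OUTPUT), ("untimestamped", UNTIMESTAMPED_OUTPUT)):
        print(name, check_signing_policy(out, "0961...35d2") or "OK")
```

The timestamp requirement matters for the build gate: without an RFC3161 timestamp the signature stops validating once the signing certificate expires (May 2018 in the output above), which is exactly the case the untimestamped sample flags.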
Answer 0 (score: 0)

mage.exe
Manifest Generation and Editing Tool

mage -s CertificateCheck.application

I'm not aware of a way to verify from the CLI.
Answer 1 (score: 0)

Use this code to verify a ClickOnce manifest:
// based on tip from http://www.pcreview.co.uk/threads/tool-for-clickonce-maifest-and-application-signature-validation.3308405/#post-11299058
using System;
using System.Security.Cryptography;
using System.Xml;
using System.Xml.Linq;
using System.Xml.XPath;

internal static class Program
{
    private static ManifestSignatureInformationCollection GetClickOnceManifestSignature(string manifestPath)
    {
        // ClickOnce has two manifest kinds: the application manifest (.exe.manifest) and the
        // deployment manifest (.application). VerifySignature has to be told which one it gets.
        bool isApplicationManifest;
        if (manifestPath.EndsWith(".exe.manifest", StringComparison.OrdinalIgnoreCase))
        {
            isApplicationManifest = true;
        }
        else if (manifestPath.EndsWith(".application", StringComparison.OrdinalIgnoreCase))
        {
            isApplicationManifest = false;
        }
        else
        {
            throw new InvalidOperationException("Unrecognized manifest type, expected either application manifest (.exe.manifest) or deployment manifest (.application)");
        }

        // Rebuild the application identity string from the manifest's assemblyIdentity element.
        XmlNamespaceManager namespaceManager = new XmlNamespaceManager(new NameTable());
        namespaceManager.AddNamespace("asmv1", "urn:schemas-microsoft-com:asm.v1");
        XElement assemblyIdentityXml = XDocument.Load(manifestPath).XPathSelectElement("/asmv1:assembly/asmv1:assemblyIdentity", namespaceManager);
        if (assemblyIdentityXml == null)
        {
            throw new InvalidOperationException("No assemblyIdentity element found in " + manifestPath);
        }
        string applicationIdentityPart = string.Format(
            "{0}, Version={1}, Culture={2}, PublicKeyToken={3}, processorArchitecture={4}",
            assemblyIdentityXml.Attribute("name").Value,
            assemblyIdentityXml.Attribute("version").Value,
            assemblyIdentityXml.Attribute("language").Value,
            assemblyIdentityXml.Attribute("publicKeyToken").Value,
            assemblyIdentityXml.Attribute("processorArchitecture").Value);
        if (isApplicationManifest)
        {
            applicationIdentityPart += ", type=" + assemblyIdentityXml.Attribute("type").Value;
        }

        // A full identity is "<deployment identity>/<application identity>"; the same part is
        // used for both halves here, and the manifest path is passed for both manifest slots.
        return ManifestSignatureInformation.VerifySignature(
            ActivationContext.CreatePartialActivationContext(
                new ApplicationIdentity(applicationIdentityPart + "/" + applicationIdentityPart),
                new[] { manifestPath, manifestPath }),
            isApplicationManifest ? ManifestKinds.Application : ManifestKinds.Deployment);
    }

    private static bool IsTrusted(ManifestSignatureInformationCollection signatures)
    {
        // AuthenticodeSignature is null when the manifest carries no Authenticode signature.
        if (signatures.Count == 0 || signatures[0].AuthenticodeSignature == null)
        {
            return false;
        }
        TrustStatus status = signatures[0].AuthenticodeSignature.TrustStatus;
        return status == TrustStatus.KnownIdentity || status == TrustStatus.Trusted;
    }

    private static void Main(string[] args)
    {
        ManifestSignatureInformationCollection resultDeployment = GetClickOnceManifestSignature(@"path\to\DeploymentManifest.application");
        ManifestSignatureInformationCollection resultApplication = GetClickOnceManifestSignature(@"path\to\ApplicationManifest.exe.manifest");
        Console.WriteLine("Deployment manifest is trusted: " + IsTrusted(resultDeployment));
        Console.WriteLine("Application manifest is trusted: " + IsTrusted(resultApplication));
    }
}
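As an added example that is not part of the answer above (and uses stdlib Python rather than the .NET ManifestSignatureInformation API the answer relies on): when what you need from the command line is to see which certificate and which algorithms a ClickOnce manifest was signed with, the XMLDSig structure can be read directly. The manifest built below is constructed and simplified: the real layout (a strong-name Signature whose KeyInfo wraps an Authenticode Signature inside msrel:RelData) is assumed, digest and signature values are placeholders, and the certificate bytes are a stand-in rather than a real DER certificate. Nothing here validates a signature cryptographically, so it complements, not replaces, the trust check in the answer; what it adds is a scriptable thumbprint and algorithm check, including catching a manifest that was Authenticode-signed with SHA1.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ASM1 = "{urn:schemas-microsoft-com:asm.v1}"

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
DIGEST_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
DIGEST_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA1_ALGORITHMS = {RSA_SHA1, DIGEST_SHA1}

# Constructed stand-in for the DER leaf certificate: NOT a real certificate, so the
# thumbprint derived from it is illustrative only. In a real manifest the X509Certificate
# element holds the DER certificate, and SHA1(DER) is the thumbprint signtool/certmgr show.
FAKE_CERT_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_THUMBPRINT = hashlib.sha1(FAKE_CERT_DER).hexdigest().upper()


def build_sample_manifest(auth_sig_alg, auth_digest_alg):
    """Constructed, trimmed deployment manifest (not real ClickOnce output); the nesting of
    the Authenticode signature inside the strong-name signature's KeyInfo is assumed."""
    cert_b64 = base64.b64encode(FAKE_CERT_DER).decode()
    return f"""<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity name="CertificateCheck.application" version="1.0.0.0"
    publicKeyToken="0123456789abcdef" language="neutral" processorArchitecture="msil"
    xmlns="urn:schemas-microsoft-com:asm.v1" />
  <Signature Id="StrongNameSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <SignatureMethod Algorithm="{RSA_SHA256}" />
      <Reference URI=""><DigestMethod Algorithm="{DIGEST_SHA256}" /><DigestValue>AAAA</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo>
      <msrel:RelData xmlns:msrel="http://schemas.microsoft.com/windows/rel/2005/reldata">
        <r:license xmlns:r="urn:mpeg:mpeg21:2003:01-REL-R-NS"><r:issuer>
          <Signature Id="AuthenticodeSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
              <SignatureMethod Algorithm="{auth_sig_alg}" />
              <Reference URI=""><DigestMethod Algorithm="{auth_digest_alg}" /><DigestValue>AAAA</DigestValue></Reference>
            </SignedInfo>
            <SignatureValue>AAAA</SignatureValue>
            <KeyInfo><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>
          </Signature>
        </r:issuer></r:license>
      </msrel:RelData>
    </KeyInfo>
  </Signature>
</asmv1:assembly>"""


SAMPLE_SHA256_MANIFEST = build_sample_manifest(RSA_SHA256, DIGEST_SHA256)
SAMPLE_SHA1_MANIFEST = build_sample_manifest(RSA_SHA1, DIGEST_SHA1)


def inspect_manifest(xml_text):
    """Return (assemblyIdentity attributes, [summary per Signature]) without validating anything."""
    root = ET.fromstring(xml_text)
    ident = root.find(ASM1 + "assemblyIdentity")
    identity = dict(ident.attrib) if ident is not None else {}
    summaries = []
    # iter() walks every descendant, so the Authenticode signature nested inside the
    # strong-name signature's KeyInfo is found along with the outer one, in document order.
    for sig in root.iter(DS + "Signature"):
        method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
        certs = sig.findall(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
        summaries.append({
            "id": sig.get("Id"),
            "signature_method": method.get("Algorithm") if method is not None else None,
            "digest_methods": [d.get("Algorithm") for d in
                               sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")],
            # thumbprint = SHA1 over the DER certificate bytes
            "cert_thumbprints": [hashlib.sha1(base64.b64decode("".join(c.text.split()))).hexdigest().upper()
                                 for c in certs],
        })
    return identity, summaries


def check_manifest(xml_text, expected_thumbprint, allow_sha1=False):
    """Structural policy gate: returns a list of findings (empty list = passes)."""
    identity, summaries = inspect_manifest(xml_text)
    by_id = {s["id"]: s for s in summaries}
    problems = []
    if not identity.get("publicKeyToken"):
        problems.append("assemblyIdentity has no publicKeyToken")
    if "StrongNameSignature" not in by_id:
        problems.append("no StrongNameSignature element")
    auth = by_id.get("AuthenticodeSignature")
    if auth is None:
        problems.append("no AuthenticodeSignature element (manifest is not Authenticode-signed)")
        return problems
    if expected_thumbprint.upper() not in auth["cert_thumbprints"]:
        problems.append(f"signer thumbprint {auth['cert_thumbprints']} is not {expected_thumbprint.upper()}")
    if not allow_sha1:
        for alg in [auth["signature_method"], *auth["digest_methods"]]:
            if alg in SHA1_ALGORITHMS:
                problems.append(f"AuthenticodeSignature uses SHA1 algorithm {alg}")
    return problems


if __name__ == "__main__":
    # For a real file: check_manifest(open(path, encoding="utf-8").read(), "<thumbprint>")
    print("sha256 manifest:", check_manifest(SAMPLE_SHA256_MANIFEST, SAMPLE_THUMBPRINT) or "OK")
    print("sha1 manifest:  ", check_manifest(SAMPLE_SHA1_MANIFEST, SAMPLE_THUMBPRINT) or "OK")
```

Because this reads the manifest rather than validating it, an attacker who can rewrite the file can trivially satisfy it; its place is next to a real verification (the answer's VerifySignature call, or a signtool run on the accompanying executable), as a cheap check that the right certificate and digest algorithm were used.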
Answer 2 (score: -1)

Not that I know of. The idiots at Microsoft sometimes amaze me.

Old signtool.exes don't support SHA256. New versions do, but don't support signing manifests (why did M$ remove that feature?!). mage.exe doesn't support HSM certificate servers unless you know the private key (which is the whole point of using such a server to protect the certificate). Brilliant.