After code-signing my code with Authenticode, I run into problems when executing the application. This is what I do:
In detail:
C:\temp\signtest>more SimpleApp.cpp
#include "stdafx.h"
#include <iostream>
using namespace std;
int _tmain(int argc, _TCHAR* argv[])
{
cout << "Hello World from Simple App!" << endl;
return 0;
}
C:\temp\signtest>cl SimpleApp.cpp /c /EHsc
Microsoft (R) C/C++ Optimizing Compiler Version 17.00.61030 for x86
Copyright (C) Microsoft Corporation. All rights reserved.
SimpleApp.cpp
C:\temp\signtest>link /INTEGRITYCHECK /OUT:SignedApp.exe SimpleApp.obj
Microsoft (R) Incremental Linker Version 11.00.61030.0
Copyright (C) Microsoft Corporation. All rights reserved.
C:\temp\signtest>signtool sign /t http://timestamp.digicert.com /f Code-Signing-Key.p12 /p mysecretpwd SignedApp.exe
Done Adding Additional Store
Successfully signed and timestamped: SignedApp.exe
C:\temp\signtest>SignedApp
The system cannot execute the specified program.
According to WinDbg, the system error code is:
Error Code 577: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged [ERROR_INVALID_IMAGE_HASH (0x241)]
I bought a DigiCert code signing certificate. Its root CA is in the certificate store.
What is going on? Why is the EXE no longer executable?
Answer 0 (score: 1)
It took me a while to find out how to properly sign a PE image while keeping it executable: the cross-certificate has to be integrated into the embedded digital signature, and it has to be a cross-certificate explicitly trusted by Microsoft (see https://msdn.microsoft.com/en-us/library/windows/hardware/dn170454%28v=vs.85%29.aspx).
Sample:
signtool sign /f <private_key_file> /p <private_key_password> /ac <cross_certificate_ca> /d "<description>" /du "<description_url>" /t <timestamp_server_url> /v /ph <pe_image>
In my case:
signtool sign /f Code-Signing-Key.p12 /p mysecretpwd /ac DigiCert_Assured_ID_Root_CA.crt /t http://timestamp.digicert.com /v /ph SignedApp.exe
Now it looks much better:
C:\temp\signtest>SignedApp
Hello World from SimpleApp!
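As an added example (not part of the question or the answer above): the two header facts behind this failure are the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit that link /INTEGRITYCHECK sets, which tells the loader to refuse any image whose Authenticode signature does not verify under Windows code-integrity policy, and the security directory that signtool fills with the PKCS#7 SignedData. The Python script below reads both from a PE file and says which of the three situations the file is in. It is my own code, it only parses headers, and it cannot check the certificate chain itself; for that, run `signtool verify /kp /v SignedApp.exe` on Windows, which verifies against the kernel-mode (cross-certificate) signing policy. The sample PE bytes it tests itself against are constructed inline, not taken from SignedApp.exe.

```python
"""Report FORCE_INTEGRITY and embedded-signature state of a PE file (added example)."""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080   # set by link /INTEGRITYCHECK
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                   # certificate table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002              # Authenticode PKCS#7 blob


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and return the loader-relevant facts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                  # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                             # PE32+: data directories at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]    # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike every other directory, the security entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    info = {
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "signed": sec_off != 0 and sec_size != 0,
        "cert_type": None,
    }
    if info["signed"]:
        # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
        info["cert_type"] = cert_type
    return info


def classify(info: dict) -> str:
    """What the loader will do, as far as the headers alone can tell."""
    if not info["force_integrity"]:
        return "no-force-integrity"          # signature not enforced at load time
    if not info["signed"]:
        return "force-integrity-unsigned"    # fails with ERROR_INVALID_IMAGE_HASH (0x241)
    return "force-integrity-signed"          # chain must still reach a Microsoft-trusted root


def build_sample_pe(force_integrity: bool, signed: bool) -> bytes:
    """Constructed minimal PE32 header (no sections, not loadable) for self-testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY if force_integrity else 0)
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + len(opt)
    cert = b""
    if signed:
        # Placeholder WIN_CERTIFICATE; a real one carries the PKCS#7 SignedData.
        blob = b"\x30\x82" + b"\0" * 14
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return dos + coff + bytes(opt) + cert


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        result = inspect_pe(f.read())
    print(result, classify(result))
```

Run as `python pe_integrity_check.py SignedApp.exe`. A result of `force-integrity-signed` means the signature is present and the remaining question is the one the answer resolves: whether the chain, including the /ac cross-certificate, reaches a root that Windows code integrity trusts. Dropping /INTEGRITYCHECK from the link line would also make the program start, but at the cost of the load-time check the flag exists to provide.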