So I sign the binary with signtool from the Windows 8.1 SDK:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
When I look at it in the file properties, I can see the correct result.
However, when I run signtool verify on it, I get, depending on the arguments passed:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
With /pa and /pa /all I can see both timestamps:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
1 sha256 RFC3161
But when trying to verify against the kernel signing policy with /kp, signtool refuses to run together with /all:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.
So I have two questions:
/kp and /all don't work together)?
Is it better to run signtool verify twice, once with /pa /all and once with /kp, to see all timestamps and verify the kernel signing policy?
Answer 0: (score: 1)
I recently stumbled upon the same problem with /kp and /all, and discovered by accident that the order of the arguments matters. If you specify /kp /all, you get The /all option is incompatible with the /kp option. However, if I pass /all /kp, the verification goes through fine: it enumerates all signatures in the file and checks them all.
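The following PowerShell script is an added example, not code from the question or the answer above. It wraps the two verification passes discussed on this page, the default Authenticode policy over every signature (/pa /all) and the kernel-mode signing policy over every signature (/all /kp, in the argument order the answer reports as working), captures signtool's exit code, and parses the Index/Algorithm/Timestamp table so a build or release check can fail when either pass does not verify. The signtool path is the Windows 8.1 SDK path used in the question; the target path C:\build\foo.exe and the function name Invoke-SignToolVerify are assumptions for the example.

```powershell
# Added example: run both signtool verification passes over a signed binary
# and summarize the result. Not taken from the question or answer above.
# Assumptions: signtool.exe from the Windows 8.1 SDK at the path used in the
# question; the target path below is hypothetical.
$SignTool = 'C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe'

function Invoke-SignToolVerify {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Options   # e.g. '/pa','/all'
    )
    # signtool prints its signature table to stdout; capture stdout and stderr
    # together and keep the exit code (0 = success, 1 = failure, 2 = warnings).
    $output = & $SignTool verify @Options $Path 2>&1 | Out-String
    $exit = $LASTEXITCODE

    # Parse rows such as "0 sha1 Authenticode" or "1 sha256 RFC3161".
    $rows = [regex]::Matches($output, '(?m)^\s*(\d+)\s+(sha1|sha256)\s+(\S+)') |
        ForEach-Object {
            [pscustomobject]@{
                Index     = [int]$_.Groups[1].Value
                Algorithm = $_.Groups[2].Value
                Timestamp = $_.Groups[3].Value
            }
        }

    [pscustomobject]@{
        Options    = ($Options -join ' ')
        ExitCode   = $exit
        Signatures = @($rows)
        Output     = $output
    }
}

$target = 'C:\build\foo.exe'   # hypothetical target path

# Pass 1: default Authenticode policy over every signature
# (the sha1 primary signature and the appended sha256 signature).
$pa = Invoke-SignToolVerify -Path $target -Options '/pa','/all'

# Pass 2: kernel-mode signing policy over every signature.
# Argument order matters here: '/all' must precede '/kp', otherwise signtool
# reports "The /all option is incompatible with the /kp option".
$kp = Invoke-SignToolVerify -Path $target -Options '/all','/kp'

foreach ($r in @($pa, $kp)) {
    "verify $($r.Options): exit code $($r.ExitCode), $($r.Signatures.Count) signature(s) listed"
    $r.Signatures | Format-Table -AutoSize
}

# Treat a non-zero exit from either pass as a failed release check.
if ($pa.ExitCode -ne 0 -or $kp.ExitCode -ne 0) {
    Write-Error "Signature verification failed for $target"
}
```

Checking the exit code rather than the printed "Successfully verified" line is deliberate: signtool returns 2 when it verified with warnings, and a pipeline check should decide explicitly whether warnings are acceptable instead of grepping for a success message that may be absent in that case.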