Code signing an Excel add-in makes Excel think it has been tampered with

Time: 2016-10-25 14:45:25

Tags: code-signing excel-dna

We've created an Excel DNA AddIn and we've got it ready for the wild. As such, we'd like to sign it with our organization's code signing certificate.

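So after receiving the pfx certificate, I installed it to my personal store, grabbed the thumbprint, and used the SignFile task in our .csproj file to create signed output files on a release build.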

Here is the code in the csproj file. It's worth noting that there is an AfterBuild target that copies the output files to the out directory and renames them.

<Target Name="SignOutputs" AfterTargets="AfterBuild"
          Condition="$(Configuration) == 'Release'">
  <PropertyGroup>
    <FileToSign32>$(SolutionDir)out\AddIn.xll</FileToSign32>
    <FileToSign64>$(SolutionDir)out\AddIn64.xll</FileToSign64>
    <CertificateThumbprint>8ccfeae0....</CertificateThumbprint>
    <TimestampUrl>http://timestamp.digicert.com</TimestampUrl>
  </PropertyGroup>
  <SignFile CertificateThumbprint="$(CertificateThumbprint)" SigningTarget="$(FileToSign32)" TimestampUrl="$(TimestampUrl)" />
  <SignFile CertificateThumbprint="$(CertificateThumbprint)" SigningTarget="$(FileToSign64)" TimestampUrl="$(TimestampUrl)" />
</Target>

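This signs the output files correctly. When you look at the digital signatures of the files, they're all happy and good - "This digital signature is OK" and so on. The certificate still has 3 years on it, so we're definitely in date.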

Running signtool verify on it works too.

signtool verify /v /pa "AddIn.xll"

Verifying: AddIn.xll
Signature Index: 0 (Primary Signature)
Hash of file (sha256): Hash here

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: Hash here

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: Hash here

            Issued to: Us
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Wed Oct 09 13:00:00 2019
            SHA1 hash: Hash here

The signature is timestamped: Tue Oct 25 11:29:42 2016
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: Hash here

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: Hash here

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: Hash here

Successfully verified: AddIn.xll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

I figured this meant it was all signed and happy. So I went ahead and ran it in Excel, and got a warning message:

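Warning: The digital signature on this application add-in is invalid and cannot
be trusted. Application add-in is disabled.

Confused, bewildered and befuddled, I dug around until I stumbled upon enabling logging for the Trust Center. Then I managed to find the Trust Center logs. For the AddIn, it had this entry.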

---
Content Type: Add-in DLL
Binary: "C:\development\out\AddIn.xll"
Certificate: Us
Certificate Signature: DigiCert SHA2 Assured ID Code Signing CA
Certificate Status: Tampered
Trust Center Decision: Block Content
User Decision: Block Content
Error Code: 80096001

According to this, 80096001 apparently maps to this message: "A system-level error occurred while verifying trust".

That doesn't give me much to go on. I can't see anything obviously wrong, but I may be missing something.

Signing with signtool from a dev command prompt produces the same result.

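I've just been running around Google, and I'm now getting to results that offer me executables to fix the corrupted system files that cause this (spoiler: they're almost certainly malware). So I think I need some guidance.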

How can I sign my XLL files without them being seen as "Tampered"?

0 answers:

No answers
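
Added example, not part of the original question: a small Python parser for Trust Center log entries in the format shown in the question, which lists every blocked add-in together with the symbolic name of its error code. The second sample entry and its field values are constructed for illustration; the HRESULT names come from winerror.h.

```python
import re

# Symbolic names of common WinVerifyTrust results (winerror.h).
TRUST_ERRORS = {
    0x80096001: "TRUST_E_SYSTEM_ERROR",
    0x80096010: "TRUST_E_BAD_DIGEST",
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
}

# Constructed sample. Entry 1 copies the fields shown in the question;
# entry 2 (path, status and decision values) is assumed for illustration.
SAMPLE_LOG = r'''---
Content Type: Add-in DLL
Binary: "C:\development\out\AddIn.xll"
Certificate: Us
Certificate Status: Tampered
Trust Center Decision: Block Content
Error Code: 80096001
---
Content Type: Add-in DLL
Binary: "C:\example\Other.xll"
Certificate Status: Valid
Trust Center Decision: Allow Content
'''

def parse_entries(text):
    """Split the log on '---' separator lines into dicts of 'Key: Value' fields."""
    entries = []
    for chunk in re.split(r"(?m)^---[ \t]*$", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so paths survive
            if sep and key.strip():
                fields[key.strip()] = value.strip().strip('"')
        if fields:
            entries.append(fields)
    return entries

def blocked_addins(text):
    """Return one finding per entry that the Trust Center blocked."""
    findings = []
    for e in parse_entries(text):
        if e.get("Trust Center Decision") != "Block Content":
            continue
        raw = e.get("Error Code", "")
        code = int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw) else None
        findings.append({"binary": e.get("Binary"), "status": e.get("Certificate Status"),
                         "error": raw, "meaning": TRUST_ERRORS.get(code, "unknown")})
    return findings
```
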