11

我正在尝试解析 WiX RemotePayload 哈希,但我不确定如何CertificatePublicKey找到该属性。

例如,来自 WiX 3.6 源的 .NET 4.0 包定义:

  <Fragment>
    <util:RegistrySearchRef Id="NETFRAMEWORK40"/>

    <WixVariable Id="WixMbaPrereqPackageId" Value="NetFx40Redist" />
    <WixVariable Id="WixMbaPrereqLicenseUrl" Value="$(var.NetFx40EulaLink)" />

    <PackageGroup Id="NetFx40Redist">
      <ExePackage
          InstallCommand="/q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          RepairCommand="/q /norestart /repair /ChainingPackage &quot;[WixBundleName]&quot;"
          UninstallCommand="/uninstall /q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          PerMachine="yes"
          DetectCondition="NETFRAMEWORK40"
          Id="NetFx40Redist"
          Vital="yes"
          Permanent="yes"
          Protocol="netfx4"
          DownloadUrl="$(var.NetFx40RedistLink)"
          Compressed="no"
          Name="redist\dotNetFx40_Full_x86_x64.exe">
        <RemotePayload
            Size="50449456"
            Version="4.0.30319.1"
            ProductName="Microsoft .NET Framework 4"
            Description="Microsoft .NET Framework 4 Setup"
            CertificatePublicKey="672605E36DD71EC6B8325B91C5FE6971390CB6B6"
            CertificateThumbprint="9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F"
            Hash="58DA3D74DB353AAD03588CBB5CEA8234166D8B99"/>
      </ExePackage>
    </PackageGroup>
  </Fragment>

来自wix36-sources\src\ext\NetFxExtension\wixlib\NetFx4.wxs

我可以找到 sha1 Hash...fciv -sha1 dotNetFx40_Full_x86_x64.exe

58da3d74db353aad03588cbb5cea8234166d8b99 dotnetfx40_full_x86_x64.exe

CertificateThumbprint我可以通过文件的属性对话框轻松找到匹配项,或者使用signtool它显示以下输出

C:\redist>signtool verify /v /ph dotNetFx40_Full_x86_x64.exe

Verifying: dotNetFx40_Full_x86_x64.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 8E8582D10521962F45F33935C38A2412C4F2D4C7

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Aug 25 03:00:00 2012
        SHA1 hash: 3036E3B25B88A55B86FC90E6E9EAAD5081445166

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Mon Mar 07 18:40:29 2011
            SHA1 hash: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F

The signature is timestamped: Thu Mar 18 21:13:46 2010
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Sep 15 03:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Thu Jul 25 15:11:15 2013
            SHA1 hash: 4D6F357F0E6434DA97B1AFC540FB6FDD0E85A89F

SignTool Error: The signing certificate is not valid for the requested usage.
        This error sometimes means that you are using the wrong verification
        policy. Consider using the /pa option.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

什么工具可以提供哈希CertificatePublicKey

编辑:不使用热量,我想了解哈希的来源。

编辑:我知道这是如何在 WiX 源代码中完成的并且我可以执行
heat payload file -out file.wxs,但我正在寻找一些可以在不使用热量的情况下提供预期哈希的外部工具。这真的只是为了满足我的好奇心。

4

2 回答 2

17

如果您查看 heat 工具的源代码,它使用该Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo函数生成CertificatePublicKey.

byte[] publicKeyIdentifierHash = new byte[128];
uint publicKeyIdentifierHashSize = (uint)publicKeyIdentifierHash.Length;

Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo(
    certificate.Handle, 
    publicKeyIdentifierHash, 
    ref publicKeyIdentifierHashSize);

StringBuilder sb = new StringBuilder(((int)publicKeyIdentifierHashSize + 1) * 2);
for (int i = 0; i < publicKeyIdentifierHashSize; ++i)
{
    sb.AppendFormat("{0:X2}", publicKeyIdentifierHash[i]);
}

this.PublicKey = sb.ToString();

您显然可以使用此代码生成指纹,或者根据公钥指纹上的 wiki 页面,您也可以使用命令行

ssh-keygen -lf /path/to/key.pub

问题是从证书生成一个符合RFC4716的 ssh-keygen pub 文件,这就是我被难住的地方。

我个人只使用 heat 命令行:

heat.exe payload PATH_TO_FILE -o Output.wxs

并且不用担心它在工作时实际在做什么!:)

于 2012-09-19T10:15:22.547 回答
1

您可以在文件属性对话框中找到有关签名的所有信息:

  1. 在文件属性对话框中,单击签名选项卡。 文件属性

  2. 单击详细信息,然后单击“查看证书”。 查看证书

  3. 可以在“详细信息”选项卡上找到“公钥”等属性。 证书详情

  4. 如果您需要此公钥的散列,则可以使用标准散列工具通过使用“复制到文件”按钮并散列该文件来获取它。

    我错了,“复制到文件”不会导出选定的属性,而是导出整个证书。您可以将此值复制并粘贴到哈希程序或十六进制编辑器中以获取哈希。

于 2012-10-08T17:08:37.803 回答