我需要使用存储在 company.pfx 中的证书对 Application.exe 文件进行签名。所以,我使用了signtool:
signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signtool 说没有错误。但是在数字签名详细信息中有一条消息“无法验证签名中的证书”。并且没有认证路径。
在详细信息中有一个属性“扩展错误信息”表示“吊销状态:吊销功能无法检查吊销,因为吊销服务器处于脱机状态。”
为了调查这个问题,我在应用程序上使用了 sigcheck(-a 密钥),它显示“已验证:无法将证书链构建到受信任的根授权”。
然后我已将 pfx 文件导入 repository,似乎证书没问题。
我已经搜索了有关我的主题的 stackoverflow 并找到了一些链接,这很有帮助。
如何使用代码签名证书对 ActiveX 控件进行签名并成为经过验证的发布者?
解决方案是从 pfx 中提取证书(使用 OpenSSL)并使用 /ac 参数应用它
openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Cross certificate chain (using machine store):
Issued to: thawte Primary Root CA
Issued by: thawte Primary Root CA
Expires: Thu Jul 17 02:59:59 2036
SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
Issued to: Thawte Code Signing CA - G2
Issued by: thawte Primary Root CA
Expires: Sat Feb 08 02:59:59 2020
SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: Application.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
现在数字安全详细信息中的消息是“数字签名正常”。
但我不明白为什么我需要使用 /ac 参数。有没有人有任何想法?
已编辑。
我已经使用 Application.exe 验证了应用程序的第一个版本(没有 /ac),它为我提供了更多信息:
signtool.exe verify /v /kp Application.exe
Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7
Signing Certificate Chain:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
“无法将证书链构建到受信任的根机构。” 但为什么?