
I'm having trouble creating a detached PKCS#7 signature for a Zip file with Windows' signtool.exe

I managed to sign an exe file with an embedded signature, but I'm struggling with the command for signing a Zip file with a detached signature. I'm probably missing something obvious...

PS C:\somewhere> Get-ChildItem -path cert:\LocalMachine\My


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint         Subject
----------         -------
0ABCD...01234      CN=my-signing-cert.example.com, OU=(obfuscated), O=(obfuscated)...



PS C:\somewhere> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /debug /v /tr http://timestamp.digicert.com /fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\test-tiny-zip-file.zip.sig" "C:\somewhere\test-zip-file.zip"


The following certificates were considered:
    Issued to: my-signing-cert.example.com
    Issued by: my-ca-cert.example.com
    Expires:   Wed Mar 23 15:33:34 2022
    SHA1 hash: 0ABCD...01234

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Hash filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: my-signing-cert.example.com
    Issued by: my-ca-cert.example.com
    Expires:   Wed Mar 23 15:33:34 2022
    SHA1 hash: 0ABCD...01234

Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: pkcs7 sign." (-2147024893/0x80070003)


1 Answer


The problem is in the /p7 parameter. It expects the path of a folder, not the path of a file.

/p7 Path: Specifies that a Public Key Cryptography Standards (PKCS) #7 file is produced for each specified content file. PKCS #7 files are named path\filename.p7.

Also:

  • The /p7ce parameter can take either of the following two values: DetachedSignedData or pkcs7DetachedSignedData, for a detached signature.
  • The /p7co parameter takes the value 1.2.840.113549.1.7.2, which maps to the RSA signature RFC.

& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" `
    sign /debug /v /tr http://timestamp.digicert.com `
    /fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData `
    /p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\" `
    "C:\somewhere\test-zip-file.zip"

answered 2021-09-09T19:16:03.480
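A detached signature is only useful if the consumer can check it against the exact bytes it was made for, so the step after signing is verification. The following PowerShell function is an added example, not part of the question or the answer above: it verifies a detached PKCS#7 blob against its content file using .NET's SignedCms class (Windows PowerShell 5.1 loads it from the System.Security assembly). It assumes the corrected signtool command wrote its output next to the zip under the documented path\filename.p7 naming rule, i.e. C:\somewhere\test-zip-file.zip.p7; the function name Test-DetachedPkcs7Signature and both file paths are assumptions for this example.

```powershell
# Added example (not from the question or the answer): verify a detached PKCS#7
# signature produced by signtool's /p7ce DetachedSignedData option.
# Assumption: Windows PowerShell 5.1, where SignedCms lives in System.Security.
Add-Type -AssemblyName System.Security

function Test-DetachedPkcs7Signature {
    param(
        [Parameter(Mandatory)][string]$ContentPath,    # the file that was signed (the zip)
        [Parameter(Mandatory)][string]$SignaturePath   # the .p7 written into the /p7 folder
    )

    $content   = [System.IO.File]::ReadAllBytes($ContentPath)
    $signature = [System.IO.File]::ReadAllBytes($SignaturePath)

    # Detached mode: the CMS blob carries no content of its own, so the content
    # bytes are supplied here. If the zip was modified after signing, the digest
    # in the SignerInfo will no longer match and CheckSignature throws.
    $contentInfo = [System.Security.Cryptography.Pkcs.ContentInfo]::new($content)
    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new($contentInfo, $true)
    $cms.Decode($signature)

    $valid  = $false
    $reason = $null
    try {
        # $false = verify the signature AND build and validate the signer's
        # certificate chain against the local trust stores. Pass $true to check
        # only the cryptographic signature (useful when diagnosing chain issues).
        $cms.CheckSignature($false)
        $valid = $true
    } catch {
        $reason = $_.Exception.Message
    }

    [pscustomobject]@{
        Content         = $ContentPath
        Signature       = $SignaturePath
        Valid           = $valid
        Reason          = $reason
        ContentType     = $cms.ContentInfo.ContentType.Value   # 1.2.840.113549.1.7.1 (data)
        Signers         = ($cms.SignerInfos | ForEach-Object { $_.Certificate.Subject }) -join '; '
        DigestAlgorithm = ($cms.SignerInfos | ForEach-Object { $_.DigestAlgorithm.FriendlyName }) -join '; '
    }
}

# Usage with the file names from the answer; the .p7 name follows signtool's
# path\filename.p7 rule for a content file called test-zip-file.zip.
Test-DetachedPkcs7Signature -ContentPath   'C:\somewhere\test-zip-file.zip' `
                            -SignaturePath 'C:\somewhere\test-zip-file.zip.p7'
```

The DigestAlgorithm field should report sha256, matching the /fd sha256 given to signtool; a different value means the signature was produced with other options than expected. Running the function against a copy of the zip with a single appended byte is a quick way to confirm that the check really binds the signature to the content rather than merely parsing the blob.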