我需要使用存储在company.pfx中的证书签署Application.exe文件。所以,我用signtool:Thawte证书中的“签名中的证书无法验证”
signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
signtool说没有错误。但在数字签名详情中有一条消息“签名中的证书无法验证。”并且没有认证路径。
在详细信息中有一个属性“扩展错误信息”,表示“吊销状态:由于吊销服务器已脱机,吊销功能无法检查吊销。”
探讨我已经在应用程序中使用sigcheck(-a键)的问题,它说:“验证:证书链无法建立到受信任的根证书颁发机构”
然后我已经将pfx文件导入reporitory,看起来证书没问题。
我搜索计算器关于我的话题,并发现了一些链接,它可以帮助。
How to create PFX with my chain of certificates?
How can I sign an ActiveX control with a code signing certificate and be a verified publisher?
解决方法是提取物(使用OpenSSL)从PFX证书,并使用/ AC参数
openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe
The following certificate was selected:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Cross certificate chain (using machine store):
Issued to: thawte Primary Root CA
Issued by: thawte Primary Root CA
Expires: Thu Jul 17 02:59:59 2036
SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81
Issued to: Thawte Code Signing CA - G2
Issued by: thawte Primary Root CA
Expires: Sat Feb 08 02:59:59 2020
SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
Done Adding Additional Store
Successfully signed and timestamped: Application.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
现在数字安全细节的消息是运用它的”数字签名确定。“
但我不明白为什么我需要使用/ ac参数。有没有人有任何想法?
编辑。
我已经验证的应用程序的第一个版本(无/ AC)与Application.exe,它给了我更多的信息:
signtool.exe verify /v /kp Application.exe
Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7
Signing Certificate Chain:
Issued to: Company, Inc.
Issued by: Thawte Code Signing CA - G2
Expires: Wed Aug 27 02:59:59 2014
SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D
The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
Issued to: Thawte Timestamping CA
Issued by: Thawte Timestamping CA
Expires: Fri Jan 01 02:59:59 2021
SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656
Issued to: Symantec Time Stamping Services CA - G2
Issued by: Thawte Timestamping CA
Expires: Thu Dec 31 02:59:59 2020
SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Issued to: Symantec Time Stamping Services Signer - G4
Issued by: Symantec Time Stamping Services CA - G2
Expires: Wed Dec 30 02:59:59 2020
SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
“证书链无法建立到受信任的根证书颁发机构“。但是为什么?
同一问题 http://stackoverflow.com/questions/6575424/how-to-include-entire-certification-path-when-signing-code-with-signtool – cctor