Reading multiple signatures from an executable

I am trying to write code that reads the signatures (certificates) from a DLL or EXE. Most DLLs and EXEs have only one signature, and my code correctly reads all certificates associated with that signature. More specifically, it reads the signing certificate and its issuer (not the root), and the countersigning (timestamp) certificate and its issuer (not the root). I have two sample programs, one in C++ and one in C#, and both return the same certificates. Here is the C# code; the C++ one is long :)

    using System.Security.Cryptography.X509Certificates;

    class Program
    {
        static void Main(string[] args)
        {
            // Import() on a signed PE file loads the certificates of the primary signature
            X509Certificate2Collection collection = new X509Certificate2Collection();
            collection.Import(args[0]);
        }
    }
But there are also DLLs with two signatures, as shown under the DLL's file Properties / Digital Signatures, for example C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\msvcr71.dll:
For this DLL my code reads only the certificates associated with the first signature.
I also tried signtool, and it returns the same information as my code: the first cert (with its chain) and the countersignature (with its chain). But note the error at the end.
C:\Windows>signtool verify /d /v "C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\msvcr71.dll"
Verifying: C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\msvcr71.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 33BBCCF6326276B413A1ECED1BF7842A6D1DDA07
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority
Issued by: Microsoft Root Certificate Authority
Expires: Sun May 09 19:28:13 2021
SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
Issued to: Microsoft Code Signing PCA
Issued by: Microsoft Root Certificate Authority
Expires: Wed Jan 25 19:32:32 2017
SHA1 hash: FDD1314ED3268A95E198603BA8316FA63CBCD82D
Issued to: Microsoft Corporation
Issued by: Microsoft Code Signing PCA
Expires: Fri Feb 01 18:49:17 2013
SHA1 hash: 8849D1C0F147A3C8327B4038783AEC3E06C76F5B
The signature is timestamped: Sat Feb 11 14:03:12 2012
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority
Issued by: Microsoft Root Certificate Authority
Expires: Sun May 09 19:28:13 2021
SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
Issued to: Microsoft Time-Stamp PCA
Issued by: Microsoft Root Certificate Authority
Expires: Sat Apr 03 09:03:09 2021
SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA
Expires: Thu Oct 25 16:42:17 2012
SHA1 hash: FC33104FAE31FB538749D5F2D17FA0ECB819EAE5
SignTool Error: The signing certificate is not valid for the requested usage.
This error sometimes means that you are using the wrong verification
policy. Consider using the /pa option.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
I have two questions:
- what is the purpose of the second signature?
- how can I read it (so far only the Windows Explorer file properties dialog can display it)?
Thanks!
The reason you see those dual signatures is that [Microsoft is deprecating](http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx) SHA-1 signatures because of SHA-1's [insufficient collision resistance](http://crypto.stackexchange.com/questions/845/what-is-wrong-with-using-sha1-in-digital-signatures-why-is-a-robust-hash-functi). They are left in today for backward compatibility. – ahmd0
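As an added example (not the asker's code or signtool's), the C# program below reads the PE certificate table, decodes the primary PKCS#7 signature with SignedCms, and then follows the nested-signature unsigned attribute (szOID_NESTED_SIGNATURE, 1.3.6.1.4.1.311.2.4.1) that Authenticode uses to carry the second signature. It assumes .NET Framework on Windows and a PE file with at least one embedded signature.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.Pkcs;

class NestedSignatures
{
    // szOID_NESTED_SIGNATURE: unsigned attribute carrying additional Authenticode signatures
    const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";

    // Locate the PE Certificate Table (data directory entry 4) and return the
    // PKCS#7 SignedData of the first WIN_CERTIFICATE entry.
    static byte[] ReadPkcs7(string path)
    {
        byte[] pe = File.ReadAllBytes(path);
        int peHeader = BitConverter.ToInt32(pe, 0x3C);                   // e_lfanew
        int optHeader = peHeader + 4 + 20;                                // "PE\0\0" + COFF header
        bool pe32Plus = BitConverter.ToUInt16(pe, optHeader) == 0x20B;    // optional header magic
        int dataDirs = optHeader + (pe32Plus ? 112 : 96);                 // start of data directories
        int certOffset = BitConverter.ToInt32(pe, dataDirs + 4 * 8);      // entry 4: file offset
        int certSize = BitConverter.ToInt32(pe, dataDirs + 4 * 8 + 4);
        if (certOffset == 0 || certSize == 0)
            throw new InvalidDataException("file carries no Authenticode signature");
        int length = BitConverter.ToInt32(pe, certOffset);                // WIN_CERTIFICATE.dwLength
        byte[] pkcs7 = new byte[length - 8];                              // skip dwLength, wRevision, wCertificateType
        Array.Copy(pe, certOffset + 8, pkcs7, 0, pkcs7.Length);
        return pkcs7;
    }

    // Print the signer of this SignedData, then recurse into every nested signature.
    static void PrintAllSigners(byte[] pkcs7, int index)
    {
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            Console.WriteLine("Signature Index: {0}  Subject: {1}  Digest: {2}",
                index, signer.Certificate.Subject, signer.DigestAlgorithm.FriendlyName);
            foreach (CryptographicAttributeObject attr in signer.UnsignedAttributes)
            {
                if (attr.Oid.Value != NestedSignatureOid) continue;
                foreach (AsnEncodedData nested in attr.Values)      // each value is a full PKCS#7 ContentInfo
                    PrintAllSigners(nested.RawData, index + 1);
            }
        }
    }

    static void Main(string[] args)
    {
        PrintAllSigners(ReadPkcs7(args[0]), 0);
    }
}
```

On a dual-signed file this lists index 0 (the SHA-1 primary signature) and index 1 (the nested SHA-256 signature); the timestamp countersignature stays inside each signer's other unsigned attributes.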