signtool无法使用时间戳双重签名SHA2和SHA1 [英] signtool failing to dual sign SHA2 and SHA1 with timestamps
问题描述
我们需要使用signtool.exe对SHA1和SHA2进行二进制双重签名,我们的证书支持256位SHA2.
We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.
使用Windows 8 SDK的signtool:
Using the Windows 8 SDK's signtool:
例如:
signtool.exe标志/as/fd sha256/t http://timestamp.verisign.com/scripts/timstamp.dll /f"certificate.pfx"/p XXXXXXX"file.dll"
signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"
(其中XXXXXXX是我们的证书密码)
(where XXXXXXX is our password for the certificate)
失败,并出现神秘错误:
fails with the cryptic error:
SignTool错误:SignedCode :: Sign返回错误:0x80070057 参数错误. SignTool错误:尝试签名时发生错误:file.dll
SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll
没有时间戳的签名有效,可以像SHA1或SHA256一样单独签名,但是我们需要双重签名,并且想象没有时间戳是不可以的.
Signing without a timestamp works, signing individually as SHA1 or SHA256 works, but we need to dual sign, and imagine not having a timestamp is a no no.
我尝试了32位和64位版本的signtool.exe,在Win7和Win8计算机上进行了尝试,并尝试使用命令行选项,但无济于事.以前有人打过这个问题吗?
I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?
推荐答案
我一直在尝试执行此操作,发现以下方法可以解决问题.此方法依赖于使用两个Authenticode证书,一个用于SHA-1,另一个用于SHA-256,以确保Windows Vista和Windows Server 2008将文件接受为有效文件,而这些文件不支持通过SHA-256证书进行签名即使使用SHA-1算法:
I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:
signtool.exe sign /sha1 SHA1_Thumprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
请注意,使用/sha1开关为每个签名步骤明确指定了SHA-1指纹,并且/as用于追加 SHA-256签名.否则,SHA-256签名将覆盖SHA-1签名.
Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.
我在此过程中发现的另一个难题是,只有DLL和EXE支持双重签名. MSI安装程序没有.
The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.
更新15年12月29日:
SHA-1/SHA-256指纹的格式为40个字符的十六进制大写字符串,没有空格.例如:
The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:
signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
更新了30/12/2015
要使用SHA-256证书但使用SHA-1哈希对MSI文件进行签名,请使用类似于以下命令:
To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:
signtool.exe sign /sha1 SHA256_Thumprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"
这篇关于signtool无法使用时间戳双重签名SHA2和SHA1的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
