如何使用signtool.exe在exe文件中嵌入哈希 [英] How to embed hash in exe file with signtool.exe

问题描述

我正在使用signtool.exe对exe文件进行签名. 我正在尝试将.pfx证书以及exe的签名哈希(使用openssl生成签名哈希)一起嵌入我的exe文件.我只能使用证书签名.但是我也需要将签名的哈希值嵌入exe中. signtool.exe符号/as 可能有帮助. /as 选项不需要任何参数，因此无法在此处传递我的哈希值.

I am using signtool.exe to sign exe file. I am trying to embed my exe file with the .pfx certificate along with the signed hash of exe(generated signed hash using openssl). I am able to sign only with certificate. But I need to embed the signed hash in the exe as well. Probably signtool.exe sign /as could help. /as option does not expect any argument so not able to pass my hash there.

有人可以帮助我用证书和哈希值对我的exe签名.

Could someone please help me sign my exe with certificate and hash.

谢谢

推荐答案

Windows 10 SDK附带的Signtool版本包括将签名的哈希值嵌入exe的功能.

The version of Signtool shipped with the Windows 10 SDK includes the capability to embed a signed hash into an exe.

从以下页面: https://vcsjones.com/2017/05/07/custom-authenticode -签名/

从Windows 10 SDK开始，提供了两个新的命令行开关dg和di.回想一下，始终对Authenticode的哈希执行签名. dg选项更改了signtool的行为，以输出摘要，您可以使用所需的任何内容进行签名.让我们在notepad.exe副本上尝试一下.

Starting in the Windows 10 SDK, two new command line switches are available, dg and di. Recall that a signature is always performed on a hash on Authenticode. The dg option changes signtool’s behavior to output a digest that you can sign using anything you’d like. Let’s try this on a copy of notepad.exe.

signtool sign /dg "C:\scratch\dir" /fd SHA256 /f public-cert.cer notepad.exe

这会将文件获取公共证书-没有密钥 公共证书您还可以使用/sha1选项指定一个 证书存储中的证书也只有一个公共密钥. 这将在"C:\ scratch \ dir"目录中输出一些文件.这 摘要是带有".dig"扩展名的摘要.该文件将具有 Base64编码摘要进行签名.接下来，使用您的自定义工具，对 使用证书的私钥进行摘要.您应该解码 如果签名API需要原始签名，则在签名之前进行Base64签名 二进制摘要.

This takes a file to a public certificate - there is no key in public-cert.cer. You could also use the /sha1 option to specify a certificate in the certificate store that also has only a public key. This will output a few files in the "C:\scratch\dir" directory. The digest is the one with the ".dig" extension. This file will have the Base64 encoded digest to sign. Next, using your custom tool, sign the digest with the private key for the certificate. You should decode the Base64 signature before signing if the signing API expects a raw binary digest.

接下来，在base64中对您的签名进行编码，并将其放置在 与摘要文件同名的"C:\ scratch \ dir"目录，带有 签名"扩展名.例如，"notepad.exe.dig.signed".

Next, encode your signature in base64 and place it in a file in the "C:\scratch\dir" directory with the same name as the digest file, with the "signed" extension. For example, "notepad.exe.dig.signed".

下一步是将签名摘要与其他 Authenticode签名以完成签名.

The next step is to ingest the signed digest along with the rest of the Authenticode signature to complete the signing.

signtool sign /di "C:\scratch\dir" notepad.exe

这将完成签名过程，我们现在拥有自己的签名 notepad.exe的副本.像以前一样完成签名的添加， 除了/as标志.

This will complete the signing process, and we now have our own signed copy of notepad.exe. Appending a signature is done just as before, except with the /as flag.

这为签名者使用非CSP/CNG提供了极大的灵活性 签名选项，或减轻签名过程的负担. Signtool现在可以 也可以使用/ds选项对纯摘要文件进行签名.如果你有一个 用于执行Authenticode签名的专用服务器，您现在可以使用 /dg，/ds，/di选项，因此只需要很小的文件即可 移动到签名服务器，而不是完全二进制文件 大.

This provides great flexibility for signers to use non CSP / CNG signing options, or offloading the signing process. Signtool can now also sign just a plain digest file using the /ds option. If you have a dedicated server for performing Authenticode signing, you can now use the /dg, /ds, /di options so that only a very small file needs to be moved to the signing server, instead of the entirely binary if they are large in size.

这篇关于如何使用signtool.exe在exe文件中嵌入哈希的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！