使用signtool对CAB文件进行签名不再起作用(签名者的证书对签名无效) [英] Signing CAB file with signtool not working any more (The signer's certificate is not valid for signing)

问题描述

几个月前，我能够使用我在服务器上创建的测试证书成功签署了CAB文件.这是我已采取的步骤:

Few month ago a was able to successfully sign CAB file with test certificate I have created on my server. Here are the steps I have taken:

makecert.exe -sv"Demo.pvk" -n"CN = Demo Company，E = demo @ gmail.com""Demo.cer"

makecert.exe -sv "Demo.pvk" -n "CN=Demo Company,E=demo@gmail.com" "Demo.cer"

cert2spc.exe"Demo.cer""Demo.spc"

cert2spc.exe "Demo.cer" "Demo.spc"

pvk2pfx.exe -pvk"Demo.pvk" -pi"pvk_password" -spc"Demo.spc" -pfx"Demo.pfx" -po"pfx_password"

pvk2pfx.exe -pvk "Demo.pvk" -pi "pvk_password" -spc "Demo.spc" -pfx "Demo.pfx" -po "pfx_password"

signtool.exe标志/f"Demo.pfx"/p"pfx_password"/v"D:\ Setup.cab"

signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "D:\Setup.cab"

所有步骤均成功完成，但最后一个带有signtool的步骤返回:签名者的证书对签名无效". 我已经在网上进行了有关此错误的研究，但实际上并没有解决我的问题.通常会创建此错误，因为pfx已过期，但是这里不是这种情况.我已成功将证书导入本地证书存储，并检查了其有效性.

All the steps are successfull except the last one with signtool that returns: "The signer's certificate is not valid for signing". I have done the research on web about this error but nothing did actualy solved my problem. This error is usualy created because pfx has expired but this is not the case here. I have successfully imported certificate to local cert store and checked it's validity.

为什么即使重新创建，我也不能再用pfx对CAB进行签名? 是否有一些Windows Update负责此更改?

Why I am not able to sign CAB with my pfx any more even if I recreate it? Is there some windows update responsible for this change?

我愿意接受使用命令提示符使用pfx对CAB进行签名的任何其他方式的建议.

I am open to suggestions for any other way to sign CAB with pfx using command prompt.

推荐答案

我设法破解了这一点，并用测试证书对CAB进行了签名.

I have managed to crack this nut and signed CAB with test certificate.

首先，我通过添加代表自签名的-r参数更改了makecert调用:

First I have changed makecert call by adding -r parameter that stands for self-signing:

makecert.exe -sv "Demo.pvk" -n "CN=Gregor Primar SP,E=gprimar@gmail.com" "Demo.cer" -r

下一步是使用makecert创建pfx，不再使用pvk2pfx:

Next step was creating pfx using makecert not pvk2pfx any more:

makecert -sk GpSolutionsKey -iv "Demo.pvk" -n "CN=Gregor Primar SP" -ic "Demo.cer" -sr currentuser -ss my -sky signature -pe

这还将pfx导入到用户证书存储区(-sr currentuser).

This also imports pfx to user cert store (-sr currentuser).

然后，我打开了mmc并添加了证书管理单元(我的用户帐户).选择个人证书并导出到光盘.

Then I have opened mmc and add Certificates snap-inn (my user account). Selected personal certificate and exported to disc.

最后一步是使用以下命令进行签名:

The last step was signing using following command:

signtool.exe sign /f "Demo.pfx" /p "pfx_password" /v "d:\Setup.cab"

Setup.cab已成功与Demo.pfx签名！

And Setup.cab was successfully signed with Demo.pfx!

这篇关于使用signtool对CAB文件进行签名不再起作用(签名者的证书对签名无效)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！