代码签名时是否/如何避免SHA-1签名的时间戳? [英] Whether/how to avoid SHA-1 signed timestamp when code signing?

问题描述

我们刚刚从SHA-1切换为SHA-2代码签名证书.(作为背景信息，我们使用COMODO代码签名证书在Windows上使用signtool.exe对.exe和.xap文件进行签名.)我们使用经过认证的时间戳进行此操作，以确保Windows在代码签名证书之后继续信任代码签名.到期.

现在，当使用http://timestamp.comodoca.com/authenticode .(详细信息:它是df946a5 ...，主题为"CN = COMODO时间戳签名者，O = COMODO CA Limited，L = Salford，S =大曼彻斯特，C = GB".)

(在Windows上，可以通过签名的.exe查看该证书，然后在其浏览器属性"对话框中转到数字签名"选项卡，选择签名，然后单击详细信息"，然后在数字签名详细信息"对话框中单击计数器签名，然后单击详细信息"，然后在第二个数字签名详细信息"对话框中单击查看证书".如果其签名哈希算法"为"sha1"，则该证书为SHA-1证书.)

会出现问题吗?换句话说，在我们当前的代码签名证书过期之后，并且在Microsoft Windows将SHA-1视为损坏的算法之后(最晚在2020年)，我们当前的签名仍会被信任吗?还是Windows会说:时间戳在代码签名证书的有效范围内，但是时间戳是使用SHA-1证书签名的，所以我将不信任该时间戳，因此将不信任此签名"?

还有其他我们可以/应该使用的服务吗?(不是Verisign的 http://timestamp.verisign.com/scripts/timstamp.dll ，因为他们仍然使用SHA-1时间戳证书，也就是6543992 ...)

解决方案

此文章描述了如何使用时间戳URL http:/获得SHA-256时间戳证书./timestamp.globalsign.com/?signature=sha2 .或者，请参见此时间戳服务器列表，您也可以使用.

signtool /td 标志也很重要(且文献记载不充分).

这样签名:

signtool标志/fd SHA256/tr http://timestamp.globalsign.com/?signature=sha2/td SHA256/a filename.exe

使用SHA-256签名哈希算法生成带有代码签名证书和时间戳证书的可执行文件.

We just switched from a SHA-1 to a SHA-2 code signing certificate. (As background info, we sign .exe and .xap files on Windows with signtool.exe, using COMODO code signing certificates.) We do this using a certified timestamp, to make sure that Windows keeps trusting the code signature after the code signing certificate expires.

Now I noticed that the timestamp certificate is still a SHA-1 certificate, when using http://timestamp.comodoca.com/authenticode. (Details: It is df946a5... with Subject 'CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford, S=Greater Manchester,C=GB'.)

(On Windows one can see that certificate by taking a signed .exe, then in its Explorer Properties dialog go to the Digital Signatures tab, select the signature and click Details, then in the Digital Signature Details dialog click the counter signature and click Details, then in the second Digital Signature Details dialog click on View Certificate. The certificate is a SHA-1 certificate if its 'Signature hash algorithm' is 'sha1'.)

Will this be a problem? In other words, after our current code signing certificate has expired, and after Microsoft Windows treats SHA-1 as a broken algorithm (which is in 2020 at the latest), will our current signatures still be trusted? Or will Windows say, "The timestamp is within the code signing certificate's validity range, but the timestamp was signed with a SHA-1 certificate, so I will not trust the timestamp, and therefore I won't trust this signature"?

Is there another service we can/should use? (Not Verisign's http://timestamp.verisign.com/scripts/timstamp.dll, since they also still use a SHA-1 time stamping certificate, viz. 6543992...)

解决方案

Since 1/1/2017, you can no longer use SHA-1 on Windows 7 and later (if timestamped after 1/1/2016).

This article describes how to obtain a SHA-256 timestamp certificate, using the timestamp URL http://timestamp.globalsign.com/?signature=sha2. As an alternative, see this list of timestamp servers which you can also use.

The signtool /td flag is also important (and poorly documented).

Signing like this:

signtool sign /fd SHA256 /tr http://timestamp.globalsign.com/?signature=sha2 /td SHA256 /a filename.exe

results in an executable with a code sign certificate and timestamp certificate with SHA-256 signature hash algorithm.

这篇关于代码签名时是否/如何避免SHA-1签名的时间戳?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！