How does one correctly dual-sign code with a timestamp?

Question

I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:

:: Signs with the SHA-1 certificate
signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
:: Signs with the SHA-2 certificate
signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe

This fails with the error:

Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
        The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: my_app_here.exe

If I remove the timestamp URL from the second command, the signing completes successfully, but the SHA-2 signature has no timestamp. (Whether or not I put a timestamp on the first signature has no effect)

The intent here is to allow someone to verify the app with the stronger certificate if they are on an operating system that supports this, but to avoid failing validation on operating systems that don't support the stronger certificates (Vista, XP).

Is this kind of thing even possible?

Recommended answer

SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.

The RFC 3161 URL for Symantec/Verisign is:

http://sha256timestamp.ws.symantec.com/sha256/timestamp

If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.

Source:

https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820
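
The batch script below is an added example, not part of the original question or answer. It shows one way to apply the answer to the two commands from the question: the appended SHA-256 signature uses the RFC 3161 URL with signtool's /tr and /td options instead of /t, and every signature is verified afterwards. It assumes a signtool version on PATH that supports /as, /fd, /tr and /td, and it reuses the thumbprints, file name and timestamp URLs quoted in the post.

```batch
@echo off
setlocal

:: Added example. Values below are the ones quoted in the post; replace as needed.
set "FILE=my_app_here.exe"
set "SHA1_CERT=8f52fa9db30525dfabb35b08bd1966693a30eccf"
set "SHA2_CERT=8b0026ecbe5bf245993b26e164f02e1313579e47"
set "TS_LEGACY=http://timestamp.verisign.com/scripts/timestamp.dll"
set "TS_RFC3161=http://sha256timestamp.ws.symantec.com/sha256/timestamp"

:: /sha1 only selects the certificate by its thumbprint; the digest algorithm
:: used for the file is chosen separately with /fd.

:: 1) Primary signature for older systems: SHA-1 file digest,
::    legacy Authenticode timestamp requested with /t.
signtool sign /sha1 %SHA1_CERT% /fd sha1 /t "%TS_LEGACY%" "%FILE%"
if errorlevel 1 goto :fail

:: 2) Appended signature (/as): SHA-256 file digest, RFC 3161 timestamp
::    requested with /tr, and SHA-256 as the timestamp digest (/td).
signtool sign /sha1 %SHA2_CERT% /as /fd sha256 /tr "%TS_RFC3161%" /td sha256 "%FILE%"
if errorlevel 1 goto :fail

:: 3) Verify all signatures in the file (/all) against the default
::    Authenticode policy (/pa); /v prints each signature and its timestamp.
signtool verify /pa /all /v "%FILE%"
if errorlevel 1 goto :fail

echo Dual signing and verification succeeded.
exit /b 0

:fail
echo Signing or verification failed for %FILE%. 1>&2
exit /b 1
```

In the verbose verify output, check that both signatures list a timestamp; a signature without one stops validating once its certificate expires.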