SignTool不使用SHA256签名ClickOnce应用，仅使用SHA1 [英] SignTool Not Signing ClickOnce App Using SHA256, Only Uses SHA1

问题描述

我正在尝试对我的clickonce应用程序进行签名.我有一个使用SHA256的EV代码签名证书.问题是，当我使用post build命令对我的应用进行签名时，似乎正在使用SHA1而不是SHA256.这是输出窗口的片段:

I'm trying to sign my clickonce app. I have an EV code signing certificate that is using SHA256. The problem is that when I sign my app using the post build commands, it seems to be using SHA1 instead of SHA256. Here is a clip of the output window:

Running Code Analysis...
1>  Code Analysis Complete -- 0 error(s), 0 warning(s)
1>  The following certificate was selected:
1>      Issued to: Certificate Subject Name Here
1>  
1>      Issued by: DigiCert EV Code Signing CA (SHA2)
1>  
1>      Expires:   Thu Apr 14 06:00:00 2016
1>  
1>      SHA1 hash: HASH-HERE
1>  
1>  
1>  Done Adding Additional Store
1>  Successfully signed and timestamped: C:\Users\AnyBody\Documents\Visual Studio 2013\Projects\My Project\Project Folder\obj\x86\My Configuration\MyProgram.exe
1>  
1>  
1>  Number of files successfully Signed: 1
1>  
1>  Number of warnings: 0
1>  
1>  Number of errors: 0

这是我正在使用的构建后命令:

Here is the post build command I am using:

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe" sign /fd SHA256 /t "http://timestamp.digicert.com" /n "Certificate Subject Name Here" /v "$(ProjectDir)obj\x86\$(ConfigurationName)\$(TargetFileName)"

当我查看文件的属性时，可以看到MyProgram.exe.deploy附加了数字签名.

I can see that MyProgram.exe.deploy has the digital signature attached when I look at the file's properties.

运行signtool/verify时没有返回错误

There are no errors returned when i run signtool /verify

当我尝试启动该应用程序时，出现错误应用程序验证未成功.无法继续".

When I try to launch the app, I get the error "Application validation did not succeed. Unable to continue".

在错误消息的详细信息中，有以下行:

In the details of the error message, there is this line:

+ File, MyProgram.exe, has a different computed hash than specified in manifest.

打开并查看清单时，MyProgram.exe的哈希指定为SHA256

When I open and look at the manifest, the hash for MyProgram.exe is specified as SHA256

可能是什么问题?是什么使signtool拒绝使用SHA256?根据我的阅读，默认情况下应该使用SHA256.

What could be the problem? What is making signtool refuse to use SHA256? From what I've read, it should be using SHA256 by default.

我没有安装或重新安装Visual Studio，Windows sdk，所有已安装的.net库，都无济于事.

I have unistalled/reinstalled visual studio, windows sdk, all installed .net libraries to no avail.

我真的希望有人有主意...

I'm really hoping someone has some idea...

推荐答案

WPF应用程序是否存在此问题?如果是这样，则在AfterCompile目标中对可执行文件进行签名应该可以解决您的问题.那对我有用.

Are you having this issue with a WPF application? If so signing the executable in the AfterCompile target should resolve your problem. That worked for me.

对此有更多讨论:

显然，Phil使用PostBuild或 BeforePublish命令，当用户安装它时，他会感到恐惧 "exe的计算哈希与清单中指定的哈希不同" 错误.他发现使用AfterCompile可以解决问题.

Apparently when Phil signs his executable using PostBuild or BeforePublish commands, when the user installs it, he gets the dreaded "exe has a different computed hash than specified in the manifest" error. He found that using AfterCompile instead fixed the problem.

http://robindotnet.wordpress.com/2013/04/14/windows-8-and-clickonce-the-definitive-answer-revisited/

这篇关于SignTool不使用SHA256签名ClickOnce应用，仅使用SHA1的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！