Code signing with signtool fails due to private key filter


Problem description

While trying to sign an installer created by the company I am working for, I encountered an error which I have not been able to solve. I am using the same certificate which has been used on another machine (Win7) successfully in the same way for signing quasi the same installer. Anyway, on our Windows Server 2008, which is running CruiseControl.net, I tried to sign an installer with signtool.exe and it fails with the following error:

The following certificates were considered:
    Issued to: <our company>
    Issued by: <some ca>
    Expires:   <is valid>
    SHA1 hash: <...>

    Issued to: <...>
    Issued by: <...>
    Expires:   <...>
    SHA1 hash: <...>

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

I tried installing the certificate to different certificate stores, tried different versions of signtool.exe and tried to use the .cer file directly, but it made no difference. I am receiving the error mentioned above in all of the cases. I tried the following command line commands

signtool.exe sign /debug /n "MyCompany" C:\my\installer.exe
signtool.exe sign /debug /f C:\path\to\my\certificate.cer C:\my\installer.exe

but I left the /debug away in some cases. Is there anything I am doing wrong or missing?

Recommended answer

In order to sign a file you need to have the certificate's private key, which is not included in the *.cer file you copied from the Windows 7 machine. To export the certificate with its private key you can follow the instructions supplied here.

Do note that you'll only be able to export the private key if the certificate was set to allow exporting it when it was created (by passing -pe to makecert)
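
A way to see which certificate in the store is missing its private key, shown here as an added example that is not part of the original answer. The function name `Get-SigningCandidate` is hypothetical, the subject fragment `MyCompany` is taken from the question's `/n` argument, and the checks approximate the filters listed in the `/debug` output rather than reproduce signtool's own logic.

```powershell
# Added example (not from the original post): for each certificate in the
# personal stores, report checks that correspond to the filters shown by
# "signtool sign /debug" (EKU, expiry, subject name, private key).
function Get-SigningCandidate {
    param(
        # Assumption: subject fragment from the question's /n "MyCompany"
        [string]$SubjectLike = 'MyCompany',
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    foreach ($path in $StorePath) {
        foreach ($cert in @(Get-ChildItem -Path $path)) {
            # A certificate without an EKU extension is not restricted to any usage.
            $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
            $ekuOk = $true
            if ($eku) {
                $ekuOk = @($eku.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq $codeSigningOid }).Count -gt 0
            }
            New-Object PSObject -Property @{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                EkuOk         = $ekuOk
                NotExpired    = ($cert.NotAfter -gt $now)
                SubjectMatch  = ($cert.Subject -like "*$SubjectLike*")
                # False is what a certificate imported from a .cer file shows:
                # the public part is present, the private key is not.
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
}

Get-SigningCandidate |
    Format-Table Store, Subject, EkuOk, NotExpired, SubjectMatch, HasPrivateKey -AutoSize
```

Run it under the account that the build service uses, because `Cert:\CurrentUser` is per-account; signtool searches the user's `My` store unless `/sm` selects the machine store.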
