Why does signtool.exe only find certificate when run as admin?

Problem description

I'm setting up a new development laptop, and have installed a self-issued code signing certificate. I can see it in certmgr under my Current User's Personal Certificates.

When I try to build from the Developer Command Prompt For Visual Studio 2017 I get:
error : SignTool Error: No certificates were found that met all the given criteria.

This always worked fine on my old laptop.

I have found if I run the same build from the command prompt after starting it as admin that signtool succeeds and can find the cert.

This has happened to 3/4 colleagues when we've set up new laptops. One guy is ok and can sign without running as admin. On our old laptops we never had to run as admin.

I've tried googling to find what could be the cause because I wasn't aware that running as admin or not should have any effect on this. I haven't found any reference to this problem.

How can we use signtool.exe without running it as admin?

When not running as admin it appears to be at the Private Key filter step where the cert I'm expecting to be selected gets filtered out:

**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.9.12
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************

C:\>signtool sign /v /debug /ph  /i "<issuedby>"  /fd sha256 /td sha256 "C:\TestSign.dll"

The following certificates were considered:
    Issued to: Scott Langham
    Issued by: <issuedby>
    Expires:   Sun Sep 25 09:54:55 2022
    SHA1 hash: <a_hash>

    Issued to: Scott Langham
    Issued by: <issuedby_somethingelse>
    Expires:   Wed May 13 15:51:14 2020
    SHA1 hash: <b_hash>

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Issuer Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

I've ensured the version of signtool.exe I'm using is the same as the one that my colleague who has this working is using (10.0.18362.1). I've been able to spot any other differences between our systems.

Recommended answer

I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.

  • Run 'mmc' and add the 'Certificates' snap-in
  • Select the correct key store location
    • (mine is in Local Computer so I select 'Computer account' here)
  • In the 'Private Key Permissions' dialog, add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.
  • Note: If you use a build machine, do the above steps for the account that performs the builds.
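
The permission that the 'Private Key Permissions' dialog edits can also be inspected from a script. The following PowerShell is an added example, not part of the original answer: it assumes a software-stored RSA key in the default Windows key directories, and it grants Read rather than Full Control on the assumption that signing only needs read access to the key. `$Thumbprint`, `$Account` and `-GrantRead` are names chosen for this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,           # SHA1 hash as printed by signtool /debug
    [string] $Account = "$env:USERDOMAIN\$env:USERNAME",   # account that runs the build
    [switch] $GrantRead                                    # without this switch the script only reports
)

# The question's certificate was under Current User, the answer's under Local Computer: check both.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My or LocalMachine\My." }
"Store         : $($cert.PSParentPath)"
"HasPrivateKey : $($cert.HasPrivateKey)"

# Resolve the on-disk name of the key container (CNG or legacy CSP). Assumes an RSA key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "No RSA private key is associated with this certificate." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Default locations of software key files (assumption: the key is not on a token or TPM).
$dirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
        "$env:ProgramData\Microsoft\Crypto\Keys",
        "$env:APPDATA\Microsoft\Crypto\RSA",
        "$env:APPDATA\Microsoft\Crypto\Keys"
$keyFile = Get-ChildItem -Path $dirs -Recurse -Force -Filter $keyName -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the default key directories." }
"Key file      : $($keyFile.FullName)"

# Who can currently use the key? An account missing here is filtered out at the Private Key step.
$acl = Get-Acl -Path $keyFile.FullName
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

if ($GrantRead) {
    # Least privilege: Read instead of the Full Control used in the answer.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    "Granted Read on the private key to $Account"
}
```

Run it once without `-GrantRead` to see the current access list, and review which accounts appear before changing anything on a shared build machine.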
