如何验证已正确签名的时间戳记 [英] How to verify that timestamping is done correctly for signed code

问题描述

我刚刚从StartSSL获得了代码签名证书，并正在尝试对我们的安装程序进行签名.

I have just got my code signing certificate from StartSSL and am trying to sign our installer.

签名过程进行顺利，我得到了Windows不再抱怨来自未知发行商的安装程序exe.太好了！

The signing process goes well and I get an installer exe that Windows no longer complains about being from unknown publisher. This is great!

但是，我试图确保时间戳也能像广告中一样工作，所以我将代码签名证书的有效日期后的PC日期移到了2012年.

However I tried to make sure that the timestamping also works as advertised so I moved my PC date to 2012, after my code signing certificate expiration date.

这应该没有什么区别，但是当我运行相同的安装程序exe时，我现在收到相同的讨厌的未知发行者"警告.

This supposedly should not make any difference but when I run the same installer exe I now get the same nasty "unknown publisher" warning.

查看数字签名"选项卡中exe的属性，我可以肯定地看到时间戳显示了今天(2010年)，但这似乎根本没有帮助.

Looking at the properties of the exe in the Digital Signatures tab I can definitely see that the timestamp shows today (2010) but this does not seem to help at all.

Google搜索没有给我任何好处，只是如果您在时间戳记"字段中看到日期，则一切正常.我无法相信这一点，我的高级PC抱怨它不正常.

Googling gave me nothing except that if you see the date in the Timestamp field then all is OK. I cannot believe this, my PC with advanced date complains that it is not OK.

有人知道这个带有时间戳记的概念是否完全可行，以及如何确保我正确地签署了可执行文件?

Does anyone know if this timestamping concept works at all and how to make sure I am signing the executable correctly?

谢谢.

推荐答案

由StartSSL颁发的代码签名证书包含增强的密钥用法(EKU)属性生命周期签名"(1.3.6.1.4.1.311.10.3.13)，这会导致证书过期时文件签名失效，而与任何时间戳无关.

The code-signing certificates issued by StartSSL contain the enhanced key usage (EKU) attribute "Lifetime Signing" (1.3.6.1.4.1.311.10.3.13), which causes the file signatures to expire when the certificate expires, regardless of any timestamps.

这篇关于如何验证已正确签名的时间戳记的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！