Digital signature timestamp "not available" on XP/Vista, causing verification failure



Background

I have a WiX/Burn installation bundle which, among other things, installs the ReportViewer 2012 Runtime. When run on a Windows 7 or later machine, it works fine. On XP (SP3) or Vista (SP1) it fails.

Now, checking the download page for the ReportViewer redistributable, I do notice it says it requires Vista SP2 or higher. Normally I would accept this, but a) I think this has recently changed, and b) downloading and manually installing this redistributable works. It's possible there are parts that do not work on XP/Vista but for my intents and purposes it installs and runs quite well despite their claims.

Problem

Examining the installation log file explains the digital signature verification failed. So I manually download the redistributable package onto the Windows XP machine and examine its signature. The signature is there, but the timestamp reports "Not available". Hitting Details also tells me the signing time is "Not available". The file itself is signed by an expired certificate, so naturally verification fails without this timestamp.

However, if I download the same file to a Windows 7 machine, the timestamp is present. Hitting Details shows me the countersignature, verification works, and installation proceeds correctly.

What I've Tried

I have installed a number of different versions of the "Update for Root Certificates" to no avail, including the latest. If this is indeed the solution, please tell me which one I need.

I have followed the certificate chain on the countersignature and it ends at "Microsoft Root Certificate Authority 2010". This root certificate appears to be installed in the XP machine. The only thing I can see is the "2011" version of this certificate is also in the "Third-Party Root Certification Authorities" store, while the 2010 is not. I do not know if this is the cause of the problem or normal.

I may eventually resort to disabling signature verification and using hash-based verification of the payload. However before doing this I would like to know if I have missed something obvious.

My Question

Is there an update to download or a step that can be taken by "normal" users which will allow the timestamp/countersignature to be recognized in XP/Vista? "Normal" users here means someone who is not very computer-literate; I am not referring to administrator rights.

Solution

It seems that there are two timestamp countersignature types that can be used for Windows code signing (Authenticode):

  • Proprietary: results in V1 in the Version field (PKCS#7 version?) of the countersignature properties
  • RFC 3161 based: results in V2

I have not found any documentation that states this explicitly, but through testing it seems that Windows XP (SP3, with all updates installed) only supports timestamps with version V1. Timestamps with version V2 result in the "not available" status. Of course, the version numbers might just correlate with the results -- there is possibly another aspect to the timestamp that causes it to be ignored.

The ReportViewer MSI file that is currently available has a V2 timestamp. However, the timestamp was also made in July 2014, after this question was posted.

More background:

The Windows SDK signtool command supports two options (to the sign and timestamp sub-commands) to generate the two different timestamp types:

  • /t <timestamp server URL>: results in V1
  • /tr <RFC 3161 timestamp server URL>: results in V2

The signtool documentation for /tr states:

> Windows Vista and earlier: This flag is not supported.

However, it seems unclear (due to the way that similar statements are used on other options) whether this applies to the target system or the system that signtool is running on.

Examples

V1 timestamp:

signtool.exe sign /f cert.pfx /p %passphrase% /t http://timestamp.comodoca.com/authenticode /d "Test" test.exe

V2 timestamp:

signtool.exe sign /f cert.pfx /p %passphrase% /tr http://timestamp.comodoca.com/rfc3161 /d "Test" test-rfc3161.exe
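To tell the two countersignature types apart without a Windows machine, the unsigned attribute OID carrying the timestamp can be inspected directly in the PKCS#7 blob: the Authenticode (V1) countersignature uses the PKCS#9 counterSignature attribute (1.2.840.113549.1.9.6), while the RFC 3161 (V2) form uses Microsoft's szOID_RFC3161_counterSign attribute (1.3.6.1.4.1.311.3.3.1). The script below is an added example, not part of the answer above; it reads the security directory of a PE file (such as the test.exe produced by the signtool commands, not an MSI) and reports which kind is present. The OID-substring check is a heuristic that does not verify the signature.

```python
import struct
import sys

OID_PKCS9_COUNTERSIGNATURE = "1.2.840.113549.1.9.6"   # V1: Authenticode countersignature
OID_RFC3161_COUNTERSIGN = "1.3.6.1.4.1.311.3.3.1"     # V2: RFC 3161 timestamp token

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID as a full TLV: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # higher groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def timestamp_kind(pkcs7: bytes) -> str:
    """Classify the countersignature by which attribute OID appears in the PKCS#7 blob."""
    if encode_oid(OID_RFC3161_COUNTERSIGN) in pkcs7:
        return "V2"
    if encode_oid(OID_PKCS9_COUNTERSIGNATURE) in pkcs7:
        return "V1"
    return "none"

def extract_authenticode(pe: bytes) -> bytes:
    """Return the PKCS#7 bytes from a PE file's security directory (empty if unsigned)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+ layout
    offset, size = struct.unpack_from("<II", pe, data_dirs + 4 * 8)  # entry 4: security
    if size == 0:
        return b""
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (8 bytes), then PKCS#7
    return pe[offset + 8: offset + size]

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = extract_authenticode(fh.read())
    print("signature present:", bool(blob), "timestamp kind:", timestamp_kind(blob))
```

A file that reports V2 here is the case the answer describes as showing "Not available" on XP SP3; a V1 result means the timestamp was made with /t rather than /tr.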
