Note: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 licence. If you reuse it, you must do so under the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me). Stack Overflow original: http://stackoverflow.com/questions/18542160/

Date: 2020-09-09 10:49:50  Source: igfitidea

signtool failing to dual sign SHA2 and SHA1 with timestamps

Tags: windows, sha256, authenticode, signtool, verisign

Asked by JosephA

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.

Using the Windows 8 SDK's signtool:

e.g.:

signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"

(where XXXXXXX is our password for the certificate)

fails with the cryptic error:

SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll

Signing without a timestamp works, signing individually as SHA1 or SHA256 works, but we need to dual sign, and imagine not having a timestamp is a no no.

I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?

Answered by Martin Costello

I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

Updated 29/12/15:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

Updated 30/12/2015

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumbprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"

Answered by Ricardo Busato

I know it's a bit old, but I landed in this thread and maybe someone else will too.

It will work if you sign first with SHA1 and then with SHA256:

signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password 

It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.

Answered by Daniel Georgiev

The issue is actually way simpler.

The problem is with the time stamp server.

Instead of using signtool.exe with this

/t http://timestamp.comodoca.com 

You need to use it like this for SHA1

/tr http://timestamp.comodoca.com /td sha1

And for SHA256

/tr http://timestamp.comodoca.com/?td=sha256 /td sha256

Answered by Marius Greuel

Adding to martin_costello's answer, XP and Vista do not support the RFC timestamp. You need to use the /t option for sha1 signatures.

signtool.exe sign /sha1 SHA1_Thumbprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /t http://timestamp.verisign.com/scripts/timestamp.dll "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumbprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"
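
Putting the answers by Martin Costello and Marius Greuel together, here is an added PowerShell wrapper (example code written for this page, not from any answer in the thread) that runs the two signing steps in the required order, rejects malformed thumbprints before signtool sees them, handles the MSI single-signature case from the 30/12/2015 update, and finishes with signtool verify /pa /all so every signature on the file is checked. It assumes signtool.exe is on PATH and both certificates are installed in the user's certificate store; the thumbprints, description and URL are placeholders to replace.

```powershell
# Added example, not from the thread. Dual-signs a file with signtool.exe in the
# order the answers describe: SHA-1 first (legacy /t timestamp, readable on XP and
# Vista), then the SHA-256 signature appended with /as and an RFC 3161 timestamp.
# Assumes signtool.exe is on PATH and both certificates are in the user's store.
# The thumbprints, description and URL below are placeholders (constructed values).
param(
    [Parameter(Mandatory)] [string] $File,
    [string] $Sha1CertThumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string] $Sha256CertThumbprint = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98',
    [string] $Description = 'FileDescription',
    [string] $Url = 'https://example.invalid'
)
$ErrorActionPreference = 'Stop'

# signtool wants a 40-character, upper-case hex thumbprint with no spaces (-cnotmatch
# is case-sensitive, so a lower-case thumbprint is rejected before signtool sees it).
function Assert-Thumbprint([string] $Thumbprint) {
    if ($Thumbprint -cnotmatch '^[0-9A-F]{40}$') {
        throw "Thumbprint '$Thumbprint' is not 40 upper-case hex characters"
    }
}

# Runs signtool with an argument array and stops on the first non-zero exit code, so a
# failed first signature never leaves a file carrying only the appended one.
function Invoke-SignTool([string[]] $Arguments) {
    & signtool.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "signtool.exe failed ($LASTEXITCODE): $Arguments" }
}
Assert-Thumbprint $Sha1CertThumbprint
Assert-Thumbprint $Sha256CertThumbprint
$common = @('/v', '/d', $Description, '/du', $Url)
$authenticodeTsa = 'http://timestamp.verisign.com/scripts/timestamp.dll'
$rfc3161Tsa = 'http://timestamp.comodoca.com/rfc3161'
if ([IO.Path]::GetExtension($File) -ieq '.msi') {
    # MSI cannot hold two signatures: one signature from the SHA-256 certificate with
    # the default SHA-1 file digest and a legacy timestamp, as in the 30/12/2015 update.
    Invoke-SignTool (@('sign', '/sha1', $Sha256CertThumbprint, '/t', $authenticodeTsa) +
        $common + $File)
} else {
    # Step 1: SHA-1 digest, SHA-1 certificate, legacy Authenticode timestamp (/t).
    Invoke-SignTool (@('sign', '/sha1', $Sha1CertThumbprint, '/fd', 'sha1',
        '/t', $authenticodeTsa) + $common + $File)
    # Step 2: append (/as) the SHA-256 digest with an RFC 3161 timestamp (/tr, /td).
    Invoke-SignTool (@('sign', '/sha1', $Sha256CertThumbprint, '/as', '/fd', 'sha256',
        '/tr', $rfc3161Tsa, '/td', 'sha256') + $common + $File)
}
# /all makes verify check every signature on the file, not just the first one.
Invoke-SignTool @('verify', '/pa', '/all', $File)
```

Run it as .\DualSign.ps1 -File .\FileName.dll -Sha1CertThumbprint <SHA-1 cert thumbprint> -Sha256CertThumbprint <SHA-256 cert thumbprint>; if either signing step or the final verify fails, the script stops with signtool's exit code in the error.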

Answered by ElDesdichado

Try using

signtool.exe sign /as /fd sha256 /tr http://timestamp.geotrust.com /td sha256 /f certificate.pfx /p XXXXXX file.dll

/tr is for RFC3161 timestamping, /td obviously for the hash to use.

Answered by Keeely

I also get the above error, however it works with the osslsigncode utility when using the '-nest' option:

osslsigncode sign -pkcs12 cert1.pfx -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in original.exe -out intermediate.exe
osslsigncode sign -pkcs12 cert2.pfx -nest -h sha1 -t http://timestamp.verisign.com/scripts/timestamp.dll -in intermediate.exe -out final.exe

The official project is for Unix, however I've knocked up my own windows fork.

Answered by Legolas

I think this link has some nice pointers. Some of it is mentioned in the answer by martin_costello, but this article provides some more details. In particular:

  • 'Dual signing and include an SHA1 file digest' is possible if you sign SHA1 first, and use /as for the SHA256. It only works with signtool v6.3 from the Windows 8.1 SDK (or later) though.
  • Dual signing with 'a FULL SHA1 signature', needed for Windows versions before XP SP3, requires 2 different certificates.

(I haven't tested all this myself though.)
