signtool无法使用时间戳双重签名SHA2和SHA1

signtool无法使用时间戳双重签名SHA2和SHA1

本文介绍了signtool无法使用时间戳双重签名SHA2和SHA1的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我们需要使用signtool.exe对SHA1和SHA2进行二进制双重签名,我们的证书支持256位SHA2.

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.

使用Windows 8 SDK的signtool:

Using the Windows 8 SDK's signtool:

例如:

signtool.exe标志/as/fd sha256/t http://timestamp.verisign.com/scripts/timstamp.dll /f"certificate.pfx"/p XXXXXXX"file.dll"

signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"

(其中XXXXXXX是我们的证书密码)

(where XXXXXXX is our password for the certificate)

失败,并出现神秘错误:

fails with the cryptic error:

SignTool错误:SignedCode :: Sign返回错误:0x80070057 参数错误.SignTool错误:尝试签名时发生错误:file.dll

SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect.SignTool Error: An error occurred while attempting to sign: file.dll

没有时间戳的签名有效,可以像SHA1或SHA256一样单独签名,但是我们需要双重签名,并且想象没有时间戳是不可以的.

Signing without a timestamp works, signing individually as SHA1 or SHA256 works, but we need to dual sign, and imagine not having a timestamp is a no no.

我尝试了32位和64位版本的signtool.exe,在Win7和Win8计算机上进行了尝试,并尝试使用命令行选项,但无济于事.以前有人打过这个问题吗?

I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?

推荐答案

我一直在尝试执行此操作,发现以下方法可以解决问题.此方法依赖于使用两个Authenticode证书,一个用于SHA-1,另一个用于SHA-256,以确保Windows Vista和Windows Server 2008将文件接受为有效文件,而这些文件不支持通过SHA-256证书进行签名即使使用SHA-1算法:

I've been trying to do this exact thing, and found the following did the trick. This approach relies on using two Authenticode certificates, one for SHA-1 and another for SHA-256, in order to ensure the files are accepted as valid by Windows Vista and Windows Server 2008 which do not support being signed by a SHA-256 certificate even if the SHA-1 algorithm is used:

signtool.exe sign /sha1 SHA1_Thumprint /v /d "FileDescription" /du "CompanyURL" /fd sha1 /tr http://timestamp.comodoca.com/rfc3161 /td sha1 "FileName.dll"
signtool.exe sign /sha1 SHA256_Thumprint /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

请注意,使用/sha1开关为每个签名步骤明确指定了SHA-1指纹,并且/as用于追加 SHA-256签名.否则,SHA-256签名将覆盖SHA-1签名.

Note that the SHA-1 thumbprints are explicitly specified for each signing step using the /sha1 switch and that /as is used to append the SHA-256 signature. Otherwise the SHA-256 signature will override the SHA-1 signature.

我在此过程中发现的另一个难题是,只有DLL和EXE支持双重签名. MSI安装程序没有.

The other gotcha I found in the process was that only DLLs and EXEs support dual signatures. MSI installers do not.

更新15年12月29日:

SHA-1/SHA-256指纹的格式为40个字符的十六进制大写字符串,没有空格.例如:

The format of the SHA-1/SHA-256 thumbprint is a 40-character hexadecimal upper case string with no spaces. For example:

signtool.exe sign /sha1 0123456789ABCDEF0123456789ABCDEF01234567 /as /v /d "FileDescription" /du "CompanyURL" /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 "FileName.dll"

更新了30/12/2015

要使用SHA-256证书但使用SHA-1哈希对MSI文件进行签名,请使用类似于以下命令:

To sign an MSI file with a SHA-256 certificate but with a SHA-1 hash use a command similar to the below:

signtool.exe sign /sha1 SHA256_Thumprint /v /d "FileDescription" /du "CompanyURL" /t http://timestamp.comodoca.com/authenticode "FileName.msi"

这篇关于signtool无法使用时间戳双重签名SHA2和SHA1的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

07-30 13:00