This article describes how to validate Authenticode for JavaScript in C#.

Question

I was able to sign a js file with PowerShell Set-AuthenticodeSignature. After that I can see the signature appeared in the file in the form of:

    // SIG // Begin signature block
    // SIG // MIIKgAYJKoZIhvcNAQcCoIIKcTCCCm0CAQExCzAJBgUr
    // SIG // ....
    // SIG // End signature block

I can validate the signature using Get-AuthenticodeSignature. It says that the sig is valid, but I can't find a way to validate the signature in C# code. All of those options failed:

  1. X509Certificate.CreateFromSignedFile
  2. X509Certificate object c# performance and memory issues alternative – fixed
  3. Used WinVerifyTrust from Wintrust.dll
  4. Ported part of Get-AuthenticodeSignature from PowerShell!

Maybe there are some specific APIs to validate js signatures?

Recommended answer

I recently encountered a similar problem, so let me show what I did to solve it. Before I go on, there are a few assumptions I make now. Please correct me if I am wrong.

  1. wintrust is working for all other cases other than script files like .js or .vbs
  2. You might have attempted "wintrustverify" from a console application (C#)

I figured out that this happens only with script files, as I have mentioned above, because wintrust behaves weirdly when its methods are being executed from the free-threaded apartment model (MTA). Once it had been wrapped inside an STA thread, it started working for me. Later I came to know it is a historical issue, and that we should have taken a precaution when we deal with any COM component interoperation from a .NET application.

Here is the code snippet; you can replace VerifySignature with your wintrust code logic and try. I hope this helps.

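    using System;
    using System.Threading;
    using System.Threading.Tasks;

    // WinTrustData, WinTrustFileInfo, WinTrust, WinVerifyTrustResult and the Wintrust* enums
    // are P/Invoke wrappers around wintrust.dll; they are not shown in this answer.
    public static class SignatureChecker // wrapper class added so the methods have a home
    {
        public static void CheckSignature()
        {
            // Run the WinVerifyTrust call on an STA thread instead of the caller's MTA thread.
            STAApartment apt = new STAApartment();
            var result = apt.Invoke(() =>
            {
                return VerifySignature(@".\signedjsfile.js", false);
            });
            Console.WriteLine(result);
        }

        private static WinVerifyTrustResult VerifySignature(string filePath, bool verifySignatureOnly)
        {
            using (var wtd = new WinTrustData(new WinTrustFileInfo(filePath))
            {
                dwUIChoice = WintrustUIChoice.WTD_UI_NONE,
                dwUIContext = WinTrustDataUIContext.WTD_DATA_UI_EXECUTE,
                fdwRevocationChecks = WinTrustDataRevocationChecks.WTD_REVOCATION_CHECK_WHOLECHAIN,
                dwStateAction = WintrustAction.WTD_STATEACTION_IGNORE,
                // Hash-only check, or a full chain check with revocation.
                dwProvFlags = verifySignatureOnly ? WintrustProviderFlags.WTD_HASH_ONLY_FLAG : WintrustProviderFlags.WTD_REVOCATION_CHECK_CHAIN
            })
            {
                var result = WinTrust.WinVerifyTrust(
                    WinTrust.INVALID_HANDLE_VALUE, new Guid(WinTrust.WINTRUST_ACTION_GENERIC_VERIFY_V2), wtd
                );
                return result;
            }
        }
    }

    // Runs a delegate on a dedicated STA thread and hands its result back to the caller.
    public class STAApartment
    {
        public T Invoke<T>(Func<T> func)
        {
            var tcs = new TaskCompletionSource<T>();
            Thread thread = new Thread(() =>
            {
                try
                {
                    tcs.SetResult(func());
                }
                catch (Exception e)
                {
                    // Forward the failure to the waiting caller.
                    tcs.SetException(e);
                }
            });
            // The apartment state must be set before the thread starts.
            thread.SetApartmentState(ApartmentState.STA);
            thread.Start();
            // Blocks until the STA thread finishes; rethrows the original exception
            // rather than wrapping it in an AggregateException.
            return tcs.Task.GetAwaiter().GetResult();
        }
    }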
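The answer's snippet relies on `WinTrustData`, `WinTrustFileInfo` and `WinTrust` wrappers that it does not show. The following is an added example, not part of the original answer: a minimal P/Invoke binding for `WinVerifyTrust` called on an STA thread with the same flags the answer uses. The names `ScriptTrust`, `Verify` and `VerifyOnSta` are assumptions; the struct layouts follow `wintrust.h`, with the newer `pSignatureSettings` field left out.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading;

static class ScriptTrust // hypothetical name, not from the answer
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        public string pcwszFilePath;        // LPCWSTR
        public IntPtr hFile, pgKnownSubject;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData, pSIPClientData;
        public uint dwUIChoice, fdwRevocationChecks, dwUnionChoice;
        public IntPtr pFile;                // union member: WINTRUST_FILE_INFO*
        public uint dwStateAction;          // left at 0 = WTD_STATEACTION_IGNORE
        public IntPtr hWVTStateData, pwszURLReference;
        public uint dwProvFlags, dwUIContext; // dwUIContext 0 = WTD_UICONTEXT_EXECUTE
    }
    [DllImport("wintrust.dll", ExactSpelling = true)]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);
    static int Verify(string path) // 0 means the signature is trusted
    {
        var file = new WINTRUST_FILE_INFO { cbStruct = (uint)Marshal.SizeOf<WINTRUST_FILE_INFO>(), pcwszFilePath = path };
        IntPtr pFile = Marshal.AllocHGlobal((int)file.cbStruct);
        Marshal.StructureToPtr(file, pFile, false);
        var data = new WINTRUST_DATA { cbStruct = (uint)Marshal.SizeOf<WINTRUST_DATA>(), pFile = pFile,
            dwUIChoice = 2,          // WTD_UI_NONE
            fdwRevocationChecks = 1, // WTD_REVOKE_WHOLECHAIN
            dwUnionChoice = 1,       // WTD_CHOICE_FILE
            dwProvFlags = 0x40 };    // WTD_REVOCATION_CHECK_CHAIN
        var action = new Guid("00AAC56B-CD44-11D0-8CC2-00C04FC295EE"); // WINTRUST_ACTION_GENERIC_VERIFY_V2
        try { return WinVerifyTrust(new IntPtr(-1), ref action, ref data); }
        finally { Marshal.DestroyStructure<WINTRUST_FILE_INFO>(pFile); Marshal.FreeHGlobal(pFile); }
    }
    public static int VerifyOnSta(string path) // same call, forced onto an STA thread
    {
        int result = -1; Exception error = null;
        var t = new Thread(() => { try { result = Verify(path); } catch (Exception e) { error = e; } });
        t.SetApartmentState(ApartmentState.STA);
        t.Start(); t.Join();
        return error == null ? result : throw new InvalidOperationException("WinVerifyTrust call failed", error);
    }
}
```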
