【发布时间】:2016-01-11 22:15:11
【问题描述】:
所以我正在使用 Windows SDK 8.1 中的 signtool 对二进制文件进行签名:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
当我在文件属性中查看时,我可以看到正确的结果。
但是,当我将 verify 与 signtool 一起使用时,我得到的结果取决于传递的参数:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
使用/pa 和/pa /all 我可以看到两个时间戳:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
1 sha256 RFC3161
但是当尝试使用/kp 来验证内核签名策略时,signtool 拒绝与/all 一起运行:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.
所以我有两个问题:
- 这是一个缺陷吗(
/kp和/all不能一起工作)? - 有没有比两次调用
signtool verify更好的方法,一次使用/pa /all,一次使用/kp以查看所有时间戳并验证内核签署政策?
【问题讨论】:
标签: windows code-signing signtool authenticode