我有相同症状,但是总共不同的原因。与许多开发人员一样,我的系统上安装了许多不同的工具链。我只是对他们进行了调查,以展示这看起来如何;滚动到此答案的底部以获取完整列表。
我已将 VeriSign 的代码签名证书安装到系统证书存储区(需要/sm with signtool.exe)像往常一样,使用certutil -importPFX cert.pfx从提升的命令提示符。
第一次测试看起来很有希望,但突然签名开始失败。
为了调试我首先开始使用的问题signtool.exe sign /debug /v /a /sm ...以便查看出了什么问题。输出看起来像这样(另见问题):
The following certificates were considered:
Issued to: localhost
Issued by: localhost
Expires: Tue Dec 26 00:00:00 2017
SHA1 hash: <...>
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Root Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
我可以排除丢失的私钥,因为证书存储清楚地表明了这一点我有一个matching私钥:
现在我记得有最近的一些补丁 https://technet.microsoft.com/en-us/library/security/3033929允许 Windows 7 接受使用具有 SHA256 哈希值的证书创建的签名。当然,大多数较旧的文章都会指出 Windows 7 根本无法处理 SHA-2 哈希值。
所以这已经让我朝着“它必须是涉及签名的旧版本”的方向前进。
I still决定删除证书加密钥并使用前面显示的调用重新导入它。
然后,在调查了我的系统(参见答案底部)之后,我发现了一个巨大的问题five不同版本的signtool.exe。所以我开始尝试最新的(6.3.9600.17298,来自 Windows 8.1 SDK)它立即起作用了:
signtool.exe sign /debug /v /a /sm /r VeriSign /ac MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" *.exe
The following certificates were considered:
Issued to: localhost
Issued by: localhost
Expires: Tue Dec 26 00:00:00 2017
SHA1 hash: <...>
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Root Name filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
Cross certificate chain (using machine store):
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
Expires: Sat Nov 01 13:54:03 2025
SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 19:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: Symantec Class 3 SHA256 Code Signing CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Dec 09 23:59:59 2023
SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
Issued to: <...>
Issued by: Symantec Class 3 SHA256 Code Signing CA
Expires: <...>
SHA1 hash: <...>
The following additional certificates will be attached:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: Microsoft Code Verification Root
Expires: Mon Feb 22 19:35:17 2021
SHA1 hash: 57534CCC33914C41F70E2CBB2103A1DB18817D8B
Issued to: Symantec Class 3 SHA256 Code Signing CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: Sat Dec 09 23:59:59 2023
SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
Done Adding Additional Store
Successfully signed: <...>.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
进一步追踪,我认为我已经找到了问题。然而,事实证明我得到的错误并不是我在旧版本中看到的错误signtool.exe版本。相反,旧版本会抱怨/ac, /fd and /ph分别是无法识别的命令行选项。
So I needed to dig a little deeper and it turned out that my (alternative) file manager was the culprit. I usually start my command prompts in the respective folder using that file manager and a handy keyboard shortcut. It turns out that it sometimes does not pass the environment variables - essentially the file manager "forgets" the environment variables. This turned out to be the root cause. A command prompt opened using Win+R and then cmd Enter would not expose this behavior despite executing signtool.exe from the same folder.
我对此的最佳猜测是,由于混乱PATH变量或类似变量,signtool.exe最终选择了错误的 DLL。尤其mssign32.dll and wintrust.dll 陪伴signtool.exeWindows SDK 8.0 和 8.1 位于同一文件夹中,但不适用于任何早期版本signtool.exe它将选择“全局”系统范围的 DLL,无论它们是什么。
在我的系统上我有five不同版本的signtool.exe.
签名工具.exe 5.2.3790.1830
甚至不明白/ac and /ph我正在使用的论点(也不是/fd)。但奇怪的是,没有这两个论点却有效。
C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool.exe
签名工具.exe 6.0.4002.0
甚至不明白/ac and /ph我正在使用的论点(也不是/fd)。但奇怪的是,没有这两个论点却有效。
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Tools\Bin\signtool.exe
签名工具.exe 6.1.7600.16385
第一个版本需要理解/fd sha256.
C:\WINDDK\7600.16385.1\bin\amd64\SignTool.exeC:\WINDDK\7600.16385.1\bin\x86\SignTool.exeC:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exeC:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exeC:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe
签名工具.exe 6.2.9200.20789
C:\Program Files (x86)\Windows Kits\8.0\bin\x64\signtool.exeC:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe
签名工具.exe 6.3.9600.17298
C:\Program Files (x86)\Windows Kits\8.1\bin\arm\signtool.exeC:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exeC:\Program Files (x86)\Windows Kits\8.1\bin\x86\signtool.exe
