SignTool验证.application和.manifest文件的等效项目吗?
问题描述:
我正在使用signtool.exe v6.2.9200.20527来管理/ tr和/ td开关。在以下示例中,0961 ... 35d2是当前用户的“个人”>“证书”存储中的SHA256代码签名证书的SHA1指纹。SignTool验证.application和.manifest文件的等效项目吗?
示例1:使用SHA256摘要进行代码签名,没有时间戳。
c:signtool.exe sign /fd sha256 /sha1 0961...35d2 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha256 None
Successfully verified: CertificateCheck.exe
示例2:使用SHA1摘要进行代码签名,没有时间戳。
c:signtool.exe sign /fd sha1 /sha1 0961...35d2 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha1 None
Successfully verified: CertificateCheck.exe
示例3:使用SHA256摘要和SHA1摘要和时间戳进行双重签名。
c:signtool.exe sign /fd sha256 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha256 CertificateCheck.exe
c:signtool.exe sign /as /fd sha1 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha1 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha256 RFC3161
1 sha1 RFC3161
使用signtool验证/ V我还可以看到证书的详细信息和证书信任链...
c:signtool.exe verify /all /pa /v CertificateCheck.exe
Verifying: CertificateCheck.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: Sun Mar 18 20:00:00 2029
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 20:00:00 2019
SHA1 hash: 4E34...36FF
Issued to: Example Company Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: Fri May 11 02:17:24 2018
SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:05 2015
Timestamp Verified by:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: B1BC...829C
Issued to: GlobalSign Timestamping CA - G2
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: C0E4...5B71
Issued to: GlobalSign TSA for Standard - G2
Issued by: GlobalSign Timestamping CA - G2
Expires: Tue Mar 03 10:00:00 2026
SHA1 hash: 19E1...65B6
Signature Index: 1
Hash of file (sha1): CFA4...7863
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: Sun Mar 18 20:00:00 2029
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 20:00:00 2019
SHA1 hash: 4E34...36FF
Issued to: Example Company Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: Fri May 11 02:17:24 2018
SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:06 2015
Timestamp Verified by:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: B1BC...829C
Issued to: GlobalSign Timestamping CA - G2
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: C0E4...5B71
Issued to: GlobalSign TSA for Standard - G2
Issued by: GlobalSign Timestamping CA - G2
Expires: Tue Mar 03 10:00:00 2026
SHA1 hash: 19E1...65B6
Successfully verified: CertificateCheck.exe
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
我们还使用组合双签署我们的ClickOnce。应用和.manifest文件Mage.exe和SignTool.exe但SignTool验证似乎不使用。应用和.manifest文件的工作:
c:signtool.exe verify /all /pa /v CertificateCheck.application
Verifying: CertificateCheck.application
SignTool Error: This file format cannot be verified because it is not recognized.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1
c:signtool.exe verify /all /pa /v CertificateCheck.exe.manifest
Verifying: CertificateCheck.exe.manifest
SignTool Error: This file format cannot be verified because it is not recognized.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1
我们可以在XML-C打开.manifest的和。应用文件一个可编辑的编辑器,看到base64编码的签名实际上已被添加,但是是否有与SignTool Verify的等效项验证允许我查看从命令行附加的签名和/或证书信任链?或者我只是开车错了?我想这样做,以便我们可以添加一个测试步骤到我们的构建脚本。
更多信息...
好了,这似乎是一个版本相关的问题。
我收集了几个不同版本的SignTool来尝试各种事情。 v5系列有各种验证/清单开关,而我所遇到的v6系列都没有。另一方面,v6系列支持SHA2证书和算法,而v5系列不太喜欢它们。
使用signtool.exe v5.2.3790.2568我可以用这个检查强名称(应用程序标识):
signtool verify /manifest /snonly /v CertificateChecker.application
Successfully verified: CertificateChecker.application
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
但是,如果我试图表明证书信任链(并有一个SHA256证书它)会报错:
signtool verify /manifest /pa /v CertificateChecker.application
SignTool Error: CryptVerifyManifestFile returned error: 0x800B0004
The subject is not trusted for the specified action.
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: 2029-03-18 8:00:00 PM
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: 2019-08-02 8:00:00 PM
SHA1 hash: 4E34...A36FF
Issued to: Example Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: 2018-05-11 2:17:24 AM
SHA1 hash: 0961...A35D2
File is not timestamped.
SignTool Error: File not valid: CertificateChecker.application
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
所以我留下了我原来的问题的变体:有没有SignTool验证替代的ClickOnce。应用和.manifest文件...并支持SHA256?
答
不是我所知道的。有时候,微软的愚蠢依然令我震惊。
旧的signtool.exes不支持SHA256。新版本可以,但不支持签名清单(为什么地狱M $删除该功能?!)。 mage.exe不支持HSM证书服务器,除非您知道私钥(这是使用此类服务器来保护证书的全部要点)。这真的很棒。
答
答
使用此密码进行验证的ClickOnce体现:
// based on tip from http://www.pcreview.co.uk/threads/tool-for-clickonce-maifest-and-application-signature-validation.3308405/#post-11299058
private static ManifestSignatureInformationCollection GetClickOnceManifestSignature(string manifestPath)
{
bool isApplicationManifest;
if (manifestPath.EndsWith(".exe.manifest"))
{
isApplicationManifest = true;
}
else if (manifestPath.EndsWith(".application"))
{
isApplicationManifest = false;
}
else
{
throw new InvalidOperationException("Unrecognized manifest type, expected either application manifest (.exe.manifest) or deployment manifest (.application)");
}
XmlNamespaceManager namespaceManager = new XmlNamespaceManager(new NameTable());
namespaceManager.AddNamespace("asmv1", "urn:schemas-microsoft-com:asm.v1");
XElement assemblyIdentityXml = XDocument.Load(manifestPath).XPathSelectElement("/asmv1:assembly/asmv1:assemblyIdentity", namespaceManager);
string applicationIdentityPart = string.Format(
"{0}, Version={1}, Culture={2}, PublicKeyToken={3}, processorArchitecture={4}",
assemblyIdentityXml.Attribute("name").Value,
assemblyIdentityXml.Attribute("version").Value,
assemblyIdentityXml.Attribute("language").Value,
assemblyIdentityXml.Attribute("publicKeyToken").Value,
assemblyIdentityXml.Attribute("processorArchitecture").Value);
if (isApplicationManifest)
{
applicationIdentityPart += ", type=" + assemblyIdentityXml.Attribute("type").Value;
}
return ManifestSignatureInformation.VerifySignature(
ActivationContext.CreatePartialActivationContext(new ApplicationIdentity(applicationIdentityPart + "/" + applicationIdentityPart),
new[] { manifestPath, manifestPath }),
isApplicationManifest ? ManifestKinds.Application : ManifestKinds.Deployment);
}
private static void Main(string[] args)
{
ManifestSignatureInformationCollection resultDeployment = GetClickOnceManifestSignature(@"path\to\DeploymentManifest.application");
ManifestSignatureInformationCollection resultApplication = GetClickOnceManifestSignature(@"path\to\ApplicationManifest.exe.manifest");
Console.WriteLine("Deployment manifest is trusted: ");
Console.WriteLine(resultDeployment[0].AuthenticodeSignature.TrustStatus == TrustStatus.KnownIdentity || resultDeployment[0].AuthenticodeSignature.TrustStatus == TrustStatus.Trusted);
Console.WriteLine("Application manifest is trusted: ");
Console.WriteLine(resultApplication[0].AuthenticodeSignature.TrustStatus == TrustStatus.KnownIdentity || resultApplication[0].AuthenticodeSignature.TrustStatus == TrustStatus.Trusted);
}
所以,如果我理解正确的话,就不可能创造与硬件安全模块(HSM)签署ClickOnce应用程序的安装程序? –