Saya menggunakan signtool.exe v6.2.9200.20527 untuk dukungan /tr dan /td switch. Dalam contoh berikut 0961...35d2 adalah cap jempol SHA1 dari sertifikat Penandatanganan Kode SHA256 di penyimpanan Personal > Sertifikat pengguna saat ini.
Contoh 1: Penandatanganan kode dengan intisari SHA256, tanpa stempel waktu.
c:signtool.exe sign /fd sha256 /sha1 0961...35d2 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha256 None
Successfully verified: CertificateCheck.exe
Contoh 2: Penandatanganan kode dengan intisari SHA1, tanpa stempel waktu.
c:signtool.exe sign /fd sha1 /sha1 0961...35d2 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha1 None
Successfully verified: CertificateCheck.exe
Contoh 3: Penandatanganan ganda dengan intisari SHA256 dan intisari SHA1 serta dengan stempel waktu.
c:signtool.exe sign /fd sha256 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha256 CertificateCheck.exe
c:signtool.exe sign /as /fd sha1 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha1 CertificateCheck.exe
c:signtool.exe verify /all /pa CertificateCheck.exe
File: CertificateCheck.exe
Index Algorithm Timestamp
========================================
0 sha256 RFC3161
1 sha1 RFC3161
Menggunakan signtool verifikasi /v Saya juga dapat melihat detail sertifikat dan rantai kepercayaan sertifikat...
c:signtool.exe verify /all /pa /v CertificateCheck.exe
Verifying: CertificateCheck.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: Sun Mar 18 20:00:00 2029
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 20:00:00 2019
SHA1 hash: 4E34...36FF
Issued to: Example Company Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: Fri May 11 02:17:24 2018
SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:05 2015
Timestamp Verified by:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: B1BC...829C
Issued to: GlobalSign Timestamping CA - G2
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: C0E4...5B71
Issued to: GlobalSign TSA for Standard - G2
Issued by: GlobalSign Timestamping CA - G2
Expires: Tue Mar 03 10:00:00 2026
SHA1 hash: 19E1...65B6
Signature Index: 1
Hash of file (sha1): CFA4...7863
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: Sun Mar 18 20:00:00 2029
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 20:00:00 2019
SHA1 hash: 4E34...36FF
Issued to: Example Company Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: Fri May 11 02:17:24 2018
SHA1 hash: 0961...35D2
The signature is timestamped: Wed May 06 13:51:06 2015
Timestamp Verified by:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: B1BC...829C
Issued to: GlobalSign Timestamping CA - G2
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 22:00:00 2028
SHA1 hash: C0E4...5B71
Issued to: GlobalSign TSA for Standard - G2
Issued by: GlobalSign Timestamping CA - G2
Expires: Tue Mar 03 10:00:00 2026
SHA1 hash: 19E1...65B6
Successfully verified: CertificateCheck.exe
Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0
Kami juga menandatangani dua kali file .application dan .manifest ClickOnce kami menggunakan kombinasi Mage.exe dan SignTool.exe tetapi SignTool Verify tampaknya tidak berfungsi dengan file .application dan .manifest:
c:signtool.exe verify /all /pa /v CertificateCheck.application
Verifying: CertificateCheck.application
SignTool Error: This file format cannot be verified because it is not recognized.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1
c:signtool.exe verify /all /pa /v CertificateCheck.exe.manifest
Verifying: CertificateCheck.exe.manifest
SignTool Error: This file format cannot be verified because it is not recognized.
Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Kita dapat membuka file .manifest dan .application dalam editor berkemampuan XML untuk melihat bahwa tanda tangan yang dikodekan base64 sebenarnya telah ditambahkan tetapi apakah ada yang setara dengan SignTool Verify yang memungkinkan saya melihat tanda tangan dan/atau rantai kepercayaan sertifikat terlampir dari baris perintah? Atau apakah saya salah mengendarainya? Saya ingin melakukan ini agar kami dapat menambahkan langkah pengujian ke skrip build kami.
Informasi lebih lanjut...
Oke, sepertinya ini masalah terkait versi.
Saya telah mengumpulkan beberapa versi SignTool yang berbeda untuk mencoba berbagai hal. Seri v5 memiliki berbagai tombol Verifikasi/manifest sedangkan seri v6 yang saya temui tidak memilikinya. Di sisi lain seri v6 mendukung sertifikat dan algoritma SHA2 sedangkan seri v5 tidak terlalu menyukainya.
Menggunakan signtool.exe v5.2.3790.2568 saya dapat memeriksa nama kuat (identitas aplikasi) dengan ini:
signtool verify /manifest /snonly /v CertificateChecker.application
Successfully verified: CertificateChecker.application
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Tetapi jika saya mencoba menunjukkan rantai kepercayaan sertifikat (dan ada sertifikat SHA256 di dalamnya) maka akan terjadi kesalahan:
signtool verify /manifest /pa /v CertificateChecker.application
SignTool Error: CryptVerifyManifestFile returned error: 0x800B0004
The subject is not trusted for the specified action.
Signing Certificate Chain:
Issued to: GlobalSign
Issued by: GlobalSign
Expires: 2029-03-18 8:00:00 PM
SHA1 hash: D69B...76AD
Issued to: GlobalSign CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: 2019-08-02 8:00:00 PM
SHA1 hash: 4E34...A36FF
Issued to: Example Pty Ltd
Issued by: GlobalSign CodeSigning CA - SHA256 - G2
Expires: 2018-05-11 2:17:24 AM
SHA1 hash: 0961...A35D2
File is not timestamped.
SignTool Error: File not valid: CertificateChecker.application
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
Jadi saya memiliki varian dari pertanyaan awal saya: Apakah ada pengganti SignTool Verify untuk file .application dan .manifest ClickOnce... dan mendukung SHA256?