SignTool Verify equivalent for .application and .manifest files?

I'm using signtool.exe v6.2.9200.20527 for its /tr and /td switch support. In the following examples 0961...35d2 is the SHA1 thumbprint of the SHA256 Code Signing certificate in the current user's Personal > Certificates store.

Example 1: Code signing with a SHA256 digest, without a timestamp.

c:\>signtool.exe sign /fd sha256 /sha1 0961...35d2 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha256     None

Successfully verified: CertificateCheck.exe

Example 2: Code signing with a SHA1 digest, without a timestamp.

c:\>signtool.exe sign /fd sha1 /sha1 0961...35d2 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha1       None

Successfully verified: CertificateCheck.exe

Example 3: Dual signing with a SHA256 digest and a SHA1 digest, with timestamps.

c:\>signtool.exe sign /fd sha256 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha256 CertificateCheck.exe
c:\>signtool.exe sign /as /fd sha1 /sha1 0961...35d2 /tr http://timestamp.globalsign.com/scripts/timstamp.dll /td sha1 CertificateCheck.exe
c:\>signtool.exe verify /all /pa CertificateCheck.exe

File: CertificateCheck.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161
1      sha1       RFC3161

Using signtool verify /v I can also see the certificate details and the certificate trust chain...

c:\>signtool.exe verify /all /pa /v CertificateCheck.exe

Verifying: CertificateCheck.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 6774...B2D1

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   Sun Mar 18 20:00:00 2029
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   Fri Aug 02 20:00:00 2019
        SHA1 hash: 4E34...36FF

            Issued to: Example Company Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   Fri May 11 02:17:24 2018
            SHA1 hash: 0961...35D2

The signature is timestamped: Wed May 06 13:51:05 2015
Timestamp Verified by:
    Issued to: GlobalSign Root CA
    Issued by: GlobalSign Root CA
    Expires:   Fri Jan 28 22:00:00 2028
    SHA1 hash: B1BC...829C

        Issued to: GlobalSign Timestamping CA - G2
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 22:00:00 2028
        SHA1 hash: C0E4...5B71

            Issued to: GlobalSign TSA for Standard - G2
            Issued by: GlobalSign Timestamping CA - G2
            Expires:   Tue Mar 03 10:00:00 2026
            SHA1 hash: 19E1...65B6

Signature Index: 1
Hash of file (sha1): CFA4...7863

Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   Sun Mar 18 20:00:00 2029
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   Fri Aug 02 20:00:00 2019
        SHA1 hash: 4E34...36FF

            Issued to: Example Company Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   Fri May 11 02:17:24 2018
            SHA1 hash: 0961...35D2

The signature is timestamped: Wed May 06 13:51:06 2015
Timestamp Verified by:
    Issued to: GlobalSign Root CA
    Issued by: GlobalSign Root CA
    Expires:   Fri Jan 28 22:00:00 2028
    SHA1 hash: B1BC...829C

        Issued to: GlobalSign Timestamping CA - G2
        Issued by: GlobalSign Root CA
        Expires:   Fri Jan 28 22:00:00 2028
        SHA1 hash: C0E4...5B71

            Issued to: GlobalSign TSA for Standard - G2
            Issued by: GlobalSign Timestamping CA - G2
            Expires:   Tue Mar 03 10:00:00 2026
            SHA1 hash: 19E1...65B6


Successfully verified: CertificateCheck.exe

Number of signatures successfully Verified: 2
Number of warnings: 0
Number of errors: 0

We also dual-sign our ClickOnce .application and .manifest files using a combination of Mage.exe and SignTool.exe, but SignTool Verify doesn't appear to work with .application and .manifest files:

c:\>signtool.exe verify /all /pa /v CertificateCheck.application

Verifying: CertificateCheck.application
SignTool Error: This file format cannot be verified because it is not recognized.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1

c:\>signtool.exe verify /all /pa /v CertificateCheck.exe.manifest

Verifying: CertificateCheck.exe.manifest
SignTool Error: This file format cannot be verified because it is not recognized.

Number of signatures successfully Verified: 0
Number of warnings: 0
Number of errors: 1

We can open the .manifest and .application files in an XML-capable editor to see that the base64-encoded signatures have in fact been added, but is there an equivalent of SignTool Verify that lets me see the signature and/or the attached certificate trust chain from the command line? Or am I going about this the wrong way? I want to do this so that we can add a test step to our build script.

More information...

OK, it looks like this is a version-related problem.

I've collected several different versions of SignTool to try things out. The v5 series has various Verify /manifest switches, whereas the v6 series I've come across doesn't have them. On the other hand, the v6 series supports SHA2 certificates and algorithms, whereas the v5 series doesn't like them much.

Using signtool.exe v5.2.3790.2568 I can check the strong name (application identity) with this:

signtool verify /manifest /snonly /v CertificateChecker.application
Successfully verified: CertificateChecker.application

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

But if I try to show the certificate trust chain (and there's a SHA256 certificate in it) then an error occurs:

signtool verify /manifest /pa /v CertificateChecker.application
SignTool Error: CryptVerifyManifestFile returned error: 0x800B0004
        The subject is not trusted for the specified action.
Signing Certificate Chain:
    Issued to: GlobalSign
    Issued by: GlobalSign
    Expires:   2029-03-18 8:00:00 PM
    SHA1 hash: D69B...76AD

        Issued to: GlobalSign CodeSigning CA - SHA256 - G2
        Issued by: GlobalSign
        Expires:   2019-08-02 8:00:00 PM
        SHA1 hash: 4E34...A36FF

            Issued to: Example Pty Ltd
            Issued by: GlobalSign CodeSigning CA - SHA256 - G2
            Expires:   2018-05-11 2:17:24 AM
            SHA1 hash: 0961...A35D2

File is not timestamped.
SignTool Error: File not valid: CertificateChecker.application

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

So I have a variant of my original question: Is there a replacement for SignTool Verify for ClickOnce .application and .manifest files... that supports SHA256?


AlwaysLearning, 06.05.2015
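The command-line check the question is after, for the manifest side, as an added example that is not part of the original post: a PowerShell script that reads the XML-DSig blocks Mage.exe embeds in a ClickOnce .application or .exe.manifest file and reports the signature and digest algorithms, whether an RFC 3161 timestamp is present, the signing certificate and the chain it builds to, plus a small wrapper around signtool's exit code for the .exe. It assumes Windows PowerShell on a machine with .NET Framework, the standard xmldsig and Authenticode namespace URIs and element layout that Mage-signed manifests use, that signtool.exe is on the PATH, and hypothetical file paths in the usage lines.

```powershell
# Added example, not code from the original post.
# Assumptions: Windows PowerShell 3+ with .NET Framework; namespace URIs and element
# placement as in Mage-signed ClickOnce manifests; signtool.exe on the PATH; the
# file paths in the usage lines at the bottom are hypothetical.

function Get-ClickOnceManifestSignatureInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('as', 'http://schemas.microsoft.com/windows/pki/2005/Authenticode')

    # A Mage-signed manifest carries two Signature elements: "StrongNameSignature"
    # (keyed by an RSAKeyValue) and, nested inside its KeyInfo, "AuthenticodeSignature"
    # (keyed by the X.509 certificate). "//ds:Signature" returns both.
    $signatures = $doc.SelectNodes('//ds:Signature', $ns)
    if ($signatures.Count -eq 0) {
        throw "No <Signature> element in $Path - the manifest is unsigned."
    }

    foreach ($sig in $signatures) {
        $methodNode = $sig.SelectSingleNode('ds:SignedInfo/ds:SignatureMethod/@Algorithm', $ns)
        $sigMethod  = if ($methodNode) { $methodNode.Value } else { '(none)' }
        $digests    = @($sig.SelectNodes('ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm', $ns) |
                        ForEach-Object { $_.Value })
        $certNode   = $sig.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
        $timestamp  = $sig.SelectSingleNode('ds:Object/as:Timestamp', $ns)

        $signer = '(strong-name key only)'; $thumb = ''; $notAfter = $null
        $chainOk = $null; $chainText = ''; $chainStatus = ''
        if ($certNode) {
            $bytes = [Convert]::FromBase64String($certNode.InnerText.Trim())
            $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
            $signer = $cert.Subject; $thumb = $cert.Thumbprint; $notAfter = $cert.NotAfter

            # Build the chain with the Code Signing EKU, which approximates what
            # "signtool verify /pa" checks for a PE file. Revocation is skipped so the
            # check runs offline; set it to Online for a release gate.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
            $chainOk     = $chain.Build($cert)
            $chainText   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }

        [pscustomobject]@{
            SignatureId     = $sig.GetAttribute('Id')
            SignatureMethod = $sigMethod            # ...xmldsig-more#rsa-sha256 or ...xmldsig#rsa-sha1
            DigestMethods   = ($digests -join ', ')
            Timestamped     = [bool]$timestamp
            Signer          = $signer
            Thumbprint      = $thumb
            NotAfter        = $notAfter
            ChainValid      = $chainOk
            Chain           = $chainText
            ChainStatus     = $chainStatus
        }
    }
}

function Test-AuthenticodeExe {
    # PE side of the build check: signtool returns a non-zero exit code when
    # verification fails (0 = success, 1 = failure, 2 = warnings).
    param([Parameter(Mandatory = $true)][string]$Path, [string]$SignTool = 'signtool.exe')
    & $SignTool verify /all /pa $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage in a build script (hypothetical paths):
$results = Get-ClickOnceManifestSignatureInfo -Path 'C:\build\CertificateCheck.application'
$results | Format-List
$bad = $results | Where-Object { $_.Signer -ne '(strong-name key only)' -and -not $_.ChainValid }
if ($bad -or -not (Test-AuthenticodeExe -Path 'C:\build\CertificateCheck.exe')) { exit 1 }
```

The SignatureMethod URI answers the SHA256 part of the question directly: it shows which digest Mage used when it signed the manifest, independent of which SignTool version can verify it. What the script does not do is recompute the XML signature over the manifest body; that step needs the .NET ManifestSignatureInformation.VerifySignature API in System.Core, or Mage itself.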


Answers (3)


mage.exe (Manifest Generation and Editing Tool)

mage -s CertificateCheck.application

I haven't found a way to verify from the CLI yet.

Remus Rusanu, 05.04.2016

Use this code to verify ClickOnce manifests:

// based on tip from http://www.pcreview.co.uk/threads/tool-for-clickonce-maifest-and-application-signature-validation.3308405/#post-11299058
using System;
using System.Security.Cryptography; // ManifestSignatureInformation, ManifestKinds, TrustStatus (System.Core.dll)
using System.Xml;
using System.Xml.Linq;
using System.Xml.XPath;

private static ManifestSignatureInformationCollection GetClickOnceManifestSignature(string manifestPath)
{
    // ClickOnce has two manifest kinds and VerifySignature must be told which one it is checking:
    // the application manifest (*.exe.manifest) or the deployment manifest (*.application).
    bool isApplicationManifest;
    if (manifestPath.EndsWith(".exe.manifest", StringComparison.OrdinalIgnoreCase))
    {
        isApplicationManifest = true;
    }
    else if (manifestPath.EndsWith(".application", StringComparison.OrdinalIgnoreCase))
    {
        isApplicationManifest = false;
    }
    else
    {
        throw new InvalidOperationException("Unrecognized manifest type, expected either application manifest (.exe.manifest) or deployment manifest (.application)");
    }

    // In both manifest kinds the assemblyIdentity element is in the asm.v1 namespace.
    XmlNamespaceManager namespaceManager = new XmlNamespaceManager(new NameTable());
    namespaceManager.AddNamespace("asmv1", "urn:schemas-microsoft-com:asm.v1");

    XElement assemblyIdentityXml = XDocument.Load(manifestPath).XPathSelectElement("/asmv1:assembly/asmv1:assemblyIdentity", namespaceManager);
    if (assemblyIdentityXml == null)
    {
        throw new InvalidOperationException("No assemblyIdentity element found in " + manifestPath);
    }

    // Rebuild the identity string the activation context needs from the manifest's own assemblyIdentity.
    string applicationIdentityPart = string.Format(
        "{0}, Version={1}, Culture={2}, PublicKeyToken={3}, processorArchitecture={4}",
        assemblyIdentityXml.Attribute("name").Value,
        assemblyIdentityXml.Attribute("version").Value,
        assemblyIdentityXml.Attribute("language").Value,
        assemblyIdentityXml.Attribute("publicKeyToken").Value,
        assemblyIdentityXml.Attribute("processorArchitecture").Value);
    // Only the application manifest's identity carries a type (e.g. win32).
    if (isApplicationManifest)
    {
        applicationIdentityPart += ", type=" + assemblyIdentityXml.Attribute("type").Value;
    }

    // CreatePartialActivationContext expects "<deployment identity>/<application identity>" plus the
    // deployment and application manifest paths; to check a single manifest on its own, the same
    // identity and the same path are passed twice.
    return ManifestSignatureInformation.VerifySignature(
        ActivationContext.CreatePartialActivationContext(new ApplicationIdentity(applicationIdentityPart + "/" + applicationIdentityPart),
            new[] { manifestPath, manifestPath }),
        isApplicationManifest ? ManifestKinds.Application : ManifestKinds.Deployment);
}


private static void Main(string[] args)
{
    ManifestSignatureInformationCollection resultDeployment = GetClickOnceManifestSignature(@"path\to\DeploymentManifest.application");
    ManifestSignatureInformationCollection resultApplication = GetClickOnceManifestSignature(@"path\to\ApplicationManifest.exe.manifest");

    // KnownIdentity: valid signature from an identifiable signer; Trusted: valid signature from an
    // explicitly trusted publisher. Untrusted and UnknownIdentity both mean the check failed.
    Console.WriteLine("Deployment manifest is trusted: ");
    Console.WriteLine(resultDeployment[0].AuthenticodeSignature.TrustStatus == TrustStatus.KnownIdentity || resultDeployment[0].AuthenticodeSignature.TrustStatus == TrustStatus.Trusted);

    Console.WriteLine("Application manifest is trusted: ");
    Console.WriteLine(resultApplication[0].AuthenticodeSignature.TrustStatus == TrustStatus.KnownIdentity || resultApplication[0].AuthenticodeSignature.TrustStatus == TrustStatus.Trusted);
}
Rafał Kłys, 26.04.2016

Not that I know of. Microsoft's stupidity still amazes me sometimes.

The old Signtool.exe doesn't support SHA256. The new version supports it but doesn't support manifest signing (why did M$ remove that functionality?!). mage.exe doesn't support HSM certificate servers unless you know the private key (which is the whole point of using such a server to secure certificates). Amazing.

Joe Coder, 27.01.2016
Comment:
So, if I understand correctly, it's not possible to create a ClickOnce application installer signed with a hardware security module (HSM)? - Eric Hewitt; 04.04.2017