
How does one correctly dual-sign code with a timestamp?

I have two code signing certificates (one SHA-1, one SHA-256) which I'd like to apply to the same file. I tried to append the SHA-256 certificate, but this fails:

:: Signs with the SHA-1 certificate
signtool sign /sha1 8f52fa9db30525dfabb35b08bd1966693a30eccf /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe
:: Signs with the SHA-2 certificate
signtool sign /sha1 8b0026ecbe5bf245993b26e164f02e1313579e47 /as /t http://timestamp.verisign.com/scripts/timestamp.dll my_app_here.exe

This fails with the error:

Done Adding Additional Store
SignTool Error: SignedCode::Sign returned error: 0x80070057
        The parameter is incorrect.
SignTool Error: An error occurred while attempting to sign: my_app_here.exe

If I remove the timestamp URL from the second command, the signing completes successfully, but the SHA-2 signature has no timestamp. (Whether or not I put a timestamp on the first signature has no effect.)

The intent here is to allow someone to verify the app with the stronger certificate if they are on an operating system that supports this, but to avoid failing validation on operating systems that don't support the stronger certificates (Vista, XP).

Is this kind of thing even possible?

SHA-2 Authenticode signing requires an RFC 3161 timestamp server. The timestamp.verisign.com URL does not work for this.

The RFC 3161 URL for Symantec/Verisign is:

http://sha256timestamp.ws.symantec.com/sha256/timestamp

If you are still using the older http://timestamp.geotrust.com/tsa URL, and it is failing (April 2017), you should update it to the above one. GeoTrust, like Verisign, is now part of Symantec.

Source:

https://knowledge.verisign.com/support/code-signing-support/index?page=content&id=SO5820
