
Signtool.exe succeeds but zero signatures are added to the file

I'm writing a custom CNG provider (Key Storage Provider) to allow signing using our private HSM API in Signtool.exe. I implemented the APIs in my CNG provider and successfully installed it on my Windows 10 system.

Command:

signtool.exe sign /v /debug /f cert.cer /csp "Sample Key Storage Provider" /k "keyid" /t http://timestamp.digicert.com /fd sha256 helloworld.exe

Signtool.exe succeeds with return code 0 but ends up adding no signatures to the file.

Verify Output:

signtool.exe verify /v /pa helloworld.exe

Verifying: helloworld.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 3338A11DDAB9CBB7B39E65C30F235C2DF8EDE17BB5BE759A3213D25EC286F390

Signing Certificate Chain:
    Issued to: Sample Certificate Authority
    Issued by: Sample Certificate Authority
    Expires:   Fri Feb 07 21:37:36 2070
    SHA1 hash: 2B5B37DADFCBD018BDB2789176A69708FFCA25E0

        Issued to: Sample test certificate
        Issued by: Sample Certificate Authority
        Expires:   Thu May 28 13:40:10 2020
        SHA1 hash: A679DF5E89B9C23E57E89AEB434CA98230F52DC3

The signature is timestamped: Sun Mar 29 16:44:01 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Sun Nov 09 17:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 05:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297

            Issued to: TIMESTAMP-SHA256-2019-10-15
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Wed Oct 16 17:00:00 2030
            SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5

SignTool Error: No signature found.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

However, when I look at the Digital Signatures tab in the file properties, it does show an entry. When I select the entry it says "no signature was present in the subject".

What am I missing here?

signtool.exe sign
   /v
   /debug
   /f cert.cer
   /csp "Sample Key Storage Provider"
   /k "keyid"
   /t http://timestamp.digicert.com
   /fd sha256
   helloworld.exe

The documentation says, when using /f SignCertFile:

  • if the file is a .pfx, you must use /p to specify the password
  • if the file does not contain private keys, you must specify
    • /csp CSPName
    • /kc PrivKeyContainerName

I see you do specify /csp:

/csp "Sample Key Storage Provider"

But you don't specify /kc.

I do see you specify /k - which is nothing.
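An added diagnostic, not part of the question or the answer above: rather than trusting signtool's exit code, read the PE Security data directory directly and report what the certificate table actually contains, since a WIN_CERTIFICATE record whose PKCS#7 payload is missing is the kind of state in which Explorer lists an entry but a verifier reports no signature. The sample images are constructed inside the block by `build_sample_pe`; the offsets and constants follow the PE/COFF specification, not anything on this page.

```python
import struct

# Field layout constants from the PE/COFF specification (not from the thread).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def inspect_security_directory(pe: bytes) -> dict:
    """Return what the PE certificate table actually holds.

    Authenticode keeps WIN_CERTIFICATE records at the Security data directory's
    raw file offset; a record with an empty payload is an "entry" with no signature.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)         # data directories start: PE32+ vs PE32
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    report = {"table_offset": off, "table_size": size, "entries": []}
    pos, end = off, min(off + size, len(pe))             # clamp so a bogus size cannot run off the file
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        payload = pe[pos + 8:pos + length]               # bCertificate: the PKCS#7 SignedData blob
        report["entries"].append({
            "length": length, "revision": rev, "type": ctype,
            "payload_len": len(payload),
            "looks_like_der": payload[:1] == b"\x30",    # DER SEQUENCE tag opens a SignedData structure
        })
        if length < 8:
            break                                        # malformed header; do not loop forever
        pos += (length + 7) & ~7                         # records are padded to 8-byte alignment
    return report


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32+ image carrying one WIN_CERTIFICATE record (test fixture only)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                 # PE32+ optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
    cert_off = len(dos) + len(coff) + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    return bytes(dos) + coff + bytes(opt) + cert
```

Run `inspect_security_directory(open("helloworld.exe", "rb").read())` on the real file: an entry with `payload_len` 0 or `looks_like_der` False shows the provider's signing step returned nothing usable, whatever exit code signtool reported.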
