我正在使用Windows SDK 8.1中的signtool对二进制文件进行签名:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
当我查看文件属性时,可以看到正确的结果。
然而,当我使用此 signtool 进行 verify 时,根据传递的参数,我会得到不同的结果:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
使用/pa和/pa /all命令,我可以看到两个时间戳:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
1 sha256 RFC3161
在尝试使用/kp来验证内核签名策略时,signtool拒绝运行并出现/all的错误提示:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.
所以我有两个问题:
- 这是一个缺陷吗(
/kp和/all不能一起使用)? - 是否有比调用
signtool verify两次更好的方法,一次使用/pa /all,一次使用/kp来查看所有时间戳并根据内核签名策略进行验证?