我正在使用Windows SDK 8.1中的signtool对二进制文件进行签名:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /t "http://timestamp.verisign.com/scripts/timstamp.dll" "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /a /i Symantec /ac C:\utils\MSCV-VSClass3.cer /ph /fd sha256 /tr "http://timestamp.geotrust.com/tsa" /td sha256 /as "foo.exe"
Done Adding Additional Store
Successfully signed: foo.exe
当我查看文件属性时,可以看到正确的结果。
然而,当我使用此 signtool
进行 verify
时,根据传递的参数,我会得到不同的结果:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
使用/pa
和/pa /all
命令,我可以看到两个时间戳:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: foo.exe
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /pa /all "foo.exe"
File: foo.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
1 sha256 RFC3161
在尝试使用/kp
来验证内核签名策略时,signtool
拒绝运行并出现/all
的错误提示:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" verify /kp /all "foo.exe"
SignTool Error: The /all option is incompatible with the /kp option.
所以我有两个问题:
- 这是一个缺陷吗(
/kp
和/all
不能一起使用)? - 是否有比调用
signtool verify
两次更好的方法,一次使用/pa /all
,一次使用/kp
来查看所有时间戳并根据内核签名策略进行验证?