我正在编写一个自定义的CNG提供程序(密钥存储提供程序),以允许使用我们的私有HSM API在Signtool.exe中进行签名。
我在我的CNG提供程序中实现了API,并已成功安装在我的Windows 10系统中。
命令:
signtool.exe sign /v /debug /f cert.cer /csp "Sample Key Storage Provider" /k "keyid" /t http://timestamp.digicert.com /fd sha256 helloworld.exe
Signtool.exe返回代码0,但最终未将任何签名添加到文件中。
验证输出:
signtool.exe verify /v /pa helloworld.exe
Verifying: helloworld.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha256): 3338A11DDAB9CBB7B39E65C30F235C2DF8EDE17BB5BE759A3213D25EC286F390
Signing Certificate Chain:
Issued to: Sample Certificate Authority
Issued by: Sample Certificate Authority
Expires: Fri Feb 07 21:37:36 2070
SHA1 hash: 2B5B37DADFCBD018BDB2789176A69708FFCA25E0
Issued to: Sample test certificate
Issued by: Sample Certificate Authority
Expires: Thu May 28 13:40:10 2020
SHA1 hash: A679DF5E89B9C23E57E89AEB434CA98230F52DC3
The signature is timestamped: Sun Mar 29 16:44:01 2020
Timestamp Verified by:
Issued to: DigiCert Assured ID Root CA
Issued by: DigiCert Assured ID Root CA
Expires: Sun Nov 09 17:00:00 2031
SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Issued to: DigiCert SHA2 Assured ID Timestamping CA
Issued by: DigiCert Assured ID Root CA
Expires: Tue Jan 07 05:00:00 2031
SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
Issued to: TIMESTAMP-SHA256-2019-10-15
Issued by: DigiCert SHA2 Assured ID Timestamping CA
Expires: Wed Oct 16 17:00:00 2030
SHA1 hash: 0325BD505EDA96302DC22F4FA01E4C28BE2834C5
SignTool Error: No signature found.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
然而,当我查看文件属性中的数字签名选项卡时,确实显示了一条记录。当我选择该条目时,它会显示“主体中没有签名”。在这里我漏掉了什么?
pbSignature的一部分进行编写(请参见 https://learn.microsoft.com/en-us/windows/win32/api/ncrypt/nf-ncrypt-ncryptsignhash)。相反,我提供了一个新的内存地址来存储签名。Signtool可能会抱怨我返回了一个新地址而不是编写签名,但它没有这样做。 - GAR