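I'm having trouble creating a detached PKCS#7 signature of a Zip file using Windows' signtool.exe.
I managed to sign an exe file with an embedded signature, but I'm struggling with the command to create a detached signature for a Zip file. I may be missing something obvious.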
PS C:\somewhere> Get-ChildItem -path cert:\LocalMachine\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
0ABCD...01234 CN=my-signing-cert.example.com, OU=(obfuscated), O=(obfuscated)...
PS C:\somewhere> & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /debug /v /tr http://timestamp.digicert.com /fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData /p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\test-tiny-zip-file.zip.sig" "C:\somewhere\test-zip-file.zip"
The following certificates were considered:
Issued to: my-signing-cert.example.com
Issued by: my-ca-cert.example.com
Expires: Wed Mar 23 15:33:34 2022
SHA1 hash: 0ABCD...01234
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Hash filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
Issued to: my-signing-cert.example.com
Issued by: my-ca-cert.example.com
Expires: Wed Mar 23 15:33:34 2022
SHA1 hash: 0ABCD...01234
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
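Error information: "Error: pkcs7 sign." (-2147024893/0x80070003)
Posted on 2021-09-09 19:16:03
The problem is in the /p7 parameter. It takes a path to a folder, not to a file.
/p7 Path: Specifies that a Public Key Cryptography Standards (PKCS) #7 file is produced for each specified content file. PKCS #7 files are named path\filename.p7.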
Also:
The RFC parameter /p7ce can have one of the following two values: for the detached signature.
DetachedSignedData and pkcs7DetachedSignedData take the value 1.2.840.113549.1.7.2, which maps to DetachedSignedData
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" `
sign /debug /v /tr http://timestamp.digicert.com `
/fd sha256 /sha1 0ABCD...01234 /sm /p7ce DetachedSignedData `
/p7co 1.2.840.113549.1.7.2 /p7 "C:\somewhere\" `
"C:\somewhere\test-zip-file.zip"
https://stackoverflow.com/questions/69123657
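One way to confirm the result once the corrected command has run, as an added example that is not part of the original question or answer: it checks that the /p7 argument is a folder, looks for the signature at path\filename.p7, and verifies it as a detached signature over the zip with .NET's SignedCms. The function name Test-DetachedP7 is hypothetical, and the code assumes Windows PowerShell 5.1, that "filename" keeps the .zip extension, and that signtool's output is standard CMS SignedData computed over the raw file bytes.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security   # SignedCms lives in this assembly on .NET Framework

function Test-DetachedP7 {               # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ContentFile,  # the file that was signed (the zip)
        [Parameter(Mandatory)] [string] $P7Folder      # the value that was passed to /p7
    )
    # /p7 must name an existing folder; the failing command in the question passed a file path.
    if (-not (Test-Path -LiteralPath $P7Folder -PathType Container)) {
        throw "/p7 target '$P7Folder' is not an existing folder"
    }
    # Assumption: "path\filename.p7" means the content file's leaf name plus ".p7".
    $sigPath = Join-Path $P7Folder ((Split-Path -Leaf $ContentFile) + '.p7')
    if (-not (Test-Path -LiteralPath $sigPath -PathType Leaf)) {
        throw "expected signature file '$sigPath' not found"
    }

    # Resolve to full paths: .NET file APIs use the process directory, not the PS location.
    $content = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $ContentFile).ProviderPath)
    $sig     = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $sigPath).ProviderPath)

    $info = [System.Security.Cryptography.Pkcs.ContentInfo]::new($content)
    $cms  = [System.Security.Cryptography.Pkcs.SignedCms]::new($info, $true)  # $true = detached
    $cms.Decode($sig)

    # $false = verify the signature AND build/validate the signer's certificate chain.
    # Throws CryptographicException if the zip was modified or the chain is not trusted.
    $cms.CheckSignature($false)

    foreach ($s in $cms.SignerInfos) {
        [pscustomobject]@{
            Signature  = $sigPath
            Subject    = $s.Certificate.Subject
            Thumbprint = $s.Certificate.Thumbprint
            Digest     = $s.DigestAlgorithm.FriendlyName
        }
    }
}

# Paths taken from the question; run after signing.
Test-DetachedP7 -ContentFile 'C:\somewhere\test-zip-file.zip' -P7Folder 'C:\somewhere\'
```

A thumbprint in the output that differs from the one passed to /sha1, or an exception from CheckSignature, means the .p7 does not match the zip that is about to be distributed.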