对于Thawte证书，不能验证签名中的证书。

Question

我需要用存储在Application.exe中的证书对company.pfx文件进行签名。所以，我用了签名工具：

signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

路标工具说没有错误。但是在数字签名细节中有一条消息：“签名中的证书不能被验证”。也没有认证途径。

详细地说，有一个属性"Extended“，上面写着”吊销状态:由于吊销服务器离线，吊销函数无法检查吊销。“

Application.exe图像

为了研究这个问题，我在应用程序上使用了sigcheck (-a密钥)，它说：“已验证:不能将证书链构建到受信任的根权威。”

然后，我已经将pfx文件导入到临时存储库中，并且该证书似乎没有问题。

证书图像

我搜索了关于我的主题的堆叠溢出，并找到了一些链接，这是有帮助的。

如何使用我的证书链创建PFX？

如何使用代码签名证书对ActiveX控件进行签名，并使其成为经过验证的发布服务器？

解决方案是从pfx中提取证书(使用OpenSSL)，并使用/ac参数应用它。

openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password  /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Cross certificate chain (using machine store):
    Issued to: thawte Primary Root CA
    Issued by: thawte Primary Root CA
    Expires:   Thu Jul 17 02:59:59 2036
    SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81

        Issued to: Thawte Code Signing CA - G2
        Issued by: thawte Primary Root CA
        Expires:   Sat Feb 08 02:59:59 2020
        SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7

            Issued to: Company, Inc.
            Issued by: Thawte Code Signing CA - G2
            Expires:   Wed Aug 27 02:59:59 2014
            SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: Application.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

现在数字安全细节中的信息是“数字签名是可以的”。

但是我不明白为什么我需要使用/ac参数。有人有什么想法吗？

编辑。

我已经用/ac验证了应用程序的第一个版本(没有Application.exe )，它给了我更多的信息：

signtool.exe verify /v /kp Application.exe

Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7

Signing Certificate Chain:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: WinVerifyTrust returned error: 0x800B010A
        A certificate chain could not be built to a trusted root authority.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

“无法将证书链构建到受信任的根授权机构。”但是为什么呢？

Answer 1

我找到了一篇关于使用Thawte证书签名文件的文章：http://codingexpedition.wordpress.com/2011/04/21/thawte-code-signing-pfx/

似乎总是需要/ac签名工具选项。因此，我已经将Thawte证书提取到.cer文件中，并使用/ac参数应用它。

openssl pkcs12 -in company.pfx -out company_ca.pem -nokeys -cacerts
openssl x509 -in company_ca.pem -out company_ca.cer -outform DER
signtool sign /ac company_ca.cer /p password /f company.pfx /t timeserver /v Application.exe

而且效果很好！

Answer 2

它看起来像是使用了一个旧版本的

C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe 

也解决了这个问题。

Answer 3

此问题可能是由于缺少中间证书造成的。比较两台机器中的证书(通过双击同一台机器)并观察证书路径选项卡。如果缺少任何中间证书节点，则从旧机器导出相同的证书并将其导入到新机器上。