如何在作为服务运行的 hudson 中正确使用signtool.exe?
我刚刚从 THAWTE 购买了代码签名证书(MSauthenticode),并且显然已将其安装在我的构建机器上。我以用户身份登录,当我打开 cmd 提示符时,我可以使用带有 Signtool.exe 的证书来签署 EXE。
不幸的是,这个命令行在机器上运行的 hudson 进程中不起作用。
我收到的错误消息是:
SignTool 错误:没有证书 发现满足所有给定的标准。
我认为这是因为 hudson 服务运行在与我从 thawte 获取证书的帐户运行signtool.exe 的帐户不同的帐户下。
所以,我的问题是:如何解决这个问题?我以为我要从 thawte 下载一个文件,但它只是使用 IE 以某种方式神奇地将证书安装在用户的缓存中。我可能想导出(或任何正确的术语)到一个可以在任何其他机器上存储/保存或使用的文件。
我该如何做到这一点以及如何使用系统/服务帐户中其他用户的文件或证书正确调用signtool?
I just purchased a code signing cert (MS authenticode) from THAWTE and have installed it apparently on my build machine. I am logged in as a user and when I open a cmd prompt I can sign EXEs using the cert with signtool.exe.
Unfortunately this same command line does not work in the hudson process that is running on the machine.
the error message I get is:
SignTool Error: No certificates were
found that met all the given criteria.
I presume this is because the hudson service is running under a different account than the account that I ran signtool.exe from and from the account I used to get the cert from thawte.
So, my question is: How do I fix this problem? I thought i was going to download a file from thawte, but instead it just used IE somehow to install the cert in the user's cache magically. I probably want to export (or whatever the correct term is) to a file that I can store/save or use on any other machine.
How do i do that and how do I call signtool correctly with either the file or the cert from another user in the system/services account?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
取自
signtool sign -h输出:让它工作有点痛苦...我能够通过将证书添加到本地计算机存储并使用 /sm 让它工作转变。
/s 开关允许您选择要使用的预定义存储。不幸的是,我找不到任何列出可用选项实际是什么的文档(@Microsoft Signtool 维护者:请记录下来!)。另一个复杂之处是很难确定 Hudson 提供对哪家商店的访问权限 - 它不是您可能期望的本地安全 hudson 帐户。
注意:从signtool 访问时,mmc 视图中列出的“个人”存储是“MY”存储。
值得庆幸的是 /sm 开关为我们提供了一张免狱卡。不幸的是,如果您的构建服务器为多个组织或部门运行作业,这将是一个安全风险。就我而言,它仅供我的团队使用,所以这不会打扰我。
Taken from
signtool sign -houtput:Getting this to work is a bit of a pain... I was able to get it to work by adding the certificates to the local machine store and using the /sm switch.
The /s switch allows you to select which pre-defined store to use. Unfortunately I can't find any documentation that lists what the available options actually are (@Microsoft signtool maintainer: please document this!). An additional complication is that it is hard to determine which store Hudson provides access to - it isn't the local security hudson account as you might expect.
Note: The "Personal" store listed in mmc views is the "MY" store when accessed from signtool.
Thankfully the /sm switch provides us with a get-out-of-jail-free card. Unfortunately this would be a security risk if your build server runs jobs for multiple organizations or departments. In my case it is only used by my group, so this doesn't bother me.
作为参考,我将在这里添加我们的经验。我们正在使用 TeamCity 构建签名的 ClickOnce 应用程序。我花了几个小时才把这件事做好,所以我希望这可以节省其他人的时间。
注意:我在 Windows 2k3 服务器上运行此程序,该服务器也是域服务器(是的,我知道)。
我们使用 来自 GoDaddy 的代码签名证书 。 CSR 是使用 Internet Explorer 生成的。因此,使用 Internet Explorer 完成颁发后,我基本上就在自己的帐户下安装了代码签名证书。
因为我需要构建服务器上的证书,所以我在 IE 中选择了:
[额外]> [互联网选项]>> [内容]>> [证书]
然后我右键单击该证书并[导出]。我勾选了[导出个人密钥]并选择了[导出所有证书]和[导出所有属性]的PFX格式(不确定是否最后一项确实有必要)。最后,指定位置后,我有了我的 Precious。
现在我已经准备好承受一些真正的痛苦了,但为了不向您透露细节,我将跳过那些令人讨厌的小问题。由于 TeamCity 在系统帐户下运行,因此我需要在构建服务器上的同一帐户下拥有此证书。因此,在构建服务器上,我调用了:
C:\>; psexec -i -s cmd
这向我抛出了一个命令行,以系统用户身份运行。现在我再次调用我生锈的IE:
C:\>; C:\Program Files (x86)\Internet Explorer\iexplore.exe
我导航到证书,我没有导出,而是选择了导入并选择我之前导出的证书。我让 Windows 选择存储它们的位置。
现在一切都已就绪,让 ClickOnce 使用证书来签署我们的应用程序。我们只需确保 ClickOnce 知道这一点。我不想将密钥文件放入代码存储库中,因此在本地 Visual Studio 的项目属性的 [Signing] 选项卡上,我勾选了 [ClickOnce 清单] 并使用[从存储中选择...]而不是[从文件中选择...]。这使我可以选择本地安装的证书。就在那一刻,VS 创建了一个属性这是让它在构建服务器上运行的最重要的事情。
请注意,我还添加了一个时间戳服务器,它不是必需的,但强烈建议用于签名软件。否则,当您的证书过期时,您的软件可能会停止验证。对于 GoDaddy,时间服务器为 http://tsa.starfieldtech.com。
另请注意,我尚未签署程序集。只是告诉您这是可能的。
现在,构建服务器将获取项目文件和新的 ManifestCertificateThumbprint 属性,并将其提供给 SignTool 任务。为了让该程序运行,我必须将signtool.exe从C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin复制到构建上的同一位置服务器。
严重令人讨厌的调试已进入找出签名工具无法工作的原因。我拿出了诸如 ProcMon 和 Process Explorer 找出哪些命令行正在请求哪些注册表项。我重新创建了 SignTool 调用的实际命令行,并使用这些工具观察了效果。
最后,经过大量的紧张开发和系统管理员的痛苦,我能够部署我们签名的 ClickOnce 应用程序。干杯!
For reference purposes, I'll add our experiences here. We are using TeamCity to build a signed ClickOnce app. It took me several hours to get this right, so I hope this saves someone else some time.
Note: I'm running this on a Windows 2k3 server which is also a domain server (yeah, I know).
We use a Code Signing Certificate from GoDaddy. The CSR was generated with Internet Explorer. So completing the issueing with Internet Explorer, I basically ended up with the Code Signing Certificate installed under my own account.
Because I needed the certificate on the build server, I picked in IE:
[Extra] > [Internet Options] > [Content] > [Certificates]
Then I right-clicked the certificate and [Export]'ed. I ticked [Export personal key] and chose the PFX format with [Export all certificates] and [Export all properties] on (not sure if that last one is really necessary). Finally, after specifying the location, I had my Precious.
Now I was ready for some real pain, but to spare you the details, I'll skip the nasty hickups. As TeamCity was running under the System account, I needed to have this certificate on our build server under that very same account. So on the build server, I invoked:
C:\> psexec -i -s cmd
That threw a command line at me, running as the System user. Now I called my rusty IE again:
C:\> C:\Program Files (x86)\Internet Explorer\iexplore.exe
I navigated my way to the certificates, and instead of exporting, I chose Import and selected the certificate that I earlier exported. I let Windows choose where to store them.
Now everything was in place to have ClickOnce use the certificate to sign our app. We just had to make sure that ClickOnce knew about it. I did not want to put our key file in a code repository, so in my local Visual Studio on the [Signing] tab of the Project properties, I ticked [ClickOnce manifests] and used [Select from Store...] instead of [Select from File...]. This allowed me to pick my locally installed certificate. At that very moment, VS created a property <ManifestCertificateThumbprint> which is the single most important thing in getting this to run on the build server.
Note that I also added a Timestamp server which is not obligated, but strongly advised for signing software. Otherwise, your software might stop validating when your certificate expires. For GoDaddy, the time server is http://tsa.starfieldtech.com.
Also note that I did not Sign the assembly (yet). Just telling so you know that this is possible.
Now the build server would pick up the project file and the fresh ManifestCertificateThumbprint property, and feed it to the SignTool task. In order to get that one running, I had to copy over signtool.exe from C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin to the same location on the build server.
Serious nasty debugging has gone into figuring out why the signtool was not working. I pulled out tools like ProcMon and Process Explorer to find out which registry keys were being requested by which command lines. I recreated the actual command line invoked by the SignTool, and watched the effects with those tools.
Finally, after a lot of intense development and sysadmin pain, I was able to deploy our signed ClickOnce app. Cheers!
这现在有点旧了,但我刚刚遇到了一个类似的问题,我认为值得记录下来。
我有一个在 Win2008R2 上运行的 Jenkins CI 服务器作为服务,在运行作业时找不到证书,但我可以手动在同一台计算机上签署任何内容。
问题是 Jenkins 服务作为本地计算机运行 - 所以我认为使用上面的答案是可行的。
同样的错误。
/a也没有做任何事情。我通过创建用户“Jenkins”作为管理员组成员、以用户“Jenkins”运行服务、以 Jenkins 用户身份登录并在用户存储中安装证书来使其正常工作。
是的,我确实安装了本地机器存储的证书。我什至通过使用 mmc 并添加服务帐户 - Jenkins 商店来确认服务商店拥有证书。
This is a bit old now but I just had a similar problem that is worth documenting I thought.
I have a Jenkins CI server running on Win2008R2 as service that couldn't find a the certificate when running a job, but manually I could sign anything on the same machine.
The problem was that the Jenkins service was running as Local Machine - so I thought that using the above answer would work.
Same error.
/adidn't do anything either.I got it working by creating a user 'Jenkins' as Administrators group member, running the service as the user 'Jenkins', logging in as Jenkins user and installing the certificate in the user store.
Yes, I did install the certificate as to the local machine store. I even confirmed that the service store had the certificate by using
mmcand adding the Service Account - Jenkins store.我认为这是一个很容易解决的问题。相反,它正在变成一场希腊悲剧。
提供商 Thawte 显然认为要求所有证书操作发生在发起请求的同一台计算机和浏览器上是有用的。不幸的是,就我而言,我是在 Windows7 机器上完成的。由于 MS 的一些废话,这意味着当我获得证书时,我无法使用私钥导出它。这只能在 Win2000 和 XP 上实现。因此,我需要使用一个已有 7 年历史的操作系统来为我的业务做一些基本的事情。这是令人兴奋的。
事实证明,现在我正在等待证书的第三个请求得到满足。
I thought this would be a simple issue to resolve. Instead, it is turning into a greek tragedy.
The provider, Thawte, apparently thinks it is useful to require all certificate actions to occur on the same machine and browser that the request was initiated from. Unfortunately in my case I did it from a Windows7 machine. Due to some MS nonsense that means when I obtained the certificate I cannot export it with the private key. That is only possible on Win2000 an XP. So I need to use a 7 year old OS to do something fundamental for my business. This is mind-blowing.
It turns out that now I am waiting for the third request of the certificate to be fulfilled.
当我尝试在 Windows 上通过 Jenkins Slave 签署可执行文件时,我遇到了类似的问题。问题是,由于 jenkins 作为 Windows 从站上的服务运行,签名工具无法在个人证书存储上找到导入的证书(根据 microsoft 参考)
我从 jenkins 控制台收到以下错误:
SignTool 错误:未找到满足所有给定条件的证书。通过以下解决方法,我能够修复 jenkins 上的签名问题:
证书管理单元并添加它计算机帐户的证书确定,然后单击完成确定添加新的管理单元受信任的根证书颁发机构,右键单击“证书”->“所有任务”->“导入”导入I had a similar issue when trying to sign an executable via Jenkins slave on windows. Problem was that since jenkins was running as a service on the windows slave, the signing tool failed finding the imported certificate on the Personal Certificate store (which is supposed to be the default store picked by the signing tool according to microsoft Reference)
I was getting the following error from jenkins console:
SignTool Error: No certificates were found that met all the given criteria.With the following workaround I was able to fix the signing issue on jenkins:
Certificatessnap-in and add itComputer AccountOKand thenFinishOKTrusted Root Certificates Authorities, right-click on Certificats->All Tasks->Import