How do I sign an ActiveX control with a code signing certificate and become a verified publisher?

Posted on 2024-09-01 00:11:29 | Word count: 346 | Views: 7 | Comments: 0

I'm trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe.

When I look at the file properties, it says "The certificate in the signature cannot be verified."

When I view the certificate it says "Windows does not have enough information to verify the certificate."

On the certification path tab, it says "The issuer of this certificate cannot be found."

In Internet Explorer, the certificate is recognized as signed but the user receives warnings that the publisher is not verified.

I've tried creating a single PFX file containing my certificate along with the root and intermediate certificates that chain to my Thawte developer certificate, and then re-signing the control using that PFX file. No dice.

Any suggestions?


Comments (1)

羅雙樹 2024-09-08 00:11:29

The question actually contains the correct procedure-- do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key. Also, use a timestamp server. My problem was that I had the wrong root certificate included in my PFX, so the certificate used to sign couldn't chain back to the root.

By request, here's the information about how to create the PFX file. The cert2spc and pvk2pfx that I use below are also in the platform SDK.

cert2spc certpath1.cer certpath2.cer certpath3.cer codesign.spc

Where the list of .cer files includes the root, intermediate, and code signing certificates, and codesign.spc is the output file. Then:

pvk2pfx -pvk privkey.pvk -spc codesign.spc

Running pvk2pfx in this manner starts a wizard that prompts for the private key passphrase, and the location of the output file, and the passphrase for the output file.

Finally, signtool does the actual code signing:

signtool sign /f my_certificates.pfx /p my_passphrase /t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocx

In retrospect, I might have saved time by using signcode.exe aka the Code Signing wizard (which I think is part of the .NET SDK) which uses .spc and .pvk files directly.
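
The failure described in the answer (a wrong root in the bundle, so the signing certificate cannot chain back) can be caught before running cert2spc. The following PowerShell check is an added example, not part of the original answer; it assumes the three placeholder file names from the cert2spc command sit in the current directory, and it relies only on the .NET X509Chain class.

```powershell
# Added example (not from the original answer): check the chain before bundling.
# certpath1..3.cer are the answer's placeholder names for root, intermediate, leaf.
$paths = 'certpath1.cer', 'certpath2.cer', 'certpath3.cer'
$certs = foreach ($p in $paths) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $p).Path
}

# The signing (leaf) certificate is the one that issued none of the others.
$leaf = $certs | Where-Object {
    $me = $_
    -not ($certs | Where-Object { $_.Thumbprint -ne $me.Thumbprint -and $_.Issuer -eq $me.Subject })
} | Select-Object -First 1

# Build the chain the way Windows does, offering the supplied files as candidates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure and trust only, no CRL/OCSP
foreach ($c in $certs) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$built = $chain.Build($leaf)

"Leaf:  $($leaf.Subject)"
"Build: $built"
foreach ($e in $chain.ChainElements) {
    $src = if ($certs.Thumbprint -contains $e.Certificate.Thumbprint) { 'supplied file' } else { 'not from supplied files' }
    "  {0}  [{1}]" -f $e.Certificate.Subject, $src
}
# PartialChain = an issuer is missing; UntrustedRoot = chain ends at a root Windows does not trust.
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) $($s.StatusInformation.Trim())" }

# Supplied certificates that did not end up in the chain do not belong in the PFX.
$used = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
$certs | Where-Object { $used -notcontains $_.Thumbprint } |
    ForEach-Object { "  not part of the chain: $($_.Subject)" }
```

A supplied root reported as "not part of the chain" is the mismatch the answer describes. After signing, `signtool verify /pa /v my_activex_control.ocx` reports the chain Windows actually builds for the signed file.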
