Signtool stopped adding the countersignature - what happened?
I recently faced a very strange problem. Compilation of our products includes signing the kernel-mode drivers and adding a countersignature. This is done using a call to signtool, included in the DDK (now WDK):
"%DDKBASE%\6001.18000\bin\SelfSign\signtool.exe" sign /T http://timestamp.globalsign.com/scripts/timstamp.dll /ac "path-to-countercert\MSCV-GlobalSign.cer" /s SPC /n "EldoS Corporation" %1
Everything worked fine until recently, when we discovered that the countercertificate is just not added to the signed driver. signtool doesn't report any errors and silently omits the certificate. The signature itself and the main certificate chain are applied properly; it's only the countercertificate that's missing.
SignTool from the later WDK (version 7600.16385.0) works fine using the same command line.
I tried to re-register capicom.dll, which comes with the signtool in question (it resides in the same folder), but this didn't help.
I am not sure if we can use signtool from 7600.16385.0 because I have a feeling that it might break compatibility with, say, Windows 2000.
So the question is whether anybody has an idea of what might have gone wrong?
Upd: Well, it looks like 7600 signtool works fine (i.e. drivers signed with that version work fine on XP and Windows 7), so we'll go that route for now and will replace signtool with our own homemade tools in future to avoid such surprises.
Comments (1)
It is OK to use the 7600.16385.0 version of signtool. It will still work on Windows 2000.
As for the issues with the 6001.18000 version, check to see if you have multiple certificates for your company in your certificate store. The wrong one may be selected.
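The two failure modes on this page (the silent omission of the countersignature in the question, and the ambiguous certificate selection suggested in the answer) can both be caught at build time rather than discovered later. The following PowerShell wrapper is an added example, not code from the question, the answer or the WDK: it refuses to sign when more than one certificate matches the subject name, pins the chosen certificate by thumbprint with signtool's /sha1 option instead of relying on /n alone, and after signing uses the built-in Get-AuthenticodeSignature cmdlet to confirm that a timestamp countersignature is actually present. The $SignTool and $CrossCert paths are placeholders, and the subject, store and timestamp URL are taken from the question's command line.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$File,
    # Placeholders: point these at the local build environment.
    [string]$SignTool  = 'C:\path\to\signtool.exe',
    [string]$CrossCert = 'C:\path\to\countercert\MSCV-GlobalSign.cer',
    [string]$Subject   = 'EldoS Corporation',
    [string]$Timestamp = 'http://timestamp.globalsign.com/scripts/timstamp.dll'
)
$ErrorActionPreference = 'Stop'

# 1. The answer's check: does more than one certificate with a private key
#    match the /n subject in the stores signtool would search? (CurrentUser
#    stores only; the page's command line does not use /sm.)
$stores = 'Cert:\CurrentUser\SPC', 'Cert:\CurrentUser\My'
$candidates = @(foreach ($s in $stores) {
    Get-ChildItem $s -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like "*CN=$Subject*" -and $_.HasPrivateKey } |
        ForEach-Object { [pscustomobject]@{ Cert = $_; Store = (Split-Path $s -Leaf) } }
})
if ($candidates.Count -eq 0) {
    throw "No certificate with a private key matches CN=$Subject"
}
if ($candidates.Count -gt 1) {
    $candidates | ForEach-Object { $_.Cert } |
        Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Host
    throw "$($candidates.Count) certificates match '$Subject'; /n may pick the wrong one. Remove stale ones or pin by thumbprint."
}
$chosen = $candidates[0]

# 2. Sign, selecting the exact certificate by thumbprint (/sha1) in the store it
#    was found in, with the cross-certificate and timestamp from the question.
& $SignTool sign /sha1 $chosen.Cert.Thumbprint /s $chosen.Store /ac $CrossCert /t $Timestamp $File
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 3. The question's check: fail the build if the timestamp countersignature is
#    missing, instead of trusting signtool's silent success.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    throw "Signed, but no timestamp countersignature is present; do not ship this file."
}
"Signed by $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as `.\Sign-Driver.ps1 -File .\mydriver.sys` from the build script in place of the bare signtool call. The same post-sign check can be done with `signtool verify /v /pa <file>`, whose verbose output lists the timestamping certificate when one is present; the point of doing it in the build is that a missing countersignature becomes a hard failure rather than something noticed after the driver has shipped.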