如何在没有 signtool.exe 的情况下创建 .vbs 签名?
How to create a .vbs signature without signtool.exe?
引用 jsign bug report related How to validate authenticode for Javascript in C#.
I've played a bit with VBScript and JScript files, it looks like the hashing method is different from the PowerShell scripts. For PowerShell the content is converted to UTF-16LE before being hashed. For VB and JS it doesn't work, the hash generated differs from the one computed by signtool. I tried various encodings (UTF-8, UTF-16BE, UTF-32BE/LE, with or without byte order marks) but it still doesn't match.
如何在没有 signtool.exe(并且没有任何专有 and/or Microsoft 工具的情况下创建 .vbs 签名块?)
编辑:
到目前为止,我观察到以下内容:
- 默认情况下,
signtool.exe 使用 SHA-1 签名。可以使用 /fd sha256 强制使用 SHA-256 签名
- 默认情况下,JSign 将 some additional properties 添加到签名中,这会导致签名完全匹配。
供参考,这是使用 signtool.exe 时最终产品签名通常的样子。
'' SIG '' Begin signature block
'' SIG '' MIIM4AYJKoZIhvcNAQcCoIIM0TCCDM0CAQExCzAJBgUr
' ... (a bunch of bas64 data) ...
'' SIG '' cSu0HJyT7v9OctFKlKj7aCB6JHPrR0il9GFdoZrQFNuU
'' SIG '' End signature block
此签名的目的是允许 Windows 验证文件的发布者。它不是一个有据可查的标准,但可以在 .
中找到
现代用途可能包括 运行 .vbs 文件作为独立脚本或作为应用程序的一部分。利用 Windows' 内置验证机制为需要它的环境的脚本添加了一层信任。
引用 Don Jones 的第 28 章 "Managing Windows with VBScript and WMI."
Running Only Signed Scripts
If you don't want to mess around with software restriction policies, you can also rely on WSH's own built-in form of security policy. This policy allows you to specify that only signed scripts will be run; unsigned scripts won't be. This is probably the easiest and most effective way to prevent most unauthorized scripts.
数字签名非常普遍,因此我们不应受到 signtool.exe.
等封闭源实用程序的限制
引用 bug 中 JSign 的作者 Emmanuel Bourg 的话启发了这个问题:
I got it, the script is indeed hashed in UTF-16LE, but the size of the unsigned file encoded as a 4 bytes little endian integer is added to the hash.
因此,常见的哈希算法将针对 hashable content(SHA-1、SHA-256),但为了传递 WinVerifyTrust,额外的 4 个字节需要添加到散列数据中。
引用 jsign bug report related How to validate authenticode for Javascript in C#.
I've played a bit with VBScript and JScript files, it looks like the hashing method is different from the PowerShell scripts. For PowerShell the content is converted to
UTF-16LEbefore being hashed. For VB and JS it doesn't work, the hash generated differs from the one computed by signtool. I tried various encodings (UTF-8,UTF-16BE,UTF-32BE/LE, with or without byte order marks) but it still doesn't match.
如何在没有 signtool.exe(并且没有任何专有 and/or Microsoft 工具的情况下创建 .vbs 签名块?)
编辑:
到目前为止,我观察到以下内容:
- 默认情况下,
signtool.exe使用 SHA-1 签名。可以使用/fd sha256 强制使用 SHA-256 签名
- 默认情况下,JSign 将 some additional properties 添加到签名中,这会导致签名完全匹配。
供参考,这是使用 signtool.exe 时最终产品签名通常的样子。
'' SIG '' Begin signature block
'' SIG '' MIIM4AYJKoZIhvcNAQcCoIIM0TCCDM0CAQExCzAJBgUr
' ... (a bunch of bas64 data) ...
'' SIG '' cSu0HJyT7v9OctFKlKj7aCB6JHPrR0il9GFdoZrQFNuU
'' SIG '' End signature block
此签名的目的是允许 Windows 验证文件的发布者。它不是一个有据可查的标准,但可以在
现代用途可能包括 运行 .vbs 文件作为独立脚本或作为应用程序的一部分。利用 Windows' 内置验证机制为需要它的环境的脚本添加了一层信任。
引用 Don Jones 的第 28 章 "Managing Windows with VBScript and WMI."
Running Only Signed Scripts
If you don't want to mess around with software restriction policies, you can also rely on WSH's own built-in form of security policy. This policy allows you to specify that only signed scripts will be run; unsigned scripts won't be. This is probably the easiest and most effective way to prevent most unauthorized scripts.
数字签名非常普遍,因此我们不应受到 signtool.exe.
引用 bug 中 JSign 的作者 Emmanuel Bourg 的话启发了这个问题:
I got it, the script is indeed hashed in
UTF-16LE, but the size of the unsigned file encoded as a 4 bytes little endian integer is added to the hash.
因此,常见的哈希算法将针对 hashable content(SHA-1、SHA-256),但为了传递 WinVerifyTrust,额外的 4 个字节需要添加到散列数据中。