在 Docker 容器内签署可执行文件失败
Signing executables fails inside Docker container
我正在尝试使用 docker image:
使用 docker-windows
设置在 Gitlab Pipeline 中签署 .exe
和 .dll
文件
mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019
我尝试调用这些命令:
> sn.exe -R myfile.exe myKey.snk
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
在我的机器上本地执行时,文件成功签名:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Assembly 'myFile.exe' successfully re-signed
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Issued to: someone
Issued by: some-private-ca
Expires: Fri Aug 28 09:40:11 2020
SHA1 hash: hash
Done Adding Additional Store
Successfully signed: myFile.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
但是,使用强名称工具 (sn.exe
) 和 signtool.exe
都失败了:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Failed to re-sign the assembly -- Error code: 80131701
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Done Adding Additional Store
我不知道错误代码 80131701
指的是什么。
在某些情况下,人们会在 System.Runtime.InteropServices.COMException (0x80131701)
.
上收到错误代码
这可能是由于 docker 图像中缺少某些证书造成的,该证书存在于我的计算机上吗?
为了修复 sn 命令,我不得不将本地 sn.exe
文件替换为 C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe
:
> C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe -R myfile.exe myKey.snk
要修复 signtool 命令,需要在 docker 容器中导入证书:
> Set-Content myCert.pfx -Encoding Byte -Value ([System.Convert]::FromBase64String(myCert.p12))
> Import-PfxCertificate -FilePath myCert.pfx -Password (ConvertTo-SecureString -String myPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root
> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
> $cert.Import(myCert.pfx, myPassword, 'DefaultKeySet')
> Set-AuthenticodeSignature -Cert myCert.pfx -TimeStampServer http://sha256timestamp.ws.symantec.com/sha256/timestamp -FilePath myFile.exe -HashAlgorithm SHA256
我正在尝试使用 docker image:
使用 docker-windows
设置在 Gitlab Pipeline 中签署 .exe
和 .dll
文件
mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019
我尝试调用这些命令:
> sn.exe -R myfile.exe myKey.snk
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
在我的机器上本地执行时,文件成功签名:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Assembly 'myFile.exe' successfully re-signed
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Issued to: someone
Issued by: some-private-ca
Expires: Fri Aug 28 09:40:11 2020
SHA1 hash: hash
Done Adding Additional Store
Successfully signed: myFile.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
但是,使用强名称工具 (sn.exe
) 和 signtool.exe
都失败了:
> sn.exe -R myfile.exe myKey.snk
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Failed to re-sign the assembly -- Error code: 80131701
> signtool.exe sign /v /f myCert.p12 /p myPassword /fd sha256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /td sha256 myFile.exe
The following certificate was selected:
Done Adding Additional Store
我不知道错误代码 80131701
指的是什么。
在某些情况下,人们会在 System.Runtime.InteropServices.COMException (0x80131701)
.
这可能是由于 docker 图像中缺少某些证书造成的,该证书存在于我的计算机上吗?
为了修复 sn 命令,我不得不将本地 sn.exe
文件替换为 C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe
:
> C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe -R myfile.exe myKey.snk
要修复 signtool 命令,需要在 docker 容器中导入证书:
> Set-Content myCert.pfx -Encoding Byte -Value ([System.Convert]::FromBase64String(myCert.p12))
> Import-PfxCertificate -FilePath myCert.pfx -Password (ConvertTo-SecureString -String myPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root
> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
> $cert.Import(myCert.pfx, myPassword, 'DefaultKeySet')
> Set-AuthenticodeSignature -Cert myCert.pfx -TimeStampServer http://sha256timestamp.ws.symantec.com/sha256/timestamp -FilePath myFile.exe -HashAlgorithm SHA256