I can't use my code certificate to sign my .exe file (EKU filter)

I created the code certificate using the following:

$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -dnsname testcert.test.io
$cert

$secPassword = ConvertTo-SecureString -String 'password1234' -Force -AsPlainText

# Path separator added between the store and the thumbprint
$certPath = "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath C:\selfcert.pfx -Password $secPassword

I am trying to use it to sign my .exe:

"C:\Program Files (x86)\Windows Kits\bin.0.19041.0\x86\signtool.exe" sign /debug /f "C:\selfcert.pfx" /p password1234 "A:\mysoft\sign\myexe.EXE"

The debug output shows this:

The following certificates were considered:
    Issued to: testcert.test.io
    Issued by: testcert.test.io
    Expires:   Fri Aug 12 15:25:13 2022
    SHA1 hash: 0CDA91D628CA855B49FA1CB8DFD0F53C121BEB27

After EKU filter, 0 certs were left.
After expiry filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

Running certmgr shows my certificate under Personal > Certificates as testcert.test.io (because of the dnsname, I suppose).

I think (this is my first time trying to sign an .exe, so I might be wrong) this means my certificate does not pass the EKU filter; afaik the EKU filter means being listed as a trusted certificate (I'm not sure about that).

What am I doing wrong? Or what am I missing?

You need a Code Signing certificate, meaning one that has an Extended Key Usage (EKU) containing the code signing object identifier (OID).

$ku_codeSigning = "1.3.6.1.5.5.7.3.3";

# $subCaCert is the intermediate CA certificate created further down
$codeSignCert = New-SelfSignedCertificate `
    -Type "CodeSigningCert" `
    -KeyExportPolicy "Exportable" `
    -Subject "..." `
    -KeyUsageProperty @("Sign") `
    -KeyUsage @("DigitalSignature") `
    -TextExtension @("2.5.29.37={text}$($ku_codeSigning)", "2.5.29.19={text}false") `
    -CertStoreLocation cert:\CurrentUser\My `
    -KeyLength 2048 `
    -NotAfter ([DateTime]::Now.AddDays(90)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -Signer $subCaCert;

The -Signer parameter is used to create a trust chain consisting of a root and a sub CA certificate.

$rootCaCert = New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -KeyUsageProperty "All" `
    -KeyUsage @("CertSign", "CrlSign") `
    -Subject "My Fake Root CA" `
    -CertStoreLocation cert:\LocalMachine\My `
    -NotAfter ([DateTime]::Now.AddYears(20)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -TextExtension @("2.5.29.19={text}cA=true&pathLength=1");

$subCaCert = New-SelfSignedCertificate `
    -Type "Custom" `
    -KeyExportPolicy "Exportable" `
    -KeyUsageProperty "All" `
    -KeyUsage @("CertSign", "CrlSign") `
    -Subject "My Fake Sub CA" `
    -CertStoreLocation cert:\LocalMachine\My `
    -NotAfter ([DateTime]::Now.AddYears(5)) `
    -Provider "Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -TextExtension @("2.5.29.19={text}cA=true&pathLength=0") `
    -Signer $rootCaCert;
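As an added example (not part of the question or the answer above), the following PowerShell function reproduces the three filters signtool reports in its debug output (EKU, expiry, private key) over a certificate store, so you can see before signing which certificate would survive them. The function name and its parameters are assumptions for this example; the code signing OID 1.3.6.1.5.5.7.3.3 is the one from the answer.

```powershell
# Added example: pre-check certificates against signtool's EKU / expiry /
# private-key filters. Function and parameter names are assumptions.
function Test-CodeSigningCandidate {
    param(
        [string]$StoreLocation = 'Cert:\CurrentUser\My',
        [string]$SubjectFilter = '*'
    )
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
    $ekuExtensionOid = '2.5.29.37'          # extKeyUsage extension
    $now = Get-Date

    Get-ChildItem $StoreLocation |
        Where-Object { $_.Subject -like $SubjectFilter } |
        ForEach-Object {
            $cert = $_
            # EKU filter: the cert must list code signing among its EKUs.
            # A cert created without -Type gets Server/Client Authentication
            # only, which is exactly the question's "0 certs were left".
            $ekuPresent = $null -ne ($cert.Extensions |
                Where-Object { $_.Oid.Value -eq $ekuExtensionOid })
            $listsCodeSigning = $null -ne ($cert.EnhancedKeyUsageList |
                Where-Object { $_.ObjectId -eq $codeSigningOid })
            # Assumption: no EKU extension at all means "any purpose"
            # (RFC 5280 semantics), so only an explicit EKU list without
            # code signing is treated as failing the filter.
            $passesEku = (-not $ekuPresent) -or $listsCodeSigning

            # Expiry filter: the current time must fall inside the validity period.
            $passesExpiry = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

            # Private key filter: signing needs the private key in the store,
            # not just the public certificate.
            [pscustomobject]@{
                Subject          = $cert.Subject
                Thumbprint       = $cert.Thumbprint
                Expires          = $cert.NotAfter
                ListsCodeSigning = $listsCodeSigning
                PassesEku        = $passesEku
                PassesExpiry     = $passesExpiry
                HasPrivateKey    = $cert.HasPrivateKey
                WouldSign        = $passesEku -and $passesExpiry -and $cert.HasPrivateKey
            }
        }
}

# Show every certificate in the user's personal store and which filter it fails.
Test-CodeSigningCandidate | Format-Table -AutoSize
```

A row with WouldSign set to False pinpoints which filter rejects the certificate; for the question's self-signed certificate it is PassesEku, because New-SelfSignedCertificate without -Type "CodeSigningCert" emits no code signing EKU.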