Read multiple signatures from executable

I am trying to write code that reads the signatures (certificates) from a DLL or EXE. Most DLLs or EXEs have only one signature, and my code correctly reads all certificates associated with that signature. More specifically, it reads the signing certificate, its issuer (not the root), the countersigning certificate (with the timestamp) and its issuer (not the root). I have 2 sample programs, in C++ and C#, and both return the same certificates. Here is the C# code; the C++ one is 100 times longer :)

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
class Program
{
    static void Main(string[] args)
    {
        X509Certificate2Collection collection = new X509Certificate2Collection();
        collection.Import(args[0]); // loads the certificates from the file's (first) Authenticode signature
        foreach (X509Certificate2 cert in collection)
            Console.WriteLine(cert.Subject);
    }
}
```

But there are also DLLs with 2 signatures, as shown in the file's Properties / Digital Signatures tab, e.g. C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\MSVCR71.DLL:
For this DLL my code reads only the certificates associated with the first signature.

I have also tried signtool, and it returns the same information as my code: the first cert (with its chain) and the countersignature (with its chain). But note the error at the end.
```
C:\Windows>signtool verify /d /v "C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\msvcr71.dll"
Verifying: C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn\msvcr71.dll
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 33BBCCF6326276B413A1ECED1BF7842A6D1DDA07
Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires: Sun May 09 19:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Certificate Authority
        Expires: Wed Jan 25 19:32:32 2017
        SHA1 hash: FDD1314ED3268A95E198603BA8316FA63CBCD82D
            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires: Fri Feb 01 18:49:17 2013
            SHA1 hash: 8849D1C0F147A3C8327B4038783AEC3E06C76F5B
The signature is timestamped: Sat Feb 11 14:03:12 2012
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires: Sun May 09 19:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires: Sat Apr 03 09:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF
            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires: Thu Oct 25 16:42:17 2012
            SHA1 hash: FC33104FAE31FB538749D5F2D17FA0ECB819EAE5
SignTool Error: The signing certificate is not valid for the requested usage.
This error sometimes means that you are using the wrong verification
policy. Consider using the /pa option.
Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1
```
I have 2 questions:
- What is the purpose of the second signature?
- How can I read it (so far only the Windows Explorer file properties dialog can show it)?

Thanks!
The reason you see those dual signatures is that [Microsoft is deprecating](http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx) SHA-1 signatures because of SHA-1's [insufficient collision resistance](http://crypto.stackexchange.com/questions/845/what-is-wrong-with-using-sha1-in-digital-signatures-why-is-a-robust-hash-functi). They are left in today for backward compatibility. – ahmd0
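As an added example (not code from the question or its commenters), the second signature can be reached without signtool: Windows stores each additional Authenticode signature as a value of the unsigned attribute 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE) on the primary signer, so once the PKCS#7 blob is pulled out of the PE security directory, SignedCms can walk the whole chain. It assumes .NET with System.Security.Cryptography.Pkcs and a well-formed PE32/PE32+ file; the header offsets follow the PE/COFF specification.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.Pkcs;

static class NestedSignatures
{
    // Unsigned attribute under which Windows stores additional (nested) Authenticode signatures.
    const string NestedSignatureOid = "1.3.6.1.4.1.311.2.4.1";

    // Returns the PKCS#7 SignedData from the PE security directory (data directory #4), or null if unsigned.
    public static byte[] ReadAuthenticodeBlob(string path)
    {
        byte[] pe = File.ReadAllBytes(path);
        int optHeader = BitConverter.ToInt32(pe, 0x3C) + 24;             // e_lfanew + "PE\0\0" + COFF header
        bool pe32Plus = BitConverter.ToUInt16(pe, optHeader) == 0x20B;   // optional header magic
        int dirEntry = optHeader + (pe32Plus ? 112 : 96) + 4 * 8;        // security directory entry
        int certOffset = BitConverter.ToInt32(pe, dirEntry);            // a raw file offset, not an RVA
        if (certOffset == 0 || BitConverter.ToInt32(pe, dirEntry + 4) == 0) return null;
        int length = BitConverter.ToInt32(pe, certOffset) - 8;          // WIN_CERTIFICATE.dwLength minus its header
        byte[] blob = new byte[length];
        Array.Copy(pe, certOffset + 8, blob, 0, length);                // skip dwLength, wRevision, wCertificateType
        return blob;                                                    // SignedCms.Decode ignores the 8-byte padding
    }

    // Decodes the primary signature, then recursively every signature nested in its unsigned attributes.
    public static List<SignedCms> Walk(byte[] pkcs7)
    {
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        var all = new List<SignedCms> { cms };
        foreach (CryptographicAttributeObject attr in cms.SignerInfos[0].UnsignedAttributes)
            if (attr.Oid.Value == NestedSignatureOid)
                foreach (AsnEncodedData nested in attr.Values)          // each value is a full SignedData
                    all.AddRange(Walk(nested.RawData));
        return all;
    }

    static void Main(string[] args)
    {
        byte[] blob = ReadAuthenticodeBlob(args[0]) ?? throw new InvalidDataException("file is not signed");
        List<SignedCms> sigs = Walk(blob);
        for (int i = 0; i < sigs.Count; i++)
        {
            SignerInfo s = sigs[i].SignerInfos[0];
            Console.WriteLine($"Signature {i}: digest={s.DigestAlgorithm.FriendlyName}, signer={s.Certificate?.Subject}");
        }
    }
}
```

On a dual-signed binary index 0 is the outer (SHA-1) signature that X509Certificate2Collection.Import and the default signtool policy see, and index 1 is the nested SHA-256 one; the countersignature (timestamp) of each lives in that signer's own unsigned attributes.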