Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
682 views
in Technique[技术] by (71.8m points)

windows - signtool failing to dual sign SHA2 and SHA1 with timestamps

We need to dual sign our binaries with SHA1 and SHA2 using signtool.exe, our certificate supports 256-bit SHA2.

Using the Windows 8 SDK's signtool:

e.g.:

signtool.exe sign /as /fd sha256 /t http://timestamp.verisign.com/scripts/timstamp.dll /f "certificate.pfx" /p XXXXXXX "file.dll"

(where XXXXXXX is our password for the certificate)

fails with the cryptic error:

SignTool Error: SignedCode::Sign returned error: 0x80070057 The parameter is incorrect. SignTool Error: An error occurred while attempting to sign: file.dll

Signing without a timestamp works, signing individually as SHA1 or SHA256 works, but we need to dual sign, and imagine not having a timestamp is a no no.

I've tried the 32 and 64-bit versions of signtool.exe, tried it on a Win7 and Win8 machine, and tried playing around with the command line options but to no avail. Has anyone hit on this issue before?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I know it's a bit old, but I landed in this thread and maybe someone else will too.

It will work if you sign first with SHA1 and then with SHA256:

signtool.exe sign /f cert_file.pfx /t http://timestamp.comodoca.com/authenticode /p cert_password
signtool.exe sign /f cert_file.pfx /as /fd sha256 /tr http://timestamp.comodoca.com/rfc3161 /td sha256 /p cert_password 

It worked using the same certificate in both signatures. I used the signtool from Windows 10 SDK, don't know if it will work with previous versions.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...