Open the Visual Studio developer command prompt and run the following commands (makecert is deprecated; New-SelfSignedCertificate, shown further down, is the supported replacement):
makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer
makecert -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer
pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx -po fess
Here fess is the PFX password. Any value works, but it is all that protects the private key inside MySPC.pfx, so use a real one and keep the .pfx and .pvk files out of source control.
signtool sign /debug /f MySPC.pfx -p fess /fd SHA256 /t http://timestamp.digicert.com auto-excel.exe
/t requests a legacy Authenticode timestamp; /tr http://timestamp.digicert.com /td SHA256 requests an RFC 3161 timestamp instead. The signature only verifies on machines that trust MyCA.cer (import it into Trusted Root Certification Authorities there); check the result with signtool verify /pa /v auto-excel.exe.
--------------------------------------------------------------------------------------------------------------------------
Below are fragments gathered from web searches, kept here for now; they may be useful later.
-------------------------------------------------------------------------------------------------------------------------
To generate a pfx certificate you can use the Certificates snap-in in the Microsoft Management Console (MMC). Steps:
Open MMC and click File > Add/Remove Snap-in.
In the list of available snap-ins select Certificates, then click Add.
Select Computer account, then click Next.
Select Local computer, then click Finish.
Click OK to close the Add/Remove Snap-in dialog.
In MMC expand Certificates (Local Computer) > Personal > Certificates, right-click in the empty area and choose All Tasks > Request New Certificate.
In the Certificate Enrollment wizard click Next, then choose the information to include in the certificate.
On the cryptographic algorithm page choose the algorithm you want, then click Next.
On the name and security settings page give the certificate a name and choose whether the private key should be exportable (it must be, or you cannot export a .pfx later). Then click Next.
On the summary page confirm that the settings are correct, then click Finish.
This places the certificate in the machine's Personal store, from where it can be exported as a .pfx and used to sign code or other files. Caveat: Request New Certificate enrolls against a certificate template published by an enterprise CA (AD CS) on the domain; it does not create a self-signed certificate, so on a stand-alone machine use makecert (above) or New-SelfSignedCertificate (below) instead.
signtool sign /f certificate.pfx -p cm6860498 /t http://timestamp.digicert.com auto-excel.exe
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.pem -in cert.pem
(builds a PFX from a PEM private key and certificate; the export password it prompts for is the value signtool's -p must match)
d:\code\build-auto-excel-Desktop_Qt_5_15_2_MinGW_32_bit-Debug
signtool sign /debug /f certificate.pfx -p cm6860498 /fd SHA256 auto-excel.exe
certmgr.msc (opens the current user's certificate store directly)
You need a code-signing certificate, meaning one whose Extended Key Usage (EKU) extension contains the code-signing Object Identifier (OID) 1.3.6.1.5.5.7.3.3; signtool will not pick a certificate without it. The -Signer argument of New-SelfSignedCertificate is what builds a trust chain of root CA, sub CA and leaf, so the CA certificates must be created before the leaf that references them. Writing to cert:\LocalMachine\My requires an elevated PowerShell.
# 1. Root CA (LocalMachine\My, 20 years, may issue one level of sub CA)
$rootCaCert = New-SelfSignedCertificate `
-Type "Custom" `
-KeyExportPolicy "Exportable" `
-KeyUsageProperty "All" `
-KeyUsage @("CertSign", "CrlSign") `
-Subject "My Fake Root CA" `
-CertStoreLocation cert:\LocalMachine\My `
-NotAfter ([DateTime]::Now.AddYears(20)) `
-Provider "Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-TextExtension @("2.5.29.19={text}cA=true&pathLength=1");
# 2. Sub CA signed by the root (pathLength=0: it may only issue end-entity certificates)
$subCaCert = New-SelfSignedCertificate `
-Type "Custom" `
-KeyExportPolicy "Exportable" `
-KeyUsageProperty "All" `
-KeyUsage @("CertSign", "CrlSign") `
-Subject "My Fake Sub CA" `
-CertStoreLocation cert:\LocalMachine\My `
-NotAfter ([DateTime]::Now.AddYears(5)) `
-Provider "Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-TextExtension @("2.5.29.19={text}cA=true&pathLength=0") `
-Signer $rootCaCert;
# 3. Code-signing leaf signed by the sub CA (EKU 2.5.29.37 = codeSigning, basicConstraints 2.5.29.19 = not a CA)
$ku_codeSigning = "1.3.6.1.5.5.7.3.3";
$codeSignCert = New-SelfSignedCertificate `
-Type "CodeSigningCert" `
-KeyExportPolicy "Exportable" `
-Subject "..." `
-KeyUsageProperty @("Sign") `
-KeyUsage @("DigitalSignature") `
-TextExtension @("2.5.29.37={text}$($ku_codeSigning)", "2.5.29.19={text}false") `
-CertStoreLocation cert:\CurrentUser\My `
-KeyLength 2048 `
-NotAfter ([DateTime]::Now.AddDays(90)) `
-Provider "Microsoft Software Key Storage Provider" `
-Signer $subCaCert;
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ openssl genrsa -out private.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................................+++++
........................................................................................+++++
e is 65537 (0x010001)
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ ls
certificate.pfx private.key www.miaolimin.crt
CN is mandatory; for a website certificate it is the domain name (for a code-signing certificate it is the publisher name Windows shows in the signature). Note that in the transcript below both root.crt (openssl req -x509) and cert.csr are made from the same private.key, so the "CA" and the leaf share one private key; give the CA its own key in anything beyond a scratch test.
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ openssl req -new -key private.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.miaolimin.com
Organizational Unit Name (eg, section) []:RD
Common Name (e.g. server FQDN or YOUR name) []:chenmin
Email Address []:gdutcm@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:hw
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ ls
cert.csr certificate.pfx private.key www.miaolimin.crt
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ openssl req -new -x509 -key private.key -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangdong
Locality Name (eg, city) []:sz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hw
Organizational Unit Name (eg, section) []:rd
Common Name (e.g. server FQDN or YOUR name) []:mint
Email Address []:gudutcm@163.com
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
$ openssl x509 -req -in cert.csr -CA root.crt -CAkey private.key -CAcreateserial -out cert.crt -days 3650
Signature ok
subject=C = CN, ST = guangdong, L = SZ, O = www.miaolimin.com, OU = RD, CN = chenmin, emailAddress = gdutcm@163.com
Getting CA Private Key
chenmin@DESKTOP-VIB3O4E MINGW64 /d/cert
You can generate a certificate request carrying an EKU (extendedKeyUsage; the snippet spelled it EUK) with the following command:
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=CA/L=SanFrancisco/O=MyCompany/OU=MyDivision/CN=mydomain.com" -addext "subjectAltName = DNS:mydomain.com" -addext "keyUsage = digitalSignature, keyEncipherment" -addext "extendedKeyUsage = serverAuth"
Note that you need to replace server.key with the name of your private key file. -addext needs OpenSSL 1.1.1 or later.
To issue a certificate from that CSR with the EKU included: openssl x509 -req does not take -addext the way req does; it reads extensions from a file passed with -extfile:
printf 'subjectAltName=DNS:mydomain.com\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extfile server.ext
Note that you need to replace server.csr with the name of your CSR file, and ca.crt and ca.key with your CA certificate and private key. The EKU in this example is serverAuth, i.e. a TLS server certificate; for signtool the EKU must be codeSigning (1.3.6.1.5.5.7.3.3) instead.
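As an added example (not code from this page or from the sources it quotes), the whole makecert procedure at the top, CA then SPC then PFX, redone with the OpenSSL CLI, with the codeSigning EKU that the openssl x509 -req line in the transcript above omits. It also mints a second leaf the way that transcript does, without an extension file, so the two can be compared. The file names demo-ca.*, demo-spc.*, demo-noeku.crt, demo.ext, the subjects, and the password fess are assumptions for the demo; it needs OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example, not from the page: makecert-style CA -> code-signing leaf -> PFX
# using only the openssl CLI. File names, subjects and the password "fess" are
# demo assumptions. Requires OpenSSL >= 1.1.1 (-addext / -ext options).
set -eu

WORK="${WORK:-$(mktemp -d)}"    # scratch directory, left in place for inspection

make_chain() {
    # 1. Self-signed root CA with its own key. keyCertSign is what makes it an
    #    issuer; "openssl req -x509" adds basicConstraints CA:TRUE by itself.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo Root CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/demo-ca.key" -out "$WORK/demo-ca.crt" 2>/dev/null

    # 2. Leaf: a separate key (never reuse the CA key) and a CSR.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo SPC" \
        -keyout "$WORK/demo-spc.key" -out "$WORK/demo-spc.csr" 2>/dev/null

    # 3. Leaf extensions. "openssl x509 -req" reads them from -extfile;
    #    extendedKeyUsage=codeSigning is OID 1.3.6.1.5.5.7.3.3, the EKU signtool requires.
    cat > "$WORK/demo.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=codeSigning
EOF
    openssl x509 -req -in "$WORK/demo-spc.csr" \
        -CA "$WORK/demo-ca.crt" -CAkey "$WORK/demo-ca.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$WORK/demo.ext" -out "$WORK/demo-spc.crt" 2>/dev/null

    # 3b. Failure case: the same issuance without -extfile, which is what the
    #     x509 -req line in the transcript above does. No EKU, so signtool skips it.
    openssl x509 -req -in "$WORK/demo-spc.csr" \
        -CA "$WORK/demo-ca.crt" -CAkey "$WORK/demo-ca.key" -CAcreateserial \
        -sha256 -days 365 -out "$WORK/demo-noeku.crt" 2>/dev/null

    # 4. PFX for "signtool sign /f": leaf key + leaf cert + issuing CA, password fess.
    openssl pkcs12 -export -inkey "$WORK/demo-spc.key" -in "$WORK/demo-spc.crt" \
        -certfile "$WORK/demo-ca.crt" -passout pass:fess -out "$WORK/demo-spc.pfx"
}

# Prints "yes" if the certificate carries the Code Signing EKU, else "no".
has_codesigning_eku() {
    if openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "Code Signing"; then
        echo yes
    else
        echo no
    fi
}

# Prints "yes" if the certificate chains to demo-ca.crt, else "no".
chains_to_ca() {
    if openssl verify -CAfile "$WORK/demo-ca.crt" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Prints "yes" if the PFX ($1) opens with password $2 (MAC and key decrypt), else "no".
pfx_opens() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -noout >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

make_chain
echo "leaf EKU:    $(has_codesigning_eku "$WORK/demo-spc.crt")"     # yes
echo "no-EKU leaf: $(has_codesigning_eku "$WORK/demo-noeku.crt")"   # no
echo "chain:       $(chains_to_ca "$WORK/demo-spc.crt")"            # yes
echo "pfx:         $(pfx_opens "$WORK/demo-spc.pfx" fess)"          # yes
echo "files are in $WORK"
```

demo-spc.pfx is what goes into signtool sign /f ... -p fess. OpenSSL 3 writes the PFX with AES-256-CBC and PBKDF2; if an older Windows build refuses to import it, re-export with the pkcs12 -legacy option. Both leaves verify against the CA, which is exactly why the chain check alone does not catch a missing EKU: check the EKU as well before wondering why signtool reports that no certificates meet its criteria.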
https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage
https://learn.microsoft.com/zh-cn/dotnet/framework/tools/signtool-exe
https://stackoverflow.com/questions/28690986/code-signing-with-signtool-fails-due-to-private-key-filter