Question
I am using signtool.exe to sign an exe file. I am trying to embed my exe file with the .pfx certificate along with the signed hash of the exe (I generated the signed hash using openssl). I am able to sign only with the certificate, but I need to embed the signed hash in the exe as well. Probably signtool.exe sign /as could help, but the /as option does not expect any argument, so I am not able to pass my hash there.
Could someone please help me sign my exe with the certificate and hash.
Thanks,
Answer 1:
The version of Signtool shipped with the Windows 10 SDK includes the capability to embed a signed hash into an exe.
From the following page: https://vcsjones.com/2017/05/07/custom-authenticode-signing/
Starting in the Windows 10 SDK, two new command line switches are available, /dg and /di. Recall that a signature is always performed on a hash in Authenticode. The /dg option changes signtool's behavior to output a digest that you can sign using anything you'd like. Let's try this on a copy of notepad.exe.

signtool sign /dg "C:\scratch\dir" /fd SHA256 /f public-cert.cer notepad.exe

This takes a file to a public certificate; there is no key in public-cert.cer. You could also use the /sha1 option to specify a certificate in the certificate store that also has only a public key. This will output a few files in the "C:\scratch\dir" directory. The digest is the one with the ".dig" extension. This file will have the Base64 encoded digest to sign. Next, using your custom tool, sign the digest with the private key for the certificate. You should decode the Base64 signature before signing if the signing API expects a raw binary digest. Next, encode your signature in Base64 and place it in a file in the "C:\scratch\dir" directory with the same name as the digest file, with the "signed" extension. For example, "notepad.exe.dig.signed".

The next step is to ingest the signed digest along with the rest of the Authenticode signature to complete the signing.

signtool sign /di "C:\scratch\dir" notepad.exe

This will complete the signing process, and we now have our own signed copy of notepad.exe. Appending a signature is done just as before, except with the /as flag. This provides great flexibility for signers to use non-CSP / CNG signing options, or to offload the signing process. Signtool can now also sign just a plain digest file using the /ds option. If you have a dedicated server for performing Authenticode signing, you can now use the /dg, /ds and /di options so that only a very small file needs to be moved to the signing server, instead of the entire binary if it is large.
Source: https://stackoverflow.com/questions/26645842/how-to-embed-hash-in-exe-file-with-signtool-exe