How to sign exe file using signtool from windows - windows

When I try to sign my exe file using signtool from windows, I used this command in a command line:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x86>SignTool sign /debug /fd SHA1 /a /f certificate.crt xone.exe
But I got this:
The following certificates were considered:
Issued to: ***********
Issued by: ZeroSSL RSA Domain Secure Site CA
Expires: Sat May 28 01:59:59 2022
SHA1 hash: 71A05C21AC6C48EB5C253811D9E66D7E3D2443B2
After EKU filter, 0 certs were left.
After expiry filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I don't understand where the problem is.

Related

sign a .dll file using signtool, failed with Error: A certificate chain processed

I signed a .dll file with the help of those doc, makecert, pvk2pfx, signtool.
And the step as follow:
C:\Windows\System32>Makecert -pe -eku 1.3.6.1.5.5.7.3.3 -sv test.pvk -r -n "CN=forTest" test.cer
Succeeded
C:\Windows\System32>Cert2spc test.cer test.spc
Succeeded
C:\Windows\System32>pvk2pfx -pvk test.pvk -pi qweasdzxc -spc test.spc -pfx test.pfx -f
C:\Windows\System32>signtool sign /fd sha1 /f test.pfx /p qweasdzxc
D:\testDotDLL.dll
Done Adding Additional Store
Successfully signed: D:\testDotDLL.dll
Each step return success. but when I do verify, I get the error as below. Noticed, as shown in the below figure, I have added this cert to Trusted Certification Authorities store.
C:\Windows\System32>signtool verify D:\testDotDLL.dll
Index Algorithm Timestamp
========================================
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Number of errors: 1

Codesign an executable and allow the modification of some bytes

I use signtool.exe to codesign a Windows executable.
Which options of this tool can be used to define that a few bytes should be omitted from the hash calculation, and thus allowing that a digitally signed executable can have 8 or 16 bytes modified later?
This technique has been used by Mozilla (their .exe installer is different for each download, but has the same digital signature), see How can a .exe be modified and still keep a valid digital signature?.
The WinAPI function ImageGetDigestStream has an option DigestLevel to exclude resource information from the hash computation, but how to use this option when actually with signtool.exe or a similar tool?
This is explained by Didier Stevens in an article here: It's in the signature and he also provides a tool "disitool" to manipulate the signature.
Here are the steps to sign a file using Authenticode, and to append some data to it without breaking the signature:
A) Create a code siging certificate (you'll be required to enter passwords):
MakeCert /n "CN=MyOrg" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /sv MyOrg.pvk MyOrg.cer
note: 1.3.6.1.5.5.7.3.3 is szOID_PKIX_KP_CODE_SIGNING and 1.3.6.1.4.1.311.10.3.13 is szOID_KP_LIFETIME_SIGNING. This will create a private key file and a certificate file.
B) Add certificate to store (needs admin rights, could be a different store):
Certutil -addStore TrustedPeople MyOrg.cer
C) Create a Pfx file to sign:
Pvk2Pfx /pvk MyOrg.pvk /pi [Password goes here] /spc MyOrg.cer /pfx MyOrg.pfx
D) Sign your file:
SignTool.exe sign /fd SHA256 /v /a /f MyOrg.pfx /p [Password goes here] MyFile.exe
At this point MyFile.exe is signed using Authenticode:
E) Create some data.txt file. I've created one that just contains the "[Kilroy was here!]" text.
F) Now run disitool:
python.exe disitool.py inject --paddata MyFile.exe data.txt MyFile2.exe
And here is the result, MyFile2.exe is still valid without resigning the file:
While you can see data.txt's content added to its end:
From the original file's end:

SignTool Error: An unexpected internal error has occurred. (0x80080209)

I'm trying to sign appx file, but have this error:
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
I found that the error means: The SIP_SUBJECTINFO structure used to sign the package didn't contain the required data
Any idea how to fix it?
The certificate is made using commands:
MakeCert /n "CN=..." /r /h 0 /eku 1.3.6.1.5.5.7.3.3 /pe /sv MyKey.pvk MyKey.cer
Pvk2Pfx /pvk MyKey.pvk /pi 123456 /spc MyKey.cer /pfx MyKey.pfx /po 123456
And used as:
signtool.exe sign -f MyKey.pfx -p "123456" -fd SHA256 -v my.appx
But result is as already mentioned:
The following certificate was selected:
Issued to: ...
Issued by: ...
Expires: Sun Jan 01 01:59:59 2040
SHA1 hash: 7D760C6DF55749803CF0E0DF0F9615F607822B12
Done Adding Additional Store
SignTool Error: An unexpected internal error has occurred.
Error information: "Error: SignerSign() failed." (-2146958839/0x80080209)
As a note I should add, that application is signed as an output from DesktopAppConverter.exe, but I need to repack it and the signing is not working even when I use the auto-generated pfx file used by the converter.
Ok... so I found that I was probably using some wrong signtool.exe. I found location of the tool which is used with the DesktopAppConverter in its log. In my case it is:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.16299.0\x64\signtool.exe"
With this file the signing is successful.

Makecert: a certificate basic constraints extension has not been observed

I'm trying to create a self sign certificate by makecert Here is what I do:
makecert -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -cy authority
-h 1 -a sha1 -sv "D:\TuyenTk CA.pvk" -r "D:\TuyenTk CA.cer"
makecert -n "CN=TuyenTk" -ic "D:\TuyenTk CA.cer" -iv "D:\TuyenTk CA.pvk"
-eku "1.3.6.1.5.5.7.3.3" -cy end -a sha1 -h 0 -sky exchange -pe "D:\TuyenTk.cer"
pvk2pfx -pvk "D:\TuyenTk CA.pvk" -spc "D:\TuyenTk CA.cer"
-pfx "D:\TuyenTk.pfx" -pi "myPassWord"
The first line is make self sign cert (CA cert), The second line is use CA cert sign other cert, and the last is generate pfx file to sign the exe file.
Though all above 3 commands is reported success, when I double click to TuyenTk CA.cer and TuyenTk.cer, in the Details tab windows tell that the basic constraints is critical. So when I use the TuyenTk.pfx file to sign my exe file, in the Digital Signatures Tab, the certificate is not valid: a certificate basic constraints extension has not been observed
I view cert's details before install it, and after install in trusted root or personal location of cert store, I still see the error.
How can I fix this problem? Thank!
To create your self-signed root CA certificate, try these options:
makecert -r -pe -m 1200 -len 2048 -n "CN=TuyenTk CA, C=VN, ST=Hanoi, L=Hoan Kiem" -ss CA -sr CurrentUser -a sha1 -sky signature -cy authority -sv "D:\TuyenTk_CA.pvk" "D:\TuyenTk_CA.cer"
I left off "-h 1" to give you unlimited signing depth in the basic constraints; some SSL packages don't like unlimited path lengths, so you can either have layers of keys or put in "-h 5" or whatever value you feel will serve your needs. Switches I added:
-pe Make private key exportable
-m 1200 Make CA key valid for 100 years (1200 months)
-ss CA This key goes into the CA certificate store
-sr CurrentUser Certificate store location
-sky signature Key type (use for signing)
I also added an underscore (instead of a blank) in the name; may not be necessary, but my certificate files do not have spaces (these utilities can be odd sometimes).
When you import the CA certificate, make sure you do so into the "Trusted Root Certification Authorities\Local Computer" physical store location. For instance, use this from an Admin cmd prompt:
certutil -addstore -v root "D:\TuyenTk_CA.cer"
These steps worked for me on XP and work today on Windows 7. Hope this helps!
drac

How does one inspect X509 public key certificates from the command line in bash or unix

X509 public key certificates are pretty cryptic when you look at them with a normal editor. Are there any unix standard command line tools that allow one to view a X509 certificates or at least list and selectively extract their fields??? If there are not how would one go about doing this another way?
openssl x509 -in $CERTIFICATE_FILE -text
(One may have to add the -inform parameter if the certificate is not in PEM format)
Output looks exactly like the RFCs' description:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=765d52947c71fdd569321f117d5b3ea2618f41b9
Validity
Not Before: Sep 10 13:22:53 2013 GMT
Not After : Jul 1 00:00:00 2014 GMT
Subject: CN=ef2dea1c4e2d54acbe102b7b8c3bd4f542cda72c
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:94:c8:0e:72:f8:63:f5:be:aa:6d:79:91:3b:f0:
bf:06:68:7e:c1:bc:f1:f
..etc etc

Resources