signtool.exe

This page mostly looks at one situation: why signing programs with the sha256 algorithm does not work on Windows 10.

photo 1

signtool.exe switch reference:

Usage: signtool sign [options]

Use the "sign" command to sign files using embedded signatures. Signing
protects a file from tampering, and allows users to verify the signer (you)
based on a signing certificate. The options below allow you to specify signing
parameters and to select the signing certificate you wish to use.


Certificate selection options:
/a          Select the best signing cert automatically. SignTool will find all
            valid certs that satisfy all specified conditions and select the
            one that is valid for the longest. If this option is not present,
            SignTool will expect to find only one valid signing cert.
/ac <file>  Add an additional certificate, from <file>, to the signature block.
/c <name>   Specify the Certificate Template Name (Microsoft extension) of the
            signing cert.
/f <file>   Specify the signing cert in a file. If this file is a PFX with
            a password, the password may be supplied with the "/p" option.
            If the file does not contain private keys, use the "/csp" and "/kc"
            options to specify the CSP and container name of the private key.
/i <name>   Specify the Issuer of the signing cert, or a substring.
/n <name>   Specify the Subject Name of the signing cert, or a substring.
/p <pass.>  Specify a password to use when opening the PFX file.
/r <name>   Specify the Subject Name of a Root cert that the signing cert must
            chain to.
/s <name>   Specify the Store to open when searching for the cert. The default
            is the "MY" Store.
/sm         Open a Machine store instead of a User store.
/sha1 <h>   Specify the SHA1 thumbprint of the signing cert.
/fd         Specifies the file digest algorithm to use for creating file
            signatures. (Default is SHA1)
/u <usage>  Specify the Enhanced Key Usage that must be present in the cert.
            The parameter may be specified by OID or by string. The default
            usage is "Code Signing" (1.3.6.1.5.5.7.3.3).
/uw         Specify usage of "Windows System Component Verification"
            (1.3.6.1.4.1.311.10.3.6).

Private Key selection options:
/csp <name> Specify the CSP containing the Private Key Container.
/kc <name>  Specify the Key Container Name of the Private Key.

Signing parameter options:
/as         Append this signature. If no primary signature is present, this
            signature will be made the primary signature instead.
/d <desc.>  Provide a description of the signed content.
/du <URL>   Provide a URL with more information about the signed content.
/t <URL>    Specify the timestamp server's URL. If this option is not present,
            the signed file will not be timestamped. A warning is generated if
            timestamping fails.
/tr <URL>   Specifies the RFC 3161 timestamp server's URL. If this option
            (or /t) is not specified, the signed file will not be timestamped.
            A warning is generated if timestamping fails.  This switch cannot
            be used with the /t switch.
/tseal <URL> Specifies the RFC 3161 timestamp server's URL for timestamping a
            sealed file.
/td <alg>   Used with the /tr or /tseal switch to request a digest algorithm
            used by the RFC 3161 timestamp server.
/sa <OID> <value> Specify an OID and value to be included as an authenticated
                  attribute in the signature. The value will be encoded as an
                  ASN1 UTF8 string. This option may be given multiple times.
/seal       Add a sealing signature if the file format supports it.
/itos       Create a primary signature with the intent-to-seal attribute.
/force      Continue to seal or sign in situations where the existing signature
            or sealing signature needs to be removed to support sealing.
/nosealwarn Sealing-related warnings do not affect SignTool's return code.

Digest options:
/dg <path>   Generates the to be signed digest and the unsigned PKCS7 files.
             The output digest and PKCS7 files will be: <path>\<file>.dig and
             <path>\<file>.p7u. To output an additional XML file, see /dxml.
/ds          Signs the digest only. The input file should be the digest
             generated by the /dg option. The output file will be:
             <file>.signed.
/di <path>   Creates the signature by ingesting the signed digest to the
             unsigned PKCS7 file. The input signed digest and unsigned
             PKCS7 files should be: <path>\<file>.dig.signed and
             <path>\<file>.p7u.
/dxml        When used with the /dg option, produces an XML file. The output
             file will be: <path>\<file>.dig.xml.
/dlib <dll>  Specifies the DLL implementing the AuthenticodeDigestSign or
             AuthenticodeDigestSignEx function to sign the digest with. This
             option is equivalent to using SignTool separately with the
             /dg, /ds, and /di switches, except this option invokes all three
             as one atomic operation.
/dmdf <file> When used with the /dlib option, passes the file's contents to
             the AuthenticodeDigestSign or AuthenticodeDigestSignEx function
             without modification.

PKCS7 options:
/p7 <path>    Specifies that for each specified content file a PKCS7 file is
              produced. The PKCS7 file will be named: <path>\<file>.p7
/p7co <OID>   Specifies the <OID> that identifies the signed content.
/p7ce <Value> Defined values:
                Embedded           - Embeds the signed content in the PKCS7.
                DetachedSignedData - Produces the signed data part of
                                     a detached PKCS7.
                Pkcs7DetachedSignedData - Produces a full detached PKCS7.
              The default is 'Embedded'

Other options:
/ph         Generate page hashes for executable files if supported.
/nph        Suppress page hashes for executable files if supported.
            The default is determined by the SIGNTOOL_PAGE_HASHES
            environment variable and by the wintrust.dll version.
/rmc        Specifies signing a PE file with the relaxed marker check semantic.
            The flag is ignored for non-PE files. During verification, certain
            authenticated sections of the signature will bypass invalid PE
            markers check. This option should only be used after careful
            consideration and reviewing the details of MSRC case MS12-024 to
            ensure that no vulnerabilities are introduced.
/q          No output on success and minimal output on failure. As always,
            SignTool returns 0 on success, 1 on failure, and 2 on warning.
/v          Print verbose success and status messages. This may also provide
            slightly more information on error.
/debug      Display additional debug information.

Note: in the examples the certificate "BIT driver KKT 03" is installed in the Windows certificate store.

The typical problem: sha1 works:
signtool sign /as /v /debug /n "BIT driver KKT 03" /td sha1 /tr http://timestamp.digicert.com /fd sha1 BIT_driverKKT.exe

sha256 does not work:
signtool sign /as /v /debug /n "BIT driver KKT 03" /td sha256 /tr http://timestamp.digicert.com /fd sha1 BIT_driverKKT.exe
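The two command lines above differ only in /td, which (per the help text) selects the digest requested from the RFC 3161 timestamp server; the file digest itself is chosen with /fd. The batch script below is an added example, not a script from the original page: it produces a SHA-1 primary signature with an Authenticode (/t) timestamp, appends (/as) a SHA-256 signature with an RFC 3161 (/tr) timestamp in a separate invocation (the help text says /t and /tr cannot be combined), and then verifies every signature in the file. It assumes signtool.exe is on PATH, the certificate "BIT driver KKT 03" is in the current user's MY store, and http://timestamp.digicert.com is reachable; the file to sign is passed as the first argument.

```batch
@echo off
REM Added example (not from the original page): dual-sign a PE file with a
REM SHA-1 primary signature and an appended SHA-256 signature, then verify.
REM Assumptions: signtool.exe is on PATH, the signing certificate is in the
REM current user's MY store, and the timestamp server is reachable.
setlocal

set "CERT_NAME=BIT driver KKT 03"
set "TSA_URL=http://timestamp.digicert.com"
set "TARGET=%~1"

if "%TARGET%"=="" (
    echo usage: %~nx0 file-to-sign.exe
    exit /b 2
)

REM 1. Primary signature: SHA-1 file digest (/fd) with an Authenticode (/t)
REM    timestamp. signtool returns 0 on success, 1 on failure, 2 on warning;
REM    "if errorlevel 1" treats warnings (e.g. a failed timestamp) as errors too.
signtool sign /v /n "%CERT_NAME%" /fd sha1 /t "%TSA_URL%" "%TARGET%"
if errorlevel 1 (
    echo SHA-1 signature failed with exit code %errorlevel%
    exit /b %errorlevel%
)

REM 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 (/tr)
REM    timestamp whose digest is also SHA-256 (/td). /t and /tr cannot be
REM    combined, so the second signature is a separate invocation.
signtool sign /v /as /n "%CERT_NAME%" /fd sha256 /tr "%TSA_URL%" /td sha256 "%TARGET%"
if errorlevel 1 (
    echo SHA-256 signature failed with exit code %errorlevel%
    exit /b %errorlevel%
)

REM 3. Verify all signatures in the file (/all) against the default
REM    Authenticode policy (/pa); /v prints the chain and timestamp details.
signtool verify /v /pa /all "%TARGET%"
if errorlevel 1 (
    echo verification failed with exit code %errorlevel%
    exit /b %errorlevel%
)

echo %TARGET% now carries a valid SHA-1 and SHA-256 signature.
endlocal
exit /b 0
```

Run it as `dualsign.cmd BIT_driverKKT.exe`. The verify step is the check worth keeping in any signing batch file: it fails when the appended signature did not land, when a timestamp is missing, or when the chain does not validate, which a successful exit code from the sign step alone does not guarantee.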

Our signtool.exe version is 10.0.19041.685.

The certificate is stored on a Rutoken Light 64Kb and is called without any trouble from a batch file whenever a program needs to be signed. All you have to do is enter the Rutoken PIN code, and the Rutoken then supplies the password for the pfx file stored on the token itself. Very convenient.

We install the Windows 10 SDK, but not all of it: a small part is enough:

photo 2