[Mono-devel-list] Authenticode / signcode / chktrust problem

Sébastien Pouliot spouliot at videotron.ca
Thu Apr 21 07:50:40 EDT 2005


Hello Daryn,

> I'm having a problem signing some code (the pvk & spc are valid,
> and work
> fine for signing on windows using signcode.exe)
>
> 1. signcode -spc mycert.spc -v mykey.pvk -t
> http://timestamp.verisign.com/scripts/timstamp.dll Setup.exe
>             Mono SignCode - version 1.1.5.0
>             Sign assemblies and PE files using Authenticode(tm).
>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
> Novell. BSD licensed.
>
> 2. chktrust -v /root/Setup.exe
>             Mono CheckTrust - version 1.1.5.0
>             Verify if an PE executable has a valid Authenticode(tm)
> signature
>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
> Novell. BSD licensed.
>
>             Verifying file Setup.exe for Authenticode(tm) signatures...
>
>             WARNING! Setup.exe is not timestamped!
>             ERROR! Setup.exe couldn't find the certificate that
> signed the
> file!
>
>
> My guess is that perhaps this has something to do with CA's,

Maybe but this isn't the error that chktrust would normally display if it
was missing the root certificate.

> and I've
> downloaded the CA Certs from thawte and verisign, but I'm not sure I've
> installed them correctly using certmgr, as I'm not sure the proper use of
> the various stores.

Is your certificate from Thawte or VeriSign?

Some people had problems with the SPC file supplied by VeriSign because it
uses undefined length encoding in its ASN.1 structure. The "trick" is to
import it in Windows then export it back to a SPC file. Windows will have
converted the structure to "defined" length - which Mono tools can
understand.

Look in bugzilla for #68903 for a detailed workaround.

> This is what I did (for every CA cert I could find):
>
> certmgr -add -c -m CA ThawteServerCA.cer
>             Mono Certificate Manager - version 1.1.5.0
>             Manage X.509 certificates and CRL from stores.
>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
> Novell. BSD licensed.
>
>
>             1 certificate(s) added to store CA.

Wrong store. You must use the Trust store if you want chktrust to validate
your signatures. The CA store can be used for any type of CA (i.e. not only
root CA).

http://www.mono-project.com/FAQ:_Security
or
"man certmgr"

> Also, on Windows, when I look at the properties > digital signatures, the
> signature IS there, but it says it is "not valid".
>
>
> Can anyone provide some guidance?

The FAQ and the man pages of the tools should be able to answer most
questions. Also have a look at the mailing list archives.

Sebastien Pouliot
home: spouliot at videotron.ca
blog: http://pages.infinit.net/ctech/poupou.html
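
Added example, not part of the original message and not Mono's code: a small BER walker that reports whether a file uses the length encoding the reply describes (in ASN.1 terms, indefinite length: a length octet of 0x80 closed by 00 00). The helper names and the two sample byte strings are constructed for illustration.

```python
def read_header(buf, pos):
    """Parse one tag+length; return (constructed, length or None, header_size)."""
    start, first = pos, buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:              # high-tag-number form: skip extra tag octets
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    lb = buf[pos]
    pos += 1
    if lb == 0x80:                        # indefinite: content ends at 00 00
        length = None
    elif lb & 0x80:                       # long form: next (lb & 0x7F) octets hold the length
        n = lb & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short form
        length = lb
    return bool(first & 0x20), length, pos - start

def walk(buf, pos, end, hits, in_indefinite=False):
    """Walk TLVs in buf[pos:end], recording offsets of indefinite-length elements."""
    while pos < end:
        if in_indefinite and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2                # end-of-contents marker closes this element
        constructed, length, hdr = read_header(buf, pos)
        body = pos + hdr
        if length is None:
            hits.append(pos)
            pos = walk(buf, body, end, hits, True)
            continue
        if body + length > end:
            raise ValueError(f"element at offset {pos} runs past its container")
        if constructed:                   # recurse only into constructed encodings
            walk(buf, body, body + length, hits)
        pos = body + length
    if in_indefinite:
        raise ValueError("missing end-of-contents octets")
    return pos

def indefinite_offsets(buf):
    hits = []
    walk(buf, 0, len(buf), hits)
    return hits

# Constructed samples: ContentInfo { OID signedData, [0] { SEQUENCE { INTEGER 1 } } }
DEFINITE = bytes.fromhex("3012" "06092a864886f70d010702" "a005" "3003" "020101")
INDEFINITE = bytes.fromhex("3080" "06092a864886f70d010702" "a080" "3080" "020101" "000000000000")
```

A non-empty result from `indefinite_offsets(open(path, "rb").read())` on a binary SPC file means it contains indefinite-length elements; an empty list means every length is definite.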



