[Mono-devel-list] Authenticode / signcode / chktrust problem

Daryn Nakhuda daryn at spamarrest.com
Thu Apr 21 15:43:11 EDT 2005


Hello,

Sorry to bug the list again, but I haven't been able to find any more useful 
information in the FAQ, man pages, or archives in regards to this problem.

My cert is from Thawte.  If I use an invalid cert or key I get an error, so 
I think they're okay.  I've imported the root CAs into the TRUST store 
(contents of store attached).

However, while the application appears to get signed (no errors from 
signcode), it doesn't check out in either chktrust or on Windows.

chktrust says:
            WARNING!  Setup.exe is not timestamped!
            ERROR!  Setup.exe couldn't find the certificate that signed the file!

chktrust.exe on Windows says: "The digital signature of the object did not 
verify".  It does, however, correctly show my name under the signer 
information, and my certificate under "view certificate".

If anyone wants me to sign something so you can see what's happening, just 
let me know.


Thanks,

Daryn



----- Original Message ----- 
From: "Sébastien Pouliot" <spouliot at videotron.ca>
To: "Daryn Nakhuda" <daryn at spamarrest.com>; 
<mono-devel-list at lists.ximian.com>
Sent: Thursday, April 21, 2005 4:50 AM
Subject: RE: [Mono-devel-list] Authenticode / signcode / chktrust problem


> Hello Daryn,
>
>> I'm having a problem signing some code  (the pvk & spc are valid,
>> and work
>> fine for signing on windows using signcode.exe)
>>
>> 1. signcode -spc mycert.spc -v mykey.pvk -t
>> http://timestamp.verisign.com/scripts/timstamp.dll Setup.exe
>>             Mono SignCode - version 1.1.5.0
>>             Sign assemblies and PE files using Authenticode(tm).
>>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
>> Novell. BSD licensed.
>>
>> 2. chktrust -v /root/Setup.exe
>>             Mono CheckTrust - version 1.1.5.0
>>             Verify if an PE executable has a valid Authenticode(tm)
>> signature
>>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
>> Novell. BSD licensed.
>>
>>             Verifying file Setup.exe for Authenticode(tm) signatures...
>>
>>             WARNING! Setup.exe is not timestamped!
>>             ERROR! Setup.exe couldn't find the certificate that
>> signed the
>> file!
>>
>>
>> My guess is that perhaps this has something to do with CA's,
>
> Maybe but this isn't the error that chktrust would normally display if it
> was missing the root certificate.
>
>> and I've
>> downloaded the CA Certs from thawte and verisign, but I'm not sure I've
>> installed them correctly using certmgr, as I'm not sure the proper use of
>> the various stores.
>
> Is your certificate from Thawte or VeriSign ?
>
> Some people had problems with the SPC file supplied by VeriSign because it
> uses undefined length encoding in its ASN.1 structure. The "trick" is to
> import it in Windows then export it back to a SPC file. Windows will have
> converted the structure to "defined" length - which Mono tools can
> understand.
>
> Look in bugzilla for #68903 for a detailed workaround.
>
>> This is what I did (for every CA cert I could find):
>>
>> certmgr -add -c -m CA ThawteServerCA.cer
>>             Mono Certificate Manager - version 1.1.5.0
>>             Manage X.509 certificates and CRL from stores.
>>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005
>> Novell. BSD licensed.
>>
>>
>>             1 certificate(s) added to store CA.
>
> Wrong store. You must use the Trust store if you want chktrust to validate
> your signatures. The CA store can be used for any type of CA (i.e. not only
> root CA).
>
> http://www.mono-project.com/FAQ:_Security
> or
> "man certmgr"
>
>> Also, on Windows, when I look at the properties > digital signatures, the
>> signature IS there, but it says it is "not valid".
>>
>>
>> Can anyone provide some guidance?
>
> The FAQ and the man pages of the tools should be able to answer most
> questions. Also have a look at the mailing list archives.
>
> Sebastien Pouliot
> home: spouliot at videotron.ca
> blog: http://pages.infinit.net/ctech/poupou.html
>
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: truststore.txt
Url: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20050421/50905207/attachment.txt 

