[Mono-devel-list] Authenticode / signcode / chktrust problem

Sébastien Pouliot spouliot at videotron.ca
Fri Apr 22 08:40:03 EDT 2005


Daryn,

Open a bug report at bugzilla.ximian.com and attach the following...

(a) the unsigned EXE file (as small as possible, e.g. a hello world);
(b) the Mono signed EXE file (i.e. not working);
(c) the Windows signed EXE file (i.e. working);
(d) the SPC file (which contains only public stuff);
(e) the private key _ONLY_IF_ it's a test key (NOT if you paid for it);

Thanks,
Sebastien Pouliot
home: spouliot at videotron.ca
blog: http://pages.infinit.net/ctech/poupou.html


> -----Original Message-----
> From: Daryn Nakhuda [mailto:daryn at spamarrest.com]
> Sent: 21 April 2005 15:43
> To: spouliot at videotron.ca; mono-devel-list at lists.ximian.com
> Subject: Re: [Mono-devel-list] Authenticode / signcode / chktrust problem
>
>
> Hello,
>
> Sorry to bug the list again, but I haven't been able to find any more useful
> information in the faq, man pages, or archives in regards to this problem.
>
> My cert is from Thawte.  If I use an invalid cert or key I get an error, so
> I think they're okay.  I've imported the root CAs into the TRUST store
> (contents of store attached).
>
> However, while the application appears to get signed (no errors from
> signcode), it doesn't check out in either chktrust or on Windows.
>
> chktrust says:
>             WARNING!  Setup.exe is not timestamped!
>             ERROR!  Setup.exe couldn't find the certificate that signed the file!
>
> chktrust.exe on Windows says: "The digital signature of the object did not
> verify".  It does, however, correctly show my name under the signer
> information, and my certificate under "view certificate".
>
> If anyone wants me to sign something so you can see what's happening, just
> let me know.
>
>
> Thanks,
>
> Daryn
>
>
>
> ----- Original Message -----
> From: "Sébastien Pouliot" <spouliot at videotron.ca>
> To: "Daryn Nakhuda" <daryn at spamarrest.com>;
> <mono-devel-list at lists.ximian.com>
> Sent: Thursday, April 21, 2005 4:50 AM
> Subject: RE: [Mono-devel-list] Authenticode / signcode / chktrust problem
>
>
> > Hello Daryn,
> >
> >> I'm having a problem signing some code (the pvk & spc are valid, and work
> >> fine for signing on Windows using signcode.exe)
> >>
> >> 1. signcode -spc mycert.spc -v mykey.pvk -t http://timestamp.verisign.com/scripts/timstamp.dll Setup.exe
> >>             Mono SignCode - version 1.1.5.0
> >>             Sign assemblies and PE files using Authenticode(tm).
> >>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.
> >>
> >> 2. chktrust -v /root/Setup.exe
> >>             Mono CheckTrust - version 1.1.5.0
> >>             Verify if an PE executable has a valid Authenticode(tm) signature
> >>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.
> >>
> >>             Verifying file Setup.exe for Authenticode(tm) signatures...
> >>
> >>             WARNING! Setup.exe is not timestamped!
> >>             ERROR! Setup.exe couldn't find the certificate that signed the file!
> >>
> >>
> >> My guess is that perhaps this has something to do with CA's,
> >
> > Maybe but this isn't the error that chktrust would normally display if it
> > was missing the root certificate.
> >
> >> and I've
> >> downloaded the CA Certs from thawte and verisign, but I'm not sure I've
> >> installed them correctly using certmgr, as I'm not sure the proper use of
> >> the various stores.
> >
> > Is your certificate from Thawte or VeriSign ?
> >
> > Some people had problems with the SPC file supplied by VeriSign because it
> > uses undefined length encoding in its ASN.1 structure. The "trick" is to
> > import it in Windows then export it back to a SPC file. Windows will have
> > converted the structure to "defined" length - which Mono tools can
> > understand.
> >
> > Look in bugzilla for #68903 for a detailed workaround.
> >
> >> This is what I did (for every CA cert I could find):
> >>
> >> certmgr -add -c -m CA ThawteServerCA.cer
> >>             Mono Certificate Manager - version 1.1.5.0
> >>             Manage X.509 certificates and CRL from stores.
> >>             Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.
> >>
> >>
> >>             1 certificate(s) added to store CA.
> >
> > Wrong store. You must use the Trust store if you want chktrust to validate
> > your signatures. The CA store can be used for any type of CA (i.e. not
> > only root CA).
> >
> > http://www.mono-project.com/FAQ:_Security
> > or
> > "man certmgr"
> >
> >> Also, on Windows, when I look at the properties > digital signatures, the
> >> signature IS there, but it says it is "not valid".
> >>
> >>
> >> Can anyone provide some guidance?
> >
> > The FAQ and the man pages of the tools should be able to answer most
> > questions. Also have a look at the mailing list archives.
> >
> > Sebastien Pouliot
> > home: spouliot at videotron.ca
> > blog: http://pages.infinit.net/ctech/poupou.html
> >
>
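
The quoted reply above mentions SPC files whose ASN.1 structure uses undefined (indefinite) length encoding, which the Mono tools could not read. The following is an added example, not part of the original message or of the Mono tools: a small BER walker that reports the offset of every element encoded with indefinite length, so an SPC file can be checked before it is passed to signcode. The function names and both sample byte strings are constructed for illustration.

```python
def _walk(buf, pos, end, hits, until_eoc):
    """Walk TLVs in buf[pos:end]; return the offset just past what was consumed."""
    while pos < end:
        start = pos
        if until_eoc and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2                      # end-of-contents octets
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:                  # high-tag-number form
            while buf[pos] & 0x80:
                pos += 1
            pos += 1
        constructed = bool(tag & 0x20)
        first = buf[pos]
        pos += 1
        if first == 0x80:                       # indefinite length marker
            if not constructed:
                raise ValueError("indefinite length on primitive at %d" % start)
            hits.append(start)
            pos = _walk(buf, pos, end, hits, True)
            continue
        if first & 0x80:                        # long form: next n bytes hold length
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        else:                                   # short form
            length = first
        if pos + length > end:
            raise ValueError("element at %d runs past its container" % start)
        if constructed:
            _walk(buf, pos, pos + length, hits, False)
        pos += length
    if until_eoc:
        raise ValueError("missing end-of-contents octets")
    return pos

def find_indefinite_lengths(data: bytes) -> list:
    """Offsets of all elements using BER indefinite length; [] means definite only."""
    hits = []
    try:
        _walk(data, 0, len(data), hits, False)
    except IndexError:
        raise ValueError("truncated encoding")
    return hits

# Constructed samples: SEQUENCE { OID signedData, [0] { SEQUENCE { INTEGER 1 } } }
_BODY = "06092a864886f70d010702"
DER_SAMPLE = bytes.fromhex("3012" + _BODY + "a005" + "3003020101")
BER_SAMPLE = bytes.fromhex("3080" + _BODY + "a080" + "3003020101" + "0000" + "0000")

if __name__ == "__main__":
    print("definite:", find_indefinite_lengths(DER_SAMPLE))
    print("indefinite:", find_indefinite_lengths(BER_SAMPLE))
```

A non-empty result means the file contains indefinite-length elements and is a candidate for the import and re-export workaround described in the reply.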



