问题描述
当我尝试使用Firefox从Sectigo / Comodo下载代码签名证书时,我最终下载了名为CollectCCC的文件,但没有文件扩展名。我不清楚如何使用它来签名二进制文件。当我尝试使用它对二进制文件进行签名(启用/debug时,会得到以下信息:
> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe
The following certificates were considered:
Issued to: GoDragons
Issued by: Sectigo RSA Code Signing CA
Expires: Fri Oct 22 00:59:59 2021
SHA1 hash: <hash>
Issued to: Sectigo RSA Code Signing CA
Issued by: USERTrust RSA Certification Authority
Expires: Wed Jan 01 00:59:59 2031
SHA1 hash: <hash>
Issued to: USERTrust RSA Certification Authority
Issued by: AAA Certificate Services
Expires: Mon Jan 01 00:59:59 2029
SHA1 hash: <hash>
Issued to: AAA Certificate Services
Issued by: AAA Certificate Services
Expires: Mon Jan 01 00:59:59 2029
SHA1 hash: <hash>
After EKU filter,4 certs were left.
After expiry filter,4 certs were left.
After Private Key filter,0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
部分问题是我无法使用IE下载他们的证书(他们的推荐方式,叹气),因为我没有使用IE创建代码签名证书请求。我使用openssl创建了代码签名证书请求。
这是我从IE收到的错误消息:
我也尝试将CollectCCC导入IE,但失败了。
免责声明:我不建议将Sectigo和/或Comodo用于代码签名证书!我和他们的经历真糟糕!值得付出更多的钱以获得更好的服务。
解决方法
经过大量的搜索,最终我发现CollectCCC文件的类型为.p7s。
您可以使用.p7s通过以下命令将.pfx文件转换为openssl文件(需要对二进制文件进行签名)(这是一个两步过程):
openssl pkcs7 -inform der -in CollectCCC -print_certs -out CollectCCC.pem
openssl pkcs12 -export -out certificate.pfx -inkey ~/.csr/www.draughthub.com.key -in CollectCCC.pem
在其中将~/.csr/www.draughthub.com.key替换为创建的提出密码签名证书请求的私钥的位置。第二步将提示您输入密码。这是您用于创建请求的密码(以及相应的私钥)。