ssl - 使用 GoDaddy 代码签名证书对 ClickOnce 进行签名

问题描述

我们从 GoDaddy 购买了代码签名证书，对我们的软件进行了签名，但是当我尝试安装该应用程序时 - 它仍然显示“未知发布者”，并且防病毒和防火墙正在阻止安装。到今天为止，我已经重新键入证书并完成了四次整个过程。我在整个过程中没有任何问题或错误，并成功使用 signtool 对 setup.exe 进行了签名。我做错了什么？

这是我的做法：

1. 我使用我的 PC 生成的 CSR 重新键入 GoDaddy 颁发的证书，按照以下说明检查“使我的私钥可导出”：https ://www.ssltrust.com.au/help/setup-guides/code-signing-证书

2. 我使用这个 GoDaddy CSR 测试工具测试我的 CSR：https ://ssltools.godaddy.com/views/csrDecoder - 一切正常

3. 我向 GoDaddy 提交 CSR，重新输入我的证书并下载新的 .pem 和 .spc

4. 我按照以下说明使用 MMC->certmgr 导入 .spc 文件并导出 .pfx：https ://ca.godaddy.com/help/windows-install-codedriver-signing-certificate-and-create-pfx-file-第2698章

5. 在 Visual Studio 中，我按照以下说明发布未签名的应用程序： https ://docs.microsoft.com/en-us/visualstudio/deployment/how-to-sign-setup-files-with-signtool-exe-clickonce?view =vs-2019

6. 我按照以下说明使用 signtool 签署 setup.exe：https ://ca.godaddy.com/help/signtool-sign-windows-code-with-a-code-signing-certificate-4778?locale=en

在 cmd 我运行：

C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool>signtool sign /f C:\Users\plvan\Desktop\cert\key.pfx /p MyStrongPwd /tr http://tsa.starfieldtech.com /td SHA256 c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe

命令成功：

Done Adding Additional Store Successfully signed: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe

如果我运行“验证”

C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool>signtool verify /v /pa c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe

结果是：

Verifying: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 90941E5E4178D58CCAC2FA750C861F63440B90A7

Signing Certificate Chain:
Issued to: Starfield Root Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires:   Thu Dec 31 16:59:59 2037
SHA1 hash: B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E

    Issued to: Starfield Secure Certificate Authority - G2
    Issued by: Starfield Root Certificate Authority - G2
    Expires:   Sat May 03 00:00:00 2031
    SHA1 hash: 7EDC376DCFD45E6DDF082C160DF6AC21835B95D4

        Issued to: Matrioshka Ltd.
        Issued by: Starfield Secure Certificate Authority - G2
        Expires:   Tue Sep 28 14:19:47 2021
        SHA1 hash: 5941FE2F9BC8FA31102EAB994F91AE2CEDC1FF34

The signature is timestamped: Thu Oct 01 19:02:04 2020
Timestamp Verified by:
Issued to: Starfield Root Certificate Authority - G2
Issued by: Starfield Root Certificate Authority - G2
Expires:   Thu Dec 31 16:59:59 2037
SHA1 hash: B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E

    Issued to: Starfield Secure Certificate Authority - G2
    Issued by: Starfield Root Certificate Authority - G2
    Expires:   Sat May 03 00:00:00 2031
    SHA1 hash: 7EDC376DCFD45E6DDF082C160DF6AC21835B95D4

        Issued to: Starfield Timestamp Authority - G2
        Issued by: Starfield Secure Certificate Authority - G2
        Expires:   Tue Sep 09 00:00:00 2025
        SHA1 hash: 7280A5FCD8DFE11F01FE8601B15EC41A376F05E2


Successfully verified: c:\Users\plvan\source\repos\IAD\DesktopApp1\publish\IAD1.3.0.0\setup.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

我怀疑我做的一切都是正确的，但证书本身就是问题所在。我打电话给 GoDaddy，他们说他们这边没有问题。有任何想法吗？

标签： sslclickoncecode-signing-certificatesigntool