windows - 指定 pwszTimestampURL 时 CryptUIWizDigitalSign 失败

Question

我在调用 CryptUIWizDigitalSign 时遇到问题使用我们的公共(public)代码签名证书以编程方式对可执行文件进行签名，而不显示任何 UI。该证书是Comodo代码签名证书。

当时间戳 URL 参数设置为 null 时它工作正常，但每当我传递 null 以外的任何内容时，调用都会失败(返回零)。

问题是没有时间戳就没有副署，因此进一步存在签名有效性问题。

环境是 Windows 7 x64。有一个工作标准的互联网连接。从嗅探网络流量来看，CryptUIWizDigitalSign 并未尝试联系时间戳服务器。

我是通过 PInvoke 从 .NET 调用它，但我怀疑这会有什么不同。

网上关于此功能的信息不多...

Dim cert As X509Certificate2 = New X509Certificate2("mycert.pfx", "password")
Dim pSigningCertContext As IntPtr = cert.Handle

Dim digitalSignInfo As CRYPTUI_WIZ_DIGITAL_SIGN_INFO 
    = New CRYPTUI_WIZ_DIGITAL_SIGN_INFO
digitalSignInfo.dwSize = Marshal.SizeOf(digitalSignInfo)
digitalSignInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE
digitalSignInfo.pwszFileName = "C:\temp\installer.exe"
digitalSignInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_CERT
digitalSignInfo.pSigningCertContext = pSigningCertContext
digitalSignInfo.pwszTimestampURL = "http://timestamp.comodoca.com/authenticode"
digitalSignInfo.dwAdditionalCertChoice = 0
digitalSignInfo.pSignExtInfo = IntPtr.Zero

If (Not CryptUIWizDigitalSign(CRYPTUI_WIZ_NO_UI, IntPtr.Zero, vbNullString, 
                              digitalSignInfo, pSignContext)) Then
    Throw New Win32Exception(Marshal.GetLastWin32Error(), 
        "CryptUIWizDigitalSign")
End If

CRYPTUI_WIZ_DIGITAL_SIGN_INFO 类型定义为:

<StructLayout(LayoutKind.Sequential)> _
Public Structure CRYPTUI_WIZ_DIGITAL_SIGN_INFO
    Public dwSize As Int32
    Public dwSubjectChoice As Int32
    <MarshalAs(UnmanagedType.LPWStr)> Public pwszFileName As String
    Public dwSigningCertChoice As Int32
    Public pSigningCertContext As IntPtr
    Public pwszTimestampURL As String
    Public dwAdditionalCertChoice As Int32
    Public pSignExtInfo As IntPtr
End Structure

Public Const CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE As Int32 = 1
Public Const CRYPTUI_WIZ_DIGITAL_SIGN_CERT As Int32 = 1
Public Const CRYPTUI_WIZ_NO_UI As Int32 = 1

Answer 1

您在 pwszFileName 上应用了 MarshalAs 属性，但没有在 pwszTimestampURL 上应用，这有什么原因吗？它们在 documentation for CRYPTUI_WIZ_DIGITAL_SIGN_INFO 中的描述相同:

pwsz文件名:

A pointer to a null-terminated Unicode string that contains the path and file name of the file to sign. This member is used if CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE is specified for the dwSubjectChoice member.

pwszTimestampURL:

A pointer to a null-terminated Unicode string that contains the URL for the time stamp.