wix - 如何找到 WiX RemotePayload 的 CertificatePublicKey 哈希

Question

我正在尝试解析 WiX RemotePayload 哈希，但我不确定如何找到 CertificatePublicKey 属性。

以来自 WiX 3.6 源的 .NET 4.0 包定义为例:

  <Fragment>
    <util:RegistrySearchRef Id="NETFRAMEWORK40"/>

    <WixVariable Id="WixMbaPrereqPackageId" Value="NetFx40Redist" />
    <WixVariable Id="WixMbaPrereqLicenseUrl" Value="$(var.NetFx40EulaLink)" />

    <PackageGroup Id="NetFx40Redist">
      <ExePackage
          InstallCommand="/q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          RepairCommand="/q /norestart /repair /ChainingPackage &quot;[WixBundleName]&quot;"
          UninstallCommand="/uninstall /q /norestart /ChainingPackage &quot;[WixBundleName]&quot;"
          PerMachine="yes"
          DetectCondition="NETFRAMEWORK40"
          Id="NetFx40Redist"
          Vital="yes"
          Permanent="yes"
          Protocol="netfx4"
          DownloadUrl="$(var.NetFx40RedistLink)"
          Compressed="no"
          Name="redist\dotNetFx40_Full_x86_x64.exe">
        <RemotePayload
            Size="50449456"
            Version="4.0.30319.1"
            ProductName="Microsoft .NET Framework 4"
            Description="Microsoft .NET Framework 4 Setup"
            CertificatePublicKey="672605E36DD71EC6B8325B91C5FE6971390CB6B6"
            CertificateThumbprint="9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F"
            Hash="58DA3D74DB353AAD03588CBB5CEA8234166D8B99"/>
      </ExePackage>
    </PackageGroup>
  </Fragment>

来自 wix36-sources\src\ext\NetFxExtension\wixlib\NetFx4.wxs

我可以用 Hash 找到 sha1 fciv -sha1 dotNetFx40_Full_x86_x64.exe ...

58da3d74db353aad03588cbb5cea8234166d8b99 dotnetfx40_full_x86_x64.exe

我可以通过文件的属性对话框轻松找到匹配的 CertificateThumbprint，或者使用显示以下输出的 signtool

C:\redist>signtool verify /v /ph dotNetFx40_Full_x86_x64.exe

Verifying: dotNetFx40_Full_x86_x64.exe
Signature Index: 0 (Primary Signature)
Hash of file (sha1): 8E8582D10521962F45F33935C38A2412C4F2D4C7

Signing Certificate Chain:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Code Signing PCA
        Issued by: Microsoft Root Authority
        Expires:   Sat Aug 25 03:00:00 2012
        SHA1 hash: 3036E3B25B88A55B86FC90E6E9EAAD5081445166

            Issued to: Microsoft Corporation
            Issued by: Microsoft Code Signing PCA
            Expires:   Mon Mar 07 18:40:29 2011
            SHA1 hash: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F

The signature is timestamped: Thu Mar 18 21:13:46 2010
Timestamp Verified by:
    Issued to: Microsoft Root Authority
    Issued by: Microsoft Root Authority
    Expires:   Thu Dec 31 03:00:00 2020
    SHA1 hash: A43489159A520F0D93D032CCAF37E7FE20A8B419

        Issued to: Microsoft Timestamping PCA
        Issued by: Microsoft Root Authority
        Expires:   Sun Sep 15 03:00:00 2019
        SHA1 hash: 3EA99A60058275E0ED83B892A909449F8C33B245

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Timestamping PCA
            Expires:   Thu Jul 25 15:11:15 2013
            SHA1 hash: 4D6F357F0E6434DA97B1AFC540FB6FDD0E85A89F

SignTool Error: The signing certificate is not valid for the requested usage.
        This error sometimes means that you are using the wrong verification
        policy. Consider using the /pa option.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

什么工具可以提供 CertificatePublicKey 的哈希值？

编辑: 在不使用热量的情况下，我想了解哈希值的来源。

编辑: 我知道这是如何在 WiX 源代码中完成的，并且我可以执行 heat payload file -out file.wxs ，但我正在寻找一些可以在不使用热量的情况下提供预期哈希值的外部工具。这真的只是为了满足我的好奇心。

Answer 1

如果您查看 heat 工具的源代码，它会使用 Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo函数生成 CertificatePublicKey .

byte[] publicKeyIdentifierHash = new byte[128];
uint publicKeyIdentifierHashSize = (uint)publicKeyIdentifierHash.Length;

Microsoft.Tools.WindowsInstallerXml.Cab.Interop.NativeMethods.HashPublicKeyInfo(
    certificate.Handle, 
    publicKeyIdentifierHash, 
    ref publicKeyIdentifierHashSize);

StringBuilder sb = new StringBuilder(((int)publicKeyIdentifierHashSize + 1) * 2);
for (int i = 0; i < publicKeyIdentifierHashSize; ++i)
{
    sb.AppendFormat("{0:X2}", publicKeyIdentifierHash[i]);
}

this.PublicKey = sb.ToString();

您显然可以使用此代码生成指纹或根据 Public Key fingerprints 上的维基页面生成指纹。你也可以使用命令行

ssh-keygen -lf /path/to/key.pub

问题是生成符合 RFC4716 的 ssh-keygen pub 文件从证书，这就是我被难住的地方。

我个人只使用 heat 命令行:

heat.exe payload PATH_TO_FILE -o Output.wxs

不用担心它在工作时实际在做什么!! :)