我正在尝试用我拥有的pfx文件签署Windows 8 appx包。我使用如下命令:
signtool.exe sign /fd sha256 /f "key.pfx" "app.appx"
由此,我得到:
SignTool错误:没有找到符合所有给定标准的证书。
我没有达到什么“标准”?这仅用于测试,因此这些是自签名证书。我尝试过导入密钥,然后对其进行签名,但它总是导致相同的错误。我怎么解决这个问题?
当前回答
我有同样的“私钥过滤后,0 certs被留下”的消息,我花了太多的时间试图弄清楚这条消息的意思。
问题是我在Windows证书存储中错误地安装了证书,因此没有与代码签名证书相关联的私钥。
我应该做的是:
Using either Firefox or Internet Explorer, submit the request to the issuer. This generates a PRIVATE KEY which is stored silently by the browser (a dialog appears for a fraction of a second in Firefox). Note that other browsers may not work: your life is too short to find out if they do. Submit the request, jump through the issuer's validation hoops and loops, sacrifice a goat, pray to the gods, submit a signed statement from your great grandparents, etc. Download the certificate (.crt) and import it into the same browser. The browser now has both the private key and the certificate. Export the certificate from the browser as a Personal Information Exchange (.p12) file. You will be asked to supply a password to protect this file. Keep a backup copy of the .p12 file. Run the Certificate Manager (certmgr.msc), right click on the Personal certificate store, select All Tasks/Import... and import the .p12 file into Windows. You will be asked for the password you used to protect the file. At this point, depending upon your security requirements, you can mark the key as exportable so you can restore a copy from the Windows store. You can also mark that a password is required before use if you want to break batch scripts. Run signtool successfully, breathe a sigh of relief, and ponder how much of your life you have wasted due to bad error messages and poor or missing documentation.
其他回答
尝试使用/debug。1,2如:
signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe
它将帮助您了解发生了什么。你应该得到这样的输出:
The following certificates were considered:
Issued to: <issuer>
Issued by: <certificate authority> Class 2 Primary Intermediate Server CA
Expires: Sun Mar 01 14:18:23 2015
SHA1 hash: DD0000000000000000000000000000000000D93E
Issued to: <certificate authority> Certification Authority
Issued by: <certificate authority> Certification Authority
Expires: Wed Sep 17 12:46:36 2036
SHA1 hash: 3E0000000000000000000000000000000000000F
After EKU filter, 2 certs were left.
After expiry filter, 2 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
您可以查看是哪个过滤器导致您的证书无法工作,或者是否没有考虑证书。
我改变了哈希值和其他信息,但你应该明白。
1请注意:signtool对/debug选项放置的位置有特殊要求。它需要跟在sign语句后面。 另外注意:/debug选项只适用于某些版本的signtool。WDK版本有这个选项,而Windows SDK版本没有。
以防其他人遇到这种情况:我的问题是,在使用signtool.exe应用程序之前,我需要以管理员身份运行命令提示符。然后一切都很好地工作。
我也有同样的问题,读了一些答案(贴在这里),我看到我的证书过期了。
只需从我的启动项目创建一个新的。然后在证书管理器删除了过期的证书。
现在一切都编译好了。
在我的情况下,我有错误的证书类型,我试图关联。我选择了“服务器认证”而不是“代码签名”。 您应该能够在预期用途部分的Certificate snap中看到这一点。在那之后,它就可以正常工作了。
转到项目属性,在初始化编译之前取消选中Firm中的所有字段
