Openssl &引用；签名中的证书无法验证“；申请解冻证书

我需要使用company.pfx中存储的证书对Application.exe文件进行签名。因此，我使用了signtool：

signtool.exe sign /p password /f company.pfx /t http://timestamp.verisign.com/scripts/timestamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: App1_old.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

signtool说没有错误。但是在数字签名详细信息中有一条消息“签名中的证书无法验证”，并且没有证书路径

详细地说，有一个属性“扩展错误信息”，上面写着“吊销状态：吊销功能无法检查吊销，因为吊销服务器处于脱机状态。”

为了调查这个问题，我在应用程序上使用了sigcheck（-a key），它说“已验证：无法将证书链构建到受信任的根颁发机构。”

然后我将pfx文件导入到reporitory中，看起来证书还可以

我搜索了有关我的主题的stackoverflow，找到了一些链接，这很有帮助

解决方案是从pfx中提取证书（使用OpenSSL）并使用/ac参数应用它

openssl pkcs12 -in company.pfx -out company_cl.pem -nodes -clcerts
openssl x509 -in company_cl.pem -out company_cl.cer -outform DER
signtool sign /ac company_cl.cer /p password  /f company.pfx /t http://timestamp.verisign.com/scripts/timstamp.dll /v Application.exe

The following certificate was selected:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Cross certificate chain (using machine store):
    Issued to: thawte Primary Root CA
    Issued by: thawte Primary Root CA
    Expires:   Thu Jul 17 02:59:59 2036
    SHA1 hash: 91C6D6EE3E8AC86384E548C299295C756C817B81

        Issued to: Thawte Code Signing CA - G2
        Issued by: thawte Primary Root CA
        Expires:   Sat Feb 08 02:59:59 2020
        SHA1 hash: 808D62642B7D1C4A9A83FD667F7A2A9D243FB1C7

            Issued to: Company, Inc.
            Issued by: Thawte Code Signing CA - G2
            Expires:   Wed Aug 27 02:59:59 2014
            SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

Done Adding Additional Store
Successfully signed and timestamped: Application.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

现在，“数字安全详细信息”中的信息是“数字签名没有问题。”

但我不明白为什么我需要使用/ac参数。有人有什么想法吗

---

编辑

我已经用application.exe验证了应用程序的第一个版本（不带/ac），它为我提供了更多信息：

signtool.exe verify /v /kp Application.exe

Verifying: Application.exe
Hash of file (sha1): 5CBB228F4F206C65AAC829ACF40C297F291FE0A7

Signing Certificate Chain:
    Issued to: Company, Inc.
    Issued by: Thawte Code Signing CA - G2
    Expires:   Wed Aug 27 02:59:59 2014
    SHA1 hash: A2A0BD7C4516BF8C88AECC3A568CE9BB5D63902D

The signature is timestamped: Fri Mar 29 18:42:56 2013
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   Fri Jan 01 02:59:59 2021
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   Thu Dec 31 02:59:59 2020
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   Wed Dec 30 02:59:59 2020
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

SignTool Error: WinVerifyTrust returned error: 0x800B010A
        A certificate chain could not be built to a trusted root authority.

Number of files successfully Verified: 0
Number of warnings: 0
Number of errors: 1

---

“无法将证书链构建到受信任的根颁发机构。”但原因是什么？

我发现了一篇关于使用Thawte的证书签名文件的文章：

似乎总是需要/ac符号工具选项。因此，我已将解冻证书提取到.cer文件中，并使用/ac参数应用它

openssl pkcs12 -in company.pfx -out company_ca.pem -nokeys -cacerts
openssl x509 -in company_ca.pem -out company_ca.cer -outform DER
signtool sign /ac company_ca.cer /p password /f company.pfx /t timeserver /v Application.exe

---

而且效果很好

它看起来像是使用了来自

C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin\signtool.exe 

---

也解决了此问题。

此问题可能是因为缺少中间证书。 比较两台计算机中的证书（通过双击同一台计算机）并观察“证书路径”选项卡。如果缺少任何中间证书节点，则从旧计算机导出相同的证书并将其导入新计算机

同样的问题