如何在 Windows 上创建用于代码签名的自签名证书?
如何使用 Windows SDK 创建用于代码签名的自签名证书?
How do I create a self-signed certificate for code signing using the Windows SDK?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
对于设备驱动程序,您可以在 Visual Studio 2019 的项目属性中生成一个。 在“驱动程序签名”部分中,“测试证书”字段有一个下拉列表。 生成测试证书是选项之一。 该证书将位于扩展名为“cer”的文件中,通常与可执行文件或驱动程序位于同一输出目录中。
打开项目的属性:
然后打开“驱动程序签名”部分,然后单击左侧的“常规”。
单击“测试证书”右侧的下拉菜单,然后选择“<创建测试证书...>”
For device drivers, you can generate one in Visual Studio 2019, in the project properties. In the Driver Signing section, the Test Certificate field has a drop-down. Generating a test certificate is one of the options. The certificate will be in a file with the 'cer' extension typically in the same output directory as your executable or driver.
Open your project's properties:
Then open the 'Driver Signing' section and click on General on the left side.
Click on the drop down to the right of 'Test Certificate' and select '<Create Test Certificate...>'
这篇文章将仅回答“如果有证书,如何签署 EXE 文件”部分:
签名一个 Windows EXE 文件
为了对 exe 文件进行签名,我使用了 MS“signtool.exe”。 为此,您需要下载臃肿的 MS Windows SDK,其大小高达 1GB。 幸运的是,您不必安装它。 只需打开 ISO 并提取“Windows SDK Signing Tools-x86_en-us.msi”即可。 它只有 400 KB。
然后我构建了这个小脚本文件:
__
This post will only answer the "how to sign an EXE file if you have the certificate" part:
Signing a Windows EXE file
To sign the exe file, I used MS "signtool.exe". For this you will need to download the bloated MS Windows SDK which has a whooping 1GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It has a merely 400 KB.
Then I built this tiny script file:
__
从 PowerShell 4.0 (Windows 8.1/Server 2012 R2) 开始,可以在Windows 没有 makecert.exe< /a>.
您需要的命令是 New-SelfSignedCertificate 和 导出 PfxCertificate。
说明位于使用 PowerShell 创建自签名证书 。
As of PowerShell 4.0 (Windows 8.1/Server 2012 R2) it is possible to make a certificate in Windows without makecert.exe.
The commands you need are New-SelfSignedCertificate and Export-PfxCertificate.
Instructions are in Creating Self Signed Certificates with PowerShell.
罗杰的回答非常有帮助。
不过,我在使用它时遇到了一些麻烦,并且不断出现红色的“Windows 无法验证此驱动程序软件的发布者”错误对话框。 关键是安装测试根证书,
罗杰的答案并没有完全涵盖。
这是一个对我有用的批处理文件(带有我的 .inf 文件,不包括在内)。
它展示了如何从头到尾完成这一切,根本不需要 GUI 工具
(除了一些密码提示之外)。
Roger's answer was very helpful.
I had a little trouble using it, though, and kept getting the red "Windows can't verify the publisher of this driver software" error dialog. The key was to install the test root certificate with
which Roger's answer didn't quite cover.
Here is a batch file that worked for me (with my .inf file, not included).
It shows how to do it all from start to finish, with no GUI tools at all
(except for a few password prompts).
使用
New-SelfSignedCertificate
Powershell 中的命令。打开 powershell 并运行这 3 个命令。
您的证书
selfsigncert.pfx
将位于 @D:/
可选步骤: 您还需要将证书密码添加到系统环境变量中。 通过在 cmd 中输入以下内容来执行此操作:
It's fairly easy using the
New-SelfSignedCertificate
command in Powershell.Open powershell and run these 3 commands.
Your certificate
selfsigncert.pfx
will be located @D:/
Optional step: You would also require to add certificate password to system environment variables. do so by entering below in cmd:
正如答案中所述,为了使用一种未弃用的方式来签署自己的脚本,应该使用 新的 SelfSignedCertificate。
[0] 将使此工作适用于您拥有多个证书的情况...显然使索引与您要使用的证书匹配...或使用一种方法过滤(按指纹或发行人)。
显然,一旦设置了密钥,您就可以简单地用它签署任何其他脚本。
您可以在 这篇文章。
As stated in the answer, in order to use a non deprecated way to sign your own script, one should use New-SelfSignedCertificate.
The [0] will make this work for cases when you have more than one certificate... Obviously make the index match the certificate you want to use... or use a way to filtrate (by thumprint or issuer).
Obviously once you have setup the key, you can simply sign any other scripts with it.
You can get more detailed information and some troubleshooting help in this article.
更新的答案
如果您使用以下 Windows 版本或更高版本:Windows Server 2012、Windows Server 2012 R2 或 Windows 8.1,则 MakeCert 现已弃用,Microsoft 建议使用 PowerShell Cmdlet New-SelfSignedCertificate。
如果您使用的是旧版本(例如 Windows 7),则需要坚持使用 MakeCert 或其他解决方案。 有些人建议公钥基础设施 Powershell (PSPKI) 模块。
原始答案
虽然您可以创建自签名代码签名证书(SPC - 软件发行商证书)一次性,我更喜欢执行以下操作:
创建自签名证书颁发机构(CA)
(^ =允许批处理命令行换行)
这将创建一个自签名(-r)证书,带有可导出的私钥 (-pe)。 它名为“My CA”,应放置在当前用户的 CA 存储中。 我们使用 SHA-256 算法。 密钥用于签名(-sky)。
私钥应存储在 MyCA.pvk 文件中,证书应存储在 MyCA.cer 文件中。
导入 CA 证书
如果您不信任 CA 证书,那么它就没有意义,因此您需要将其导入到 Windows 证书存储中。 您可以使用证书MMC管理单元,但是从命令行:
创建代码签名证书(SPC)
它与上面几乎相同,但是我们提供了颁发者密钥和证书( -ic 和 -iv 开关)。
我们还需要将证书和密钥转换为 PFX 文件:
如果您使用密码,请使用以下内容
如果您想保护 PFX 文件,请添加 -po 开关,否则 PVK2PFX 将创建一个没有密码的 PFX 文件。
使用证书对代码进行签名
(了解为什么时间戳可能很重要)
如果您将 PFX 文件导入到证书存储中(您可以使用 PVKIMPRT 或 MMC 管理单元),您可以按如下方式对代码进行签名:
signtool /t
的一些可能的时间戳 URL 为:http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.comodoca.com/authenticode
http:// /timestamp.digicert.com
完整的 Microsoft 文档
下载
For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: [SDK & .NET][5] (which installs makecert in `C:\Program Files\Microsoft SDKs\Windows\v7.1`). Your mileage may vary.
MakeCert 可从 Visual Studio 命令提示符获取。 Visual Studio 2015 确实有它,并且可以从 Windows 7 中的“开始”菜单中的“VS 2015 开发人员命令提示符”或“VS2015 x64 本机工具命令提示符”(可能全部都在同一文件夹中)下启动。
Updated Answer
If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate.
If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure Powershell (PSPKI) Module.
Original Answer
While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:
Creating a self-signed certificate authority (CA)
(^ = allow batch command-line to wrap line)
This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).
The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.
Importing the CA certificate
Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snapin, but from the command line:
Creating a code-signing certificate (SPC)
It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).
We'll also want to convert the certificate and key into a PFX file:
If you are using a password please use the below
If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.
Using the certificate for signing code
(See why timestamps may matter)
If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snapin), you can sign code as follows:
Some possible timestamp URLs for
signtool /t
are:http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.comodoca.com/authenticode
http://timestamp.digicert.com
Full Microsoft documentation
Downloads
For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: [SDK & .NET][5] (which installs makecert in `C:\Program Files\Microsoft SDKs\Windows\v7.1`). Your mileage may vary.
MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).