代码签名证书过期后会发生什么?
我正在考虑从 VeriSign 或 Thawte 购买代码签名证书来签署 XBAP。 我的问题是:证书过期后会发生什么? 对于 1 年/2 年证书来说,299 美元和 599 美元是相当高的价格,如果我必须在证书到期时向客户提供新签名的版本,那么我只需处理为证书创建自己的证书的麻烦。现在。
我不喜欢创建自己的证书,因为很难将其分发到将使用我的 XBAP 的所有客户端计算机。 我的应用程序只能在 LAN 上使用,所以我想我总是可以使用 Windows Installer 来安装我的自制证书(尽管我不确定如何执行此操作 - 有人有任何想法吗?)。
如果我交付部分信任应用程序,这实际上不会成为问题 - 但我的应用程序需要 Web 权限,因为它将与 WCF 服务通信,因此它处于部分信任和完全信任之间的灰色区域,并且没有证书,当我尝试加载 XBAP 时,我收到有趣的 ole Trust Not Granted 消息。
有任何想法吗?
I am considering purchasing a code signing certificate from VeriSign or Thawte to sign an XBAP with. My question is this: What happens when that certificate expires? $299 and $599 are pretty hefty prices for 1-year/2-year cerificates, and if I have to deliver a newly signed build to my customers whenever my certificate expires, then I'll just deal with the hassle of creating my own certificate for now.
What I don't like about creating my own certificate is the difficulty in distributing it to all of the client machines that will be using my XBAP. My application will only ever be used on a LAN, so I suppose I could always use Windows Installer to install my home brewed certificate (although I'm unsure on how to do this - anyone have any ideas?).
This wouldn't really be a problem if I was delivering a partial trust application - but my application needs Web permissions, since it will be talking to WCF services, so it is in that grey area between partial trust and full trust, and without a certificate, I get that fun ole Trust Not Granted message when I try to load my XBAP.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
如果您在证书有效时为代码添加时间戳,那么过期的证书仍然有效。
来自 Thawte 代码签名证书常见问题解答:
代码签名证书可以使用多长时间?
代码签名证书过期后带时间戳的代码是否有效?
If you timestamp your code while the certificate is valid the effect is that your expired certificates are good.
From Thawte Code Signing Certificate FAQs:
How long can I use a Code Signing Certificate for?
Is timestamped code valid after a Code Signing Certificate expires?
留意设置了 WTD_LIFETIME_SIGNING_FLAG 的证书:这意味着(不管您从名称中想到什么)使用该证书签名的程序在证书过期后无效,即使该程序没有更改,并且证书在签署时有效。
这也会影响更新,因为即使客户选中该框以信任您公司的所有程序,如果您的更新程序未使用相同的证书进行签名(或该证书过期),那么信任就会失败。
从:
http://download.microsoft.com/download/ 9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
使用生命周期签名语义进行时间戳处理
不希望时间戳签名成功验证的应用程序或证书颁发机构无限期的时间有两种选择:
• 在发布者的签名证书中设置生命周期签名者 OID。
如果发布者的签名证书除了 PKIX 代码签名 OID 之外还包含生命周期签名者 OID,则当发布者的签名证书过期时,即使签名带有时间戳,签名也会变得无效。 生命周期签名者 OID 定义如下:
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
• 调用 WinVerifyTrust 时,在 WINTRUST_DATA 结构中设置 WTD_LIFETIME_SIGNING_FLAG。
如果 WinVerifyTrust 调用方在 WINTRUST_DATA 结构中设置 WTD_LIFETIME_SIGNING_FLAG 并且发布者的签名证书已过期,则即使签名带有时间戳,WinVerifyTrust 也会报告签名无效。
如果发布者撤销包含生命周期签名者 OID 的代码签名证书,或者 WinVerifyTrust 调用者在 WINTRUST_DATA 结构中设置 WTD_LIFETIME_SIGNING_FLAG,则在满足以下两个条件的情况下,WinVerifyTrust 会将签名报告为有效:
• 签名的时间戳早于撤销日期。
• 签名证书仍在有效期内。 有效期届满后,签名失效。
例如:
https://forum.startcom.org/ viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827
这是 StartSSL 证书的一个严重问题。 对于成本如此之低的证书存在限制,我并不感到惊讶,但是将这种限制埋在精美的印刷品或旧的论坛帖子中,而不是在产品描述中明确说明是很糟糕的生意。 他们可能会在将来修复它,而其他人可能有也可能没有相同的限制,因此在您消费之前检查电子邮件可能是明智的选择。
猜猜谁不知道要问? 哈哈……好吧,活到老,学到老。
Watch out for certificates with WTD_LIFETIME_SIGNING_FLAG set: It means (despite what you mind assume from the name) that a program signed with the certificate is invalid after the certificate expires, even though the program hasn’t changed, and the certificate was valid when it was signed.
This also affects updates, in that even if the customer checks the box to trust all programs from your company, if your update program isn't signed with the same cert (or that cert expires) then the trust fails.
From:
http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
Timestamp Processing with Lifetime Signing Semantics
Applications or certification authorities that do not want timestamped signatures to verify successfully for an indefinite period of time have two options:
• Set the lifetime signer OID in the publisher’s signing certificate.
If the publisher’s signing certificate contains the lifetime signer OID in addition to the PKIX code signing OID, the signature becomes invalid when the publisher’s signing certificate expires, even if the signature is timestamped. The lifetime signer OID is defined as follows:
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
• Set the WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure when calling WinVerifyTrust.
If a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure and the publisher’s signing certificate has expired, WinVerifyTrust reports the signature as invalid even if the signature is timestamped.
If a publisher revokes a code signing certificate that contains the lifetime signer OID or a WinVerifyTrust caller sets WTD_LIFETIME_SIGNING_FLAG in the WINTRUST_DATA structure, WinVerifyTrust reports the signature as valid if both of the following conditions are met:
• The signature was timestamped before the revocation date.
• The signing certificate is still within its validity period. After the validity period expires, the signature becomes invalid.
For Example:
https://forum.startcom.org/viewtopic.php?f=15&t=2215&p=6827&hilit=lifetime+signing#p6827
That is a serious problem with StartSSL certificates. It doesn't surprise me that there are limitations in a certificate that cost so little, but burying this limitation in the fine print or in an old forum post instead of making it clear in the product description is poor business. They may fix it in the future, and others may or may not have the same limitation so an email to check before you spend might be wise.
Guess who didn't know to ask? LOL... oh well, live and learn.
如果您确保在签署二进制文件时添加时间戳,则在证书过期时无需重新签署它们。 只需添加“/t http://timestamp.verisign.com/scripts/timstamp.dll”到signtool的命令行,数字签名将始终被标记为有效,除非证书被吊销并且CA是可信的。
代码签名证书如此昂贵的原因是必须有人验证您的身份。 就我而言,他们核实了地址和电话号码,并给我打电话。 不过 Comodo 的证书似乎稍微便宜一些。
If you make sure to add a time stamp when signing binaries, you won't have to re-sign them when the certificate expires. Just add "/t http://timestamp.verisign.com/scripts/timstamp.dll" to the command line of signtool and the digital signature will always be marked as valid unless the certificate is revoked and the CA is trusted.
The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are. In my case they verified the address and phone number, and phoned me up. Comodo's certificates appear to be slightly cheaper though.
如果您计划在封闭(LAN)环境中使用它,您应该做的是设置您自己的 CA。 Windows Server 版本包括易于使用的证书颁发机构,但更简单的是通过 openssl,它由几个脚本组成。 您可以在 Windows 上的 Cygwin 或 本机。 这个 demoCA 由几个 perl/bash 脚本组成,这些脚本调用 openssl 命令来生成请求、签署证书/crls 等。
当您拥有自己的 CA 时,您需要安装的是您的 CA 根证书,这样就不会再有更新用户的麻烦了证书,因为 CA 证书将保持不变。 通常,CA 证书的有效期应为 5-10 年,但您可以根据需要进行配置(请记住,这是您自己的 CA)。
CA 证书将安装在每台客户端计算机上。 如果您的应用程序信任 Windows 系统安全性,则应将其安装在 IExplorer 证书颁发机构密钥库上。 如果您使用 Java 应用程序,那么您应该在您使用的 Java 密钥库中分发 CA 证书。
What you should do if you plan to use it in a closed (LAN) environment is to setup your own CA. Windows Server versions include easy to use Certification Authority but even easier is to setup a minimal CA by means of the demoCA provided by openssl, which consists of several scripts. You can run openssl demoCA in Cygwin on Windows or natively. This demoCA consists of several perl/bash scripts that call openssl commands to generate requests, sign certificates/crls, etc.
When you have your own CA what you need to install is your CA root certificate so there will be no more hassles to update user certificates since the CA certificate will stay the same. Typically a CA certificate should last for 5-10 years, but you can configure as much as you want (remember that it is your own CA).
The CA certificate will be installed on every client machine. If your application trusts Windows System security it should be installed on IExplorer Certificate Authorities keystore. If you use a Java Application then you should distribute the CA certificate inside the Java keystore you use.
刚刚遇到这个问题。 我在这篇文章中找到了 解释并结合 @BCran 的回答 我解决了它。 总结:
例如,您可以在 VS.NET 2017 中执行此操作:
如果该 URL 不起作用,您可以使用任何服务,以下是一堆有效的 URL:https://stackoverflow.com/a/9714864/72350
Just had this problem. I found in this article the explanation and together with @BCran's answer I solved it. Summary:
This is how you would do it in VS.NET 2017 for example:
If the URL doesn't work, you can use any service, here are a bunch of URLs that work: https://stackoverflow.com/a/9714864/72350
当心Windows Defender。
您永远不希望您的证书过期,或者尽可能长地过期,这似乎是 10 年。
一旦您的证书过期,Windows 将无法识别替换证书。 您的应用程序会到达队列末尾,就好像它是由完全不同的组织签署的一样。
这意味着用户在下载时会收到令人讨厌的消息,并且可能根本无法运行您的代码,具体取决于组策略。 这种情况将持续下去,直到大量不同的人忽略了可怕的警告并安装了您的软件。
当然,时间戳服务器将使现有程序能够在证书过期后运行,但升级将是一个问题。
对于本地使用的软件来说这不是问题,但如果您想广泛分发您的软件,这就是一个大问题。
BEWARE WINDOWS DEFENDER.
You never want your cert to expire, or as long as possible, which seems to be 10 years.
Once your cert expires, windows will not recognize a replacement cert as such. Your applications goes to the end of the queue, as if it was signed by a completely different organization.
This means that users will get nasty messages if they download, and may not be able to run your code at all depending upon group policies. This will continue until a large number of different people have ignored the dire warnings and installed your software.
Sure, a timestamp server will enable existing programs to run after the cert expires, but upgrades will be a problem.
This is not an issue for locally used software, but a big issue if you want to distribute your software widely.
BCran 写道:“代码签名证书如此昂贵的原因是必须有人验证你的身份。”
你可以说我很愚蠢,但是有没有人想过这样的想法:开发人员可以在构建时自己计算可执行应用程序的确切大小,以及是否在计算出的数字中包含开发人员的身份,将哈希值插入与应用程序进行加密形式,并决定是否对应用程序进行时间限制或使其永久运行(因为用户计算机上已有的可执行代码在 1、3、5、10 年后不太可能自行恶化或更改) 、100、100 万年)?
此外,如果有人可以验证您的电话号码和/或地址,也没有任何区别。 如果开发人员选择的话,这些事情可以很容易地改变,但应用程序的代码却不能。
优势:
开发人员执行此任务无需花费任何费用。 同时,只要用户愿意使用(或开发者允许使用)并且应用程序不被篡改,他们仍然可以放心使用有效且安全的应用程序。 或者苹果和微软等大玩家以及证书颁发者是否必须哄骗开发者接受为这项服务持续付费?
注意:我对代码签名应用程序的天真和原始理解是防止任何人篡改应用程序的代码。 但我越看越觉得,这更像是第三方个人和组织从开发者那里赚钱的机会,无论是富人还是不那么富有的人。 好吧,必须有人去做努力找出你是谁。 但我在互联网上看到的这项服务的价格存在巨大差异,而且如此强调 1 或 3 年期限,没有选择永久终身签名的应用程序,这表明我们有人在城市里拥有非常昂贵的办公室来支付他们的费用。房租和他们高额的工资。
为什么开发人员不要求 Apple 和 Microsoft 提供对开发人员来说更加友好且对用户来说同样安全可靠的安全解决方案? 或者在下载时在开发人员的网站上提供最终安装程序文件的确切大小(以字节为单位),以便用户可以检查。 任何额外或丢失的字节都足以告诉用户存在问题。 迫使开发人员拥有自己的网站,这样每个人都可以看到他们是谁,以及在哪里可以获得合法且未经篡改的软件副本,并杜绝软件下载网站抓取开发人员软件的副本以从其网站下载。 一切都应该在开发人员的网站上完成,而不是在其他地方。
BCran wrote: "The reason code signing certificates are so expensive is that someone has to verify that you are who you say you are."
Call me stupid, but has anyone thought of the idea that developers can do their own calculating of the exact size of their executable apps at time of being built and whether or not to include a developer's identity with the calculated number, insert the hash number in encrypted form with the app, and decide whether or not to time-limit the app or make it work in perpetuity (since the executable code already on a user's machine is unlikely to deteriorate or change on its own after 1, 3, 5, 10 , 100, 1 million years)?
Furthermore, it doesn't make any difference if someone can verify your phone number and/or address. Those things can change very easily if a developer chooses, but not the app's code.
Advantage:
It costs nothing to the developer to perform this task. At the same time, users can still be assured of a valid and safe app for as long as they wish to use it (or allowed to use it by the developer) and the app remains untampered with. Or must the big players, such as Apple and Microsoft and certificate issuers, cajole developers into accepting to pay continuously for this service?
NOTE: My naive and original understanding of a code-signed app is to prevent tampering of the app's code by anyone. But the more I look at this, it looks more like it is an opportunity for third-party individuals and organisations to make money off of developers, from the rich and not so rich. Okay, someone has to do the work of trying to find out you are who you are. But the vast differences in prices I see across the internet for this service and so much emphasis on 1 or 3 year periods with no option of a perpetual lifetime signed app suggests that we have people out there with very expensive offices in the city to pay their rent and their hefty salaries.
Why don't developers demand the type of security solution from Apple and Microsoft that is far friendlier on the developers' pockets and just as secure and safe for the users? Or else give the exact size in bytes of the final installer file on the developer's web site at time of download and users can check. Any extra or loss of bytes from what's stated should be enough to tell users there is a problem. Force developers to have their own web site so everyone can see who they are and where to get a legitimate and untampered copy of the software and put an end to software download sites grabbing copies of the developer software to download from their sites. Everything should be done from the developer's site and no where else.
代码签名证书不是“托管”的,这意味着它们不会自行更新...一旦过期,您很可能必须购买新的证书。
您可以设置一个证书颁发机构 (CA) - 如果您是一家仅使用 Windows 的商店,请坚持使用基于 Windows 的 CA,但除此之外,我建议使用类似 DogTag 证书系统。
请注意,如果您创建自己的 CA,则需要导出公共 CA 证书并将其安装在任何将运行由该颁发的代码签名证书签名的代码/脚本的服务器上(因此它作为根 CA 受到信任)加利福尼亚州。 与每 X 年支付一次证书相比,这要便宜得多(免费?) - 更不用说您可能因各种原因/用途而颁发的其他证书了!
Code signing certs are not "managed" meaning they do not update themselves... chances are you have to purchase a new one once it expires.
You can set up a Certification Authority (CA) - stick with a windows-based CA if you're a windows-only shop but otherwise I'd recommend Linux with something like DogTag Certificate System.
Note that if you create your own CA, you'll need to export the public CA cert and install that (so it's trusted as a root CA) on any server that will run code/scripts signed by a code-signing cert issued by that CA. This is far, far cheaper (free?) compared to paying for a cert every X years - not to mention the other certs you could issue for various reasons/uses!