sn.exe 可以使用 Windows 证书存储吗?
要在 .NET 中使用 sn.exe 对程序集进行签名,是否可以指定其私钥仅包含在 Windows CryptoAPI 密钥库中的公钥?
我看到用于指定 CSP 名称和容器名称的选项。
是否有可用于访问 Windows 证书的值? (即那些可从 Windows EFS、Outlook、Internet Explorer 等访问的内容)
谢谢。
评论:具体来说,我问这个问题是因为有一些密钥没有将私钥标记为可导出,所以我无法导出 .pfx 并遵循该路线。
For signing an assembly with sn.exe in .NET, is it possible to specify a public key for which the private key is contained only within the Windows CryptoAPI keystore?
I see the option for specifying the CSP name, and the container name.
Are there values to use to access the Windows certificates? (i.e. those accessible from Windows EFS, Outlook, Internet Explorer, etc.)
Thank you.
Comment: Specifically, I am asking this because there are a few keys which do not have the private key marked as exportable, so I cannot export a .pfx and follow that route.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
本周末我也有同样的问题。
是,它可以配置为使用 Windows 证书存储,如果您真正具有安全意识,您绝对应该这样做。 它使得意外泄漏私钥变得非常困难(如果您使用像 Yubikey 这样的智能卡,则不可能泄漏私钥 - 操作系统永远不会看到它)。
我在两个中记录了如何执行此操作 不同,但我博客上的帖子中相关的礼仪。
如果您仅使用个人证书存储中的证书,而不使用智能卡,则相对容易。
在 PowerShell 中,您需要获取证书的详细信息:
您需要确定用于访问该密钥容器的密钥容器名称和 CSP(如果它不是智能卡,则默认 CSP 有效)
这将生成类似于以下内容的内容:以下:
在我的例子中,我使用的是 Yubikey,因此 CSP 是“Microsoft Base Smart Card Crypto Provider”。 这意味着为了对我的代码进行强名称签名,我需要运行:
在构建之前的某个时刻(仅一次,不需要每次构建都运行它,但是我已经链接到一些脚本来帮助解决第二篇文章中的问题)关于这个主题)。
这里有两个选项:告诉 sn.exe 创建一个仅包含公钥的密钥,并使用该密钥延迟签名(选中项目属性中“签名”选项卡底部的框),然后构建,使用
sn.exe -Rc "your-container-name" "key.snk"
进行签名,或者您可以使用简单的方法:AssemblyInfo 中的
文件如下:AssemblyKeyNameAttribute
.cs编译器将为您处理其他所有事情。 请记住,在尝试构建之前,您需要确保使用
sn.exe -c
设置您的 CSP,否则您将遇到 找不到密钥集构建时出现错误(以及密钥容器的名称)。I had the same question at the end of this week.
YES, it can be configured to use the Windows Certificate store and if you're being truly security conscious you should absolutely do this. It makes it very hard to accidentally leak the private key (and if you use a Smart Card like a Yubikey, it makes it impossible to leak the private key -- the OS never sees it).
I documented how to do this in two different, but related, manners in posts on my blog.
If you're just using a certificate in your personal certificate store, but not using a Smart Card, it's relatively easy.
In PowerShell, you need to get the details of your certificate:
You need to determine the Key Container Name and CSP that's used to access that key container (if it's not a smart card, the default CSP works)
This will produce something similar to the following:
In my case, I'm using a Yubikey, so the CSP is "Microsoft Base Smart Card Crypto Provider". This means in order to strong name sign my code, I need to run:
At some point before I build (only once, it needn't be run every build, however I have linked to some scripts to help with that in the second post on this subject).
There are two options from here: you tell sn.exe to create a key that contains only the public key and delay sign with that key (check the box at the bottom of the "Signing" tab in the project properties), then post-build, sign using
sn.exe -Rc "your-container-name" "key.snk"
or you can use the easy way:AssemblyKeyNameAttribute
in theAssemblyInfo.cs
file as follows:The compiler will handle everything else for you. Just bear in mind that you need to make sure your CSP is set using
sn.exe -c
before you try to build or you will get a Keyset not found error on build (along with the name of your key container).