如何对 Visual Studio .msi 的安装文件进行签名
我最近从 globalsign 购买了authenticode 证书,但在签署部署文件时遇到问题。有几个由项目生成的 .exe 文件,然后放入 .msi 中。当我使用 Signtool 签署 .exe 文件时,证书有效并且运行正常。问题是,当我构建 .msi(使用 Visual Studio 安装项目)时,.exe 文件丢失了签名。因此,我可以在构建后对 .msi 进行签名,但安装的 .exe 文件会继续整个“未知发布者”业务。如何保留这些文件的签名以便在客户端计算机上安装?
I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .exe files with the signtool the certificate is valid and they run fine. The problem is that when I build the .msi (using the visual studio setup project) the .exe files lose their signatures. So I can sign the .msi after it is built, but the installed .exe files continue the whole "unknown publisher" business. How can I retain the signature on these files for installation on the client machine?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
Visual Studio 在编译时创建两个文件夹:obj 和 bin。事实证明,至少在我的情况下,输出始终会从 obj 文件夹复制到 bin 文件夹中。我对 bin 文件夹中的可执行文件进行了签名,只是为了将它们覆盖然后打包到 msi 中。对 obj 文件夹中的可执行文件进行签名解决了问题。
Visual Studio creates two folders at compile time: obj and bin. Turns out, at least in my case, the output will always be copied from the obj folder into the bin folder. I was signing the executables in the bin folder only to have them overwritten and then packaged into the msi. Signing the executables in the obj folder solved the problem.
您可以将以下 PostBuildEvent 添加到 VS 安装项目(项目属性):
Windows 8.0:
Windows 10:
请参阅此 MSDN 文档了解 Signtool 的用法。您可以使用 /f 标志来指定签名证书,使用 /p 来指定证书的密码等。
另外,请注意 $(BuildOuputPath) 拼写错误。 这是故意的。 谢谢微软...
You can add the following PostBuildEvent to your VS Setup project (project properties):
Windows 8.0:
Windows 10:
See this MSDN documentation for signtool usage. You can use the /f flag to specify the signing certificate, /p to specify the cert's password, etc
Also, note that $(BuildOuputPath) is misspelled. This is on purpose. Thanks microsoft...
其他选项(我正在做的选项)是首先创建 .msi,然后使用 pfx(证书)对其进行签名。
(我使用的是在 globalsign.com 购买的代码签名证书)
打开 CMD:
运行-> powershell
证书所在位置运行并保存指纹:
PS C:\Windows\system32> Get-PfxCertificate -FilePath .\CompanyCertificate.pfx
将得到类似 ABCFEDRABF229B78BF9C40EC47007C1234567890 的内容,您必须在以下执行行中替换您的值。
然后找到 singtool.exe 所在位置并转到那里(在我的情况下为 Win 10,msi 也必须位于同一路径中)并执行以下命令:
成功签名的文件数: 1
警告数量:0
错误数量:0
恭喜您成功!
您将在 .msi 属性下看到这个新选项卡:
最后尝试安装它:
Other option (The one that I'm doing) is creating the .msi first and then sign it using a pfx (certificate).
(I'm using a Code Signing Certificate that I bought at globalsign.com)
Open CMD:
run -> powershell
Where the certificate is located run and save the thumbprint:
PS C:\Windows\system32> Get-PfxCertificate -FilePath .\CompanyCertificate.pfx
Will get something like this ABCFEDRABF229B78BF9C40EC47007C1234567890, you must replace your value in the following execution line.
Then find where the singtool.exe is located and go there (Win 10 in my case, the msi must be in the same path as well) and execute the following:
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
Congrats you got it!
You will see this new tab under .msi properties:
And finally try to install it: