What is the difference between Authenticode, SPC and Java CodeSign?
Most CAs are selling code signing certificates in different "products", like Verisign or Certum:
Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..."
Java CodeSign - "Allows you to sign Java code"
Software Publisher Certificate - "Allows you to sign software"
Well, I am REALLY confused about this. What is the difference between all these products - except the PRICE? I asked Verisign and other CAs a few times since I am curious, but got no answer.
I got an Authenticode certificate from Certum CA. I enrolled it in Internet Explorer, exported it as PKCS#12 PFX and could sign EXE, DLL, ... as promised.
Now... I tried to import this PFX into Java with keytool, then I tried to sign a JAR. And it worked!
And then there is the mysterious "Software Publisher certificate" as product. I don't know what I can/should sign with that... Mac? Linux? Isn't "Microsoft Authenticode" a Software publisher certificate too? Isn't an EXE "software"? That really confuses me.
So, my question is now: When I have ordered a Microsoft Authenticode cert, is it then illegal to use it to sign e.g. JAR files or, if possible, any other content? There seems to be no technical difference between these certificates. All of those products should have the same codesigning EKU-OID "1.3.6.1.5.5.7.3.3", which does not make any difference between EXE, JAR, Adobe Air and whatever the hell else exists around there. So, if all "CodeSigning" certificates are technically equal, why do I have to decide then if I want to be a "Java Developer" or "Windows Developer" or "Software Developer"?
Maybe there are still differences in the certificate? Maybe I don't get enough rights in JARs when I use Authenticode certs for signing?
(PS: I do not use my software commercially!)
Comments (1)
As you guessed, there is no technical difference: the certificate provided works for any code signing context (except macOS/iOS, which use certificates issued by Apple). The CAs just try to deliver the certificate in a format suitable for the developer environment. For example a JKS file for Java developers signing JAR files, an SPC file (i.e. a DER-encoded PKCS#7 certificate) or a PKCS#12 file for Authenticode.
The code signing tools often accept various key and certificate formats:
Regardless of the format used, these tools will produce the same signature for a given file (except for the signing time and the timestamp of course).
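As an added example that is not part of the original answer, the following POSIX shell script walks the conversion the answer describes: it checks that the CA-issued certificate carries the codeSigning EKU, moves the same key and certificate from the PKCS#12 container into a JKS, and signs a JAR from the JKS copy. It assumes cert.pfx (the exported PKCS#12), the environment variables PFX_PASS, ALIAS and TSA_URL, app.jar as the file to sign, and OpenSSL 1.1.1 or newer for the -ext option.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed inputs: cert.pfx
# (the CA-issued PKCS#12), PFX_PASS (its password), ALIAS (the key alias in
# it), TSA_URL (your CA's timestamp service) and app.jar (the JAR to sign).
set -eu

CODESIGN_OID="1.3.6.1.5.5.7.3.3"

# Print the Extended Key Usage of a PEM certificate (OpenSSL >= 1.1.1).
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage
}

# Succeed if an EKU text names code signing, either by OpenSSL's long
# name or by the raw OID that every code-signing product shares.
eku_allows_codesigning() {
    printf '%s\n' "$1" | grep -qF -e "Code Signing" -e "$CODESIGN_OID"
}

sign_jar_with_pfx() {
    : "${PFX_PASS:?set PFX_PASS}" "${ALIAS:?set ALIAS}" "${TSA_URL:?set TSA_URL}"

    # 1. Take the end-entity certificate out of the PKCS#12 container.
    openssl pkcs12 -in cert.pfx -clcerts -nokeys \
        -passin "pass:$PFX_PASS" -out cert.pem
    eku="$(cert_eku cert.pem)"
    eku_allows_codesigning "$eku" || {
        echo "not a code-signing certificate: $eku" >&2
        return 1
    }

    # 2. Same key and certificate, different container: PKCS#12 -> JKS.
    keytool -importkeystore -srckeystore cert.pfx -srcstoretype PKCS12 \
        -srcstorepass "$PFX_PASS" -srcalias "$ALIAS" \
        -destkeystore cert.jks -deststoretype JKS -deststorepass "$PFX_PASS"

    # 3. Sign the JAR from the JKS copy and verify it; apart from the
    #    signing time and timestamp the signature is the one the PFX gives.
    jarsigner -keystore cert.jks -storepass "$PFX_PASS" \
        -tsa "$TSA_URL" -digestalg SHA-256 app.jar "$ALIAS"
    jarsigner -verify -verbose -certs app.jar
}

# Run the workflow only when the input container is present.
if [ -f cert.pfx ]; then sign_jar_with_pfx; fi
```

The same PFX can be handed to jarsigner directly with -storetype PKCS12; the JKS step only shows that the container format does not change what is signed.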