使用signtool创建密钥和签名可执行文件
如何签署 Visual C# 可执行文件?
SignTool.exe 找不到证书。
我如何创建自签名密钥和证书,并使signtool能够查看并使用证书?
OpenSSL 和 Visual Studio 2010 Express 已安装。运行 Windows 7 旗舰版 x64。
使用 Windows 驱动程序工具包中的 SignTool.exe。
How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用自签名证书对二进制文件进行数字签名几乎违背了使用数字证书的概念程序。基本思想是证明代码是由您创建的(真实性)并且自您发布以来没有被修改过(完整性)。这必须通过使用由受信任的证书颁发机构 (CA) 签署的签名证书来完成。
使用 .Net,当二进制文件经过数字签名时,它是 在启动期间自动验证完整性和真实性。虽然我没有亲自测试过这一点,但使用自签名证书可能会给您带来很多问题。
如果您想对程序进行数字签名,则需要购买来自 CA 的代码签名证书。有许多公司可以提供此服务(Verisign、Thawte),需付费。
虽然费用可能看起来有点过高,但请记住,您不仅购买数字证书,还购买该证书的 24/7 验证。每当有人启动您的程序时,它都会确保该程序是由您编写的,并且自您发布以来该程序没有被更改。
获得证书后,您可以按照 如何:签署应用程序和部署清单。
更新:如果此计划严格来说是一个内部应用程序(仅限于您或您的企业),您可以创建自己的 CA。由于您是唯一运行它的人,因此只有您需要验证它。 CA 证书需要作为受信任的根证书安装在所有运行该程序的计算机(或者如果您有权访问 Windows Server,则可以设置一个真正有效的 CA)。
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can created your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).