PowerShell Set-AuthenticodeSignature - IncludeChain Options Advantages/Disadvantages?


Question


When using Set-AuthenticodeSignature, there is an option called IncludeChain. While there is documentation about what each of the options is, I haven't been able to uncover much guidance surrounding the advantages/disadvantages of each setting (when you would pick one setting over another).

Everywhere I see IncludeChain in examples, it is always set to All. I think All is likely the best answer, but I'd like to understand the benefits and disadvantages of each of the settings.

  • Signer
  • NotRoot (default)
  • All

Other than All making the file quite a bit bigger, what are the specific advantages and disadvantages of each of the settings?

References

Example

# Load the code-signing certificate (with its private key) from a PFX file.
$certPfx = "super secret location"
$certPassword = "super secret password"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfx, $certPassword)

# Sign the script, countersign it with a timestamp, and embed the full chain.
Set-AuthenticodeSignature -FilePath "ps1 file location" `
  -Certificate $cert `
  -TimestampServer "url to timestamp server" `
  -IncludeChain All `
  -HashAlgorithm SHA256

Solution

Default NotRoot is the best option.

  • Signer

pros: when you put only the signer certificate, the signature size is relatively small.

cons: if the recipient does not have all the information to construct the chain, a valid signature may become invalid. In addition, certificate retrieval from the internet causes noticeable delays during signature validation.

  • NotRoot

pros: reduces signature validation time by speeding up chain building with the attached intermediate CA certificates. In the case when no extra information about chain certificates is available (say, through the local store or the AIA extension), these certificates fill the gap and greatly help in chain building.

cons: signature size is increased by about 2kb per intermediate CA certificate.

  • All

pros: reduces signature validation time by speeding up chain building with the attached intermediate CA certificates.

cons: signature size is increased by about 2kb per CA certificate. This option includes the root CA, which is redundant information. If the client already has the root certificate trusted (and as a result it is already installed), the included root CA certificate does not provide any helpful information. If the client does not have the root certificate, its inclusion in the signature doesn't make sense either.
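To see concretely what each IncludeChain value embeds, here is an added example (not from the question or the answer above) that signs a copy of a script three times and decodes the PKCS#7 blob that PowerShell appends to .ps1 files, listing the certificates carried in each signature. The PFX path, password and script path are placeholders, and timestamping is omitted so the certificate counts reflect IncludeChain alone.

```powershell
# Added example; assumes a code-signing PFX at $certPfx and a script to sign
# at $scriptToSign (all three values are placeholders). Requires Windows.
$certPfx      = 'C:\placeholder\codesign.pfx'
$certPassword = 'placeholder-password'
$scriptToSign = 'C:\placeholder\script.ps1'

# SignedCms lives in different assemblies on Windows PowerShell 5.1 and PowerShell 7.
if ($PSVersionTable.PSEdition -eq 'Core') {
    Add-Type -AssemblyName System.Security.Cryptography.Pkcs
} else {
    Add-Type -AssemblyName System.Security
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfx, $certPassword)

function Get-EmbeddedSignatureCertificates {
    # A signed .ps1 carries its PKCS#7 signature as base64 text between the
    # "# SIG # Begin/End signature block" comment markers. Decode it and return
    # every certificate the signer embedded; this set is what IncludeChain controls.
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -Path $Path
    $start = [array]::IndexOf($lines, '# SIG # Begin signature block')
    $end   = [array]::IndexOf($lines, '# SIG # End signature block')
    if ($start -lt 0 -or $end -le ($start + 1)) { return @() }
    $b64 = ($lines[($start + 1)..($end - 1)] -replace '^# ', '') -join ''
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([Convert]::FromBase64String($b64))
    return $cms.Certificates
}

foreach ($mode in 'Signer', 'NotRoot', 'All') {
    $target = Join-Path $env:TEMP "includechain-$mode.ps1"
    Copy-Item -Path $scriptToSign -Destination $target -Force
    # No -TimestampServer here, so the counts below are due to IncludeChain only.
    $sig = Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
        -IncludeChain $mode -HashAlgorithm SHA256
    $embedded = @(Get-EmbeddedSignatureCertificates -Path $target)
    [pscustomobject]@{
        IncludeChain = $mode
        Status       = $sig.Status           # Valid only if the chain is trusted on this host
        FileBytes    = (Get-Item $target).Length
        Certificates = $embedded.Count       # Signer: 1; NotRoot: + intermediates; All: + root
        Subjects     = ($embedded | ForEach-Object { $_.GetNameInfo('SimpleName', $false) }) -join '; '
    }
}
```

Comparing the FileBytes column across the three rows shows the per-certificate growth the answer describes, and the Subjects column makes the redundant root entry under All visible.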
