已签名的程序集阻止我的服务启动 [英] Signed assemblies prevent my service from starting

问题描述

当我使用Verisign signtool.exe对服务中的程序集进行签名时，在运行Windows 2003 Server的计算机上，计算机启动时无法启动。事件日志有两个事件：

When I sign the assemblies in my service with the Verisign signtool.exe, it fails to start when the machine starts, on a machine running Windows 2003 Server. The event log has two events:

超时（30000毫秒），等待xxx服务连接。
和
xxx服务服务由于以下错误而无法启动：
该服务未及时响应启动或控制请求。

"Timeout (30000 milliseconds) waiting for the xxx Service service to connect." and "The xxx Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion."

一旦机器运行，它就会开始正常运行。在XP和Vista中可以正常启动。当程序集未签名时，它开始正常。

It starts fine once the machine is running. It starts fine in XP and Vista. It starts fine when the assemblies are unsigned.

推荐答案

对于已签名的.NET服务可执行文件，此问题非常普遍：该服务将无法在启动时启动，但可以正常运行之后手动启动时。是否使用ServiceBase.RequestAdditionalTime无关紧要：实际上，在服务启动请求超时之前根本不执行任何用户代码。在没有Internet连接的计算机上，这种影响更加明显：在这种情况下，即使从SCM手动启动服务也会失败。

This problem is very common for signed .NET service executables: the service will fail to start at boot time, but run fine when started manually afterwards. Whether ServiceBase.RequestAdditionalTime is used is irrelevant: in fact, no user code is executed at all prior to the service start request timing out. This effect is even more pronounced on machines without Internet connectivity: in that case, even manually starting the service from the SCM will fail.

要解决此问题，在加载时禁用Authenticode签名的验证，以便创建发布者证据，方法是在.exe.config文件中添加以下元素：

To resolve this issue, disable the verification of the Authenticode signature at load time in order to create Publisher evidence, by adding the following elements to your .exe.config file:

<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

发布者证据是一种很少使用的代码访问安全性（CAS）功能：仅当您的服务依赖于PublisherMembershipCondition将禁用它导致的问题。在所有其他情况下，它将不再需要运行时进行昂贵的证书检查（包括吊销列表查找），从而消除了永久性或间歇性启动失败。

Publisher evidence is a little-used Code Access Security (CAS) feature: only if your service relies on the PublisherMembershipCondition will disabling it cause issues. In all other cases, it will make the permanent or intermittent startup failures go away, by no longer requiring the runtime to do expensive certificate checks (including revocation list lookups).

编辑，2010年7月：对于使用.NET Framework 4.0版的应用程序，不再需要此解决方法。

Edit, July 2010: For applications using version 4.0 of the .NET Framework, this workaround is no longer required.

这篇关于已签名的程序集阻止我的服务启动的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！