.NET应用程序代码签名 [英] .NET application code signing
问题描述
我有一个由.exe和.dll组成的应用程序,它们打包在由Visual Studio中的InstallShield Limited Edition构建的setup.exe中。我想在Internet上分发该应用程序,并试图了解我在代码签名方面需要做的事情,以避免在下载和安装时来自Windows的警告消息。尽管VS提供了签名文件的功能,但是否最好从DigiCert,Comodo,Symantec等CA购买数字证书?我是否只需要签名setup.exe而不是2 .NET程序集?因为我注意到安装完成后,应用程序本身运行时没有任何警告(无论如何在Windows 8.1中),或者OS a / o浏览器足够聪明,可以在下载或安装时在程序集中查看setup.exe文件。 ?
I have an application consisting of an .exe and a .dll, which are packaged in a setup.exe that's built with InstallShield Limited Edition in Visual Studio. I want to distribute the application on the Internet, and am trying to understand what I need to do in terms of code signing to avoid warning messages from Windows at download and install time. Although VS provides the ability to sign files, would it be preferable to buy a digital certificate from a CA such as DigiCert, Comodo, Symantec, etc.? Do I just need to sign the setup.exe and not the 2 .NET assemblies? Because I notice that once the install is complete, the application itself runs without warnings (In Windows 8.1 anyway) -- or is the OS a/o browser smart enough to look inside the setup.exe file at the assemblies at download or install time?
推荐答案
您在这里有两个问题
虽然VS提供了签名文件的功能,但还是最好从DigiCert,Comodo,Symantec等CA那里购买数字证书吗?
Although VS provides the ability to sign files, would it be preferable to buy a digital certificate from a CA such as DigiCert, Comodo, Symantec, etc.?
要避免收到警告消息,目标计算机必须信任用于签名程序的证书。做到这一点的两种方法是在受控环境(例如Active Directory域)中,在该环境中,您可以推出在VS中用于签署应用程序的专用CA的证书,或者使用您知道目标计算机的证书。将已经像DigiCert,Comodo,Symantec等一样受到信任。如果将安装程序放在Internet上,则需要支付代码签名证书。
For you not to get a warning message the certificate you use to sign your program must be trusted by the target computer. The two ways to do this is be in a controlled environment (like a Active Directory Domain) where you can push out the certificate for the "private CA" you used in VS to sign your app or use a certificate that you know the target computer will already trust like DigiCert, Comodo, Symantec, etc. If you are putting your installer on the internet you will need to pay for a code signing certificate.
我是否只需要签署setup.exe而不是2个.NET程序集?
Do I just need to sign the setup.exe and not the 2 .NET assemblies?
操作系统/浏览器将而不是窥视安装程序,只需要对安装程序本身进行签名,但是设置步骤也将对安装程序中的文件进行签名。
The os/browser will not "peek inside" the installer, only the installer itself needs to be signed however the steps to set that up will also sign the files inside the setup anyway.
来自
Instructions from Install Shield's website for signing files for InstallShield 2012 Express Edition:
为发布及其文件配置数字签名:
- 在准备发布下的视图列表中,单击发布。
- 在构建资源管理器中,单击要签名的版本。
- 单击签名选项卡。
- 适当配置以下设置:
- 证书URL
- 数字证书文件
- 私钥文件-请注意,如果指定.pfx文件,则无需指定.pvk文件。
- 证书密码
- In the View List under Prepare for Release, click Releases.
- In the Builds explorer, click the release that you want to sign.
- Click the Signing tab.
- Configure the following settings as appropriate:
- Certificate URL
- Digital Certificate File
- Private Key File—Note that if you specify a .pfx file, you do not also need to specify a .pvk file.
- Certificate Password
这些说明适用于Express Edition,而不是Limited Edition。我发现此代码项目页面限量版鞋子的 UltraDynamo具有类似的签名标签屏幕。
These instructions are for the Express Edition, not the Limited Edition. I found this Code Project page for somthing called "UltraDynamo" which shoes the limited edition has a similar signing tab screen.
这篇关于.NET应用程序代码签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
