如何创建具有有效签名的预配置安装程序(MSI 或 EXE)? [英] How to create precofigured installer (MSI or EXE) with valid signature?
问题描述
我们希望我们的用户下载我们的 Windows 软件的预配置安装程序.预配置数据包括基于用户帐户数据的设置.定制将在运行在 Linux 上的 Java 服务器中完成.我们需要对这些安装程序进行数字签名.不幸的是,由于安全政策,我们无法在这些服务器上拥有私人签名密钥.
We want our users to download preconfigured installers of our software for Windows. Pre-configured data consists of settings based on user account data. The customization is to be done in a Java server running on Linux. We need to have those installers digitally signed. Unfortunately we cannot have private signing key on those servers, due to security policy.
您能想出将一些元数据放入 MSI 或 EXE 的方法,同时保留数字签名或其他方法来满足用例吗?
编辑:要求是下载单个文件,所以不幸的是并行 ini 文件不能满足它.它主要是关于提供一组连接点(特定于用户) - 我们不会打扰用户,因为我们已经知道他们.
EDIT: The requirement is to have a single file download, so unfortunately parallel ini file doesn't fulfill it. It is mostly about providing a set of connection points (specific to a user) - we are not to bother a user as we already know them.
推荐答案
与此同时,我找到了一种方法,可以在不使签名无效的情况下将数据添加到已签名的 EXE 中.是的,我也觉得不可能.这是一个可怕的黑客,它通过修改证书部分来工作,它不是签名的一部分,它位于文件的末尾.所以你可以附加到 EXE 的末尾,只是做一些节大小的固定.我检查它有效,签名有效,程序运行,AntiVirus 也没有抱怨.
Meanwhile I found a way to add data to a signed EXE without invalidating signature. Yes, I also thought it is impossible. It is terrible hack, which works by modifying certificate section, which is not part of signature and it is at the end of file. So you can append to the end of EXE and just do some fixing of section size. I checked it works, signatures are valid, program runs, AntiVirus doesn't complain as well.
方法说明:
- http://blog.barthe.ph/2009/02/22/change-signed-executable/
- http://reboot.pro/topic/15889-modify-a-signed-executable-without-invalidating-its-digital-signature/
添加有效载荷的工作程序:
Working program to add payload:
显然,由于被黑客入侵,它可能随时停止工作.
Obviously, as being hack it may stop working any time.
这篇关于如何创建具有有效签名的预配置安装程序(MSI 或 EXE)?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
