如何安全地存储 .pfx 密码以在 MSBuild 中使用? [英] How do I securely store a .pfx password to use in MSBuild?

查看:18
本文介绍了如何安全地存储 .pfx 密码以在 MSBuild 中使用?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要将证书签名添加到我的构建中.下面是我编写的工作脚本示例,但它包含 .pfx 文件的密码.我无法在构建脚本中保留密码.在这种情况下,您会使用哪些最佳做法"或技巧?

I need to add certificate signing to my build. Below is a sample of the working script I wrote, however it includes the password to the .pfx file. I can't keep the password in the build script. What are "best practices" or hacks that you would use in this type of situation?

<ItemGroup Label="SignFiles">
  <SignFilesInclude="$(FileLocation)***.exe"/>
</ItemGroup>

<Exec Command="$(SignTool) sign /v /ac C:MSCV-VSClass3.cer /f C:Certificate.pfx /p Password /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)"/>

谷歌搜索后,我在多个地方读到,一旦您第一次使用密码运行脚本,.pfx 就会存储在证书存储中,之后构建脚本中就不需要密码了.这可行,但是我想确保这是最好的方法,或者更好的是,有一种方法可以避免将密码放入脚本中.

After googling, I read in multiple places that once you run the script the first time with the password, the .pfx is stored in the certificate store and the password won't be required in the build script after that. This works, however I want to make sure this is the best way to do it or better yet, there is a way to avoid putting the password in the script.

推荐答案

将您的 .pfx 文件导入到 Windows 证书管理器中,用于构建时使用的用户帐户.然后使用signtool/sha1开关选择正确的证书,不需要密码.

Import your .pfx-file to Windows Certificate Manager for the user account which is used when building. Then select the correct certificate using signtool's /sha1 switch, and no password is needed.

  1. 以构建用户身份登录
  2. 运行 certmgr.msc
  3. 右键单击证书 - 当前用户/个人/证书,然后选择所有任务/导入...
  4. 选择您的 .pfx 文件,输入密码,然后单击下一步完成
  5. 双击导入的证书
  6. 详情页面中,指纹算法应该是sha1
  7. 复制指纹,它看起来像 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
  8. signtool/sha1 1234567890abcdef1234567890abcdef12345678/t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)
  1. Log in as the build user
  2. Run certmgr.msc
  3. Right-click Certificates - Current User / Personal / Certificates, and select All Tasks / Import...
  4. Select your .pfx file, enter the password, and click Next and Finish
  5. Double-click on the imported certificate
  6. In the Details page, the thumbprint algorithm should be sha1
  7. Copy the thumbprint, it looks something like 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
  8. signtool /sha1 1234567890abcdef1234567890abcdef12345678 /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)

第 8 步不会要求输入密码.

And step 8 will not ask for a password.

这篇关于如何安全地存储 .pfx 密码以在 MSBuild 中使用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆