验证 Authenticode 签名为来自我们公司的自动更新程序 [英] Verify Authenticode signature as being from our company for automatic updater
问题描述
我正在实施一项自动更新功能,需要一些关于如何使用最佳做法安全地执行此操作的建议.我想使用下载文件的 Authenticode 签名来验证它是否可以安全运行(即来自我们公司并且没有被篡改).我的问题与问题#2008519 非常相似.
I am implementing an automatic update feature and need some advice on how to do this securely using best practices. I would like to use the downloaded file's Authenticode signature to verify that it is safe to run (i.e. originates from our company and hasn't been tampered with). My question is very similar to question #2008519.
底线问题:检查 Authenticode 签名以获得自动更新功能的最佳、最安全的方法是什么?应该检查证书中的哪些字段?要求是:(1) 检查签名是否有效,(2) 检查这是我的签名,(3) 当我的证书过期并且我得到一个新的时,旧客户端仍然可以更新.
The bottom-line question: what's the best, most secure way to check Authenticode signatures for an automatic update feature? What fields in the certificate should be checked? Requirements being: (1) check signature is valid, (2) check it's my signature, (3) old clients can still update when my certificate expires and I get a new one.
以下是我研究的一些背景信息/想法:我相信这可以分为两个步骤:
Here's some background information / ideas from my research: I believe this could be broken into two steps:
验证签名是否有效.我相信这应该很容易使用 WinVerifyTrust,如 http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx - 我预计这里不会出现问题.
Verify that the signature is valid. I believe this should be easy using WinVerifyTrust as outlined in http://msdn.microsoft.com/en-us/library/aa382384(VS.85).aspx - I don't expect problems here.
确认签名对应于我们公司,而不是其他公司.这似乎是一个更难回答的问题:
Verify that the signature corresponds to our company, and not another company. This seems to be a more difficult question to answer:
一种可能性是检查签名中的一些字符串.可以通过 MS 知识库文章 #323809 中的代码获得,但本文并未就此类应用程序(或任何其他)应检查哪些字段提出建议.问题 #1072540 也说明了如何获取一些证书信息,但同样不建议实际检查哪些字段.我担心字符串可能不是最好的检查:例如,如果另一个人能够获得同名的证书怎么办?或者我们将来是否有正当理由更改字符串?
One possibility is to check some of the strings in the signature. Could be obtained via code at MS KB article #323809, but this article doesn't make recommendations on what fields should be checked for this type of application (or any other, for that matter). Question #1072540 also illustrates how to get some certificate info, but again doesn't recommend what fields to actually check. My concern is that the strings might not be the best check: what if another person is able to obtain a certificate with the same name, for example? Or if there's a valid reason for us to change the strings in the future?
question #2008519 中的人有一个非常相似的要求.他对TrustedByUs"功能的需求与我的相同.但是,他通过比较公钥来进行检查.虽然这在短期内可行,但它似乎不适用于自动更新功能.这是因为代码签名证书的有效期最长为 2 - 3 年.因此,未来我们在2年后购买新证书时,由于公钥的变化,旧客户端将无法再更新.
The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.
推荐答案
问题#2008519 的人有一个非常相似的要求.他的需要TrustedByUs"功能是相同的到我的.然而,他开始做通过比较公钥进行检查.虽然这适用于短期的,好像不会为自动更新功能工作.这是因为代码签名证书仅适用于 2 - 3最多年因此,在未来,当我们在 2 购买新证书时年,老客户不会由于更改公钥.
The person at question #2008519 has a very similar requirement. His need for a "TrustedByUs" function is identical to mine. However, he goes about doing the check by comparing public keys. While this would work in the short-term, it seems like it won't work for an automatic update feature. This is because code signing certificates are only valid for 2 - 3 years max. Therefore, in the future, when we buy a new certificate in 2 years, the old clients wouldn't be able to update any more due to the change in public key.
由于担心的是应用程序信任您而不是某人信任您,因此您可以使用自签名并将所需的任何公钥嵌入应用程序本身.这使您可以更好地控制该过程.当要求不受您控制的用户或应用程序给予信任时,这是不合适的,但在这种情况下,应用程序在您的控制之下,因此它可以正常工作.这使您可以非常轻松地避免将其他人的类似证书误认为是您自己的.
Since the concern is that the application trusts you rather than that a person trusts you, you could just use self-signing and embed any public keys needed in the applications themselves. This gives you much more control over the process. This is inappropriate when asking a user or application not under your control to give trust, but in this case the application is under your control, so it will work fine. This allows you to very easily avoid the concern of mistaking someone else's similar-looking certificate for your own.
这篇关于验证 Authenticode 签名为来自我们公司的自动更新程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
