Exe signing process?


Problem description






Hi,

I wrote a program (it simply copies some DLLs to a location), but unfortunately Bit-defender virus is giving it a pop-up showing that it is not digitally signed!!!

Can anyone tell me the step-by-step process?
Verisign is a process to do this. But I do not want to pay for this.

Thanks

NOTE: Please add a comment if you know the process to do this; no need to give me suggestions like how to improve the posting or anything foolish like this!!

Recommended answer

A certificate is purchased from a certificate authority (like VeriSign) because the certificate authority verifies your identity and the certificate they issue to you points to their certificate authority certificate that is already installed on PCs. It is a best practice to buy your signing certificate.

If you do not want to buy a certificate, then you must create your own certificate authority and a signing certificate derived from it. The certificate authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the PCs that will run your application, then it is something you may decide to do.

In all of the instructions below, replace COMPANYNAME with an abbreviation of your company name (like TATA, XEROX, IBM, HP, IAD, etc.)

I did this from memory so I hope it works for you. I don't claim to be an expert in this topic. But, after a lot of research and experimentation, this process worked for me recently.

1. Create Certificate Authority Certificate
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha1 -sv "COMPANYNAME.pvk"  -r  "COMPANYNAME.cer"  





This will ask you for a password. Don't forget it!

2. Open MMC (Run mmc.exe)
* Click File then "Add/Remove Snap-in"
* Select Certificates from the left list, click "Add".
* Select "My user account", Click Finish
* Select Certificates from the list again and "Add" it
* Select "Computer account".
* Save This configuration of MMC (File, then Save) as "Certificates.msc" in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future.

3. Install the new certificate authority certificate into the trusted store (Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates) of the computer that will do the signing and all of the computers that will run your application.
* Double-click Certificates (Local Computer)
* Right click on "Trusted Root Certification Authorities". Select "All Tasks", then "Import".
* Select the new certificate (*.cer), and place it into "Trusted Root Certification Authorities".

The computer now implicitly trusts all certificates signed by that new certificate authority.

4. Create a signing certificate that is derived from the new certificate authority and store it in the Certificates - Current User / Personal / Certificates store on the PC that will do the signing. You do not have to install this certificate on your users' computers.

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha1 -sky exchange -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"





This will ask you for a password with which to lock the new private key you are creating for this certificate.
It will also ask you for the password to the certificate authority's private key from Step 1 above.
* Right click on "Personal" in "Certificates - Current User". Select "All Tasks", then "Import". Select the new certificate "COMPANYNAMESoftware.cer".

5. Create a BAT file in C:\BAT named SIGNCODE.BAT that contains this:

@ECHO OFF
REM create an array of timestamp servers...
REM The SET statement should be all on one line.
SET SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)

REM sign the file...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" %1

REM stop here if signing itself failed; there is nothing to timestamp...
if ERRORLEVEL 1 (
    echo Signing failed for %1
    exit /b 1
)

set timestampErrors=0
for /L %%a in (1,1,300) do (

    for %%s in %SERVERLIST% do (
        Echo Try %%s
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s %1

        REM check the return value of the timestamping operation; on failure move on to the next server, for at most 300 passes over the list...
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded

        echo Timestamping failed. Probably cannot find the timestamp server at %%s
        set /a timestampErrors+=1

        Rem Wait 6 seconds
        choice /N /T:6 /D:Y >NUL
    )

    REM wait 12 seconds...
    choice /N /T:12 /D:Y >NUL    
)

REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1

:succeeded
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0








6. Sign the program
In a CMD Window, navigate to the directory that contains the program to be signed and run the BAT file.

C:\BAT\SIGNCODE.BAT SETUP.EXE





where "SETUP.EXE" is the program to be signed.
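
A post-signing check for the procedure above, added here as an example that is not part of the original answer: it confirms that the file's Authenticode signature validates on this machine, that its chain ends at the CA certificate created in step 1, and that a timestamp was applied. The default file names are the answer's placeholders (SETUP.EXE, COMPANYNAME.cer), and the weak-algorithm check is an extra assumption about what a reviewer would want flagged.

```powershell
# Added example: verify the result of SIGNCODE.BAT.
# File names are the answer's placeholders; pass your own with -File / -CaCert.
param(
    [string]$File   = 'SETUP.EXE',
    [string]$CaCert = 'COMPANYNAME.cer'
)

$problems = @()
$sig = Get-AuthenticodeSignature -FilePath $File

# Status is 'Valid' only when the file hash matches and the chain ends in a trusted root,
# so this fails on any PC where the CA certificate from step 3 was not imported.
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is $($sig.Status): $($sig.StatusMessage)"
}

if ($sig.SignerCertificate) {
    # Load the CA certificate from step 1 (full path: .NET ignores the PowerShell location).
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $CaCert).Path

    # Build the chain and compare its last element with that CA certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ca.Thumbprint) {
        $problems += "Chain ends at '$($root.Subject)', not at $CaCert"
    }

    # The makecert commands in the answer pass -a sha1; report weak certificate hashes.
    $alg = $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
    if ($alg -match 'sha1|md5') {
        $problems += "Signer certificate uses weak signature algorithm $alg"
    }
}

# Without a timestamp the signature stops validating once the signing certificate expires.
if (-not $sig.TimeStamperCertificate) {
    $problems += 'No timestamp countersignature found'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "$File : signature valid, chains to $CaCert, timestamped"
exit 0
```

Run it on the signing PC and on one of the target PCs: a "NotTrusted" or "UnknownError" status on the target usually means the CA certificate has not been imported there.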

