如何安全地存储要在MSBuild中使用的.pfx密码? [英] How do I securely store a .pfx password to use in MSBuild?

问题描述

我需要将证书签名添加到我的构建中.以下是我编写的工作脚本示例，但是其中包含.pfx文件的密码.我无法将密码保留在构建脚本中.在这种情况下，您将使用什么最佳做法"或黑客手段?

I need to add certificate signing to my build. Below is a sample of the working script I wrote, however it includes the password to the .pfx file. I can't keep the password in the build script. What are "best practices" or hacks that you would use in this type of situation?

<ItemGroup Label="SignFiles">
  <SignFilesInclude="$(FileLocation)\**\*.exe"/>
</ItemGroup>

<Exec Command="$(SignTool) sign /v /ac C:\MSCV-VSClass3.cer /f C:\Certificate.pfx /p Password /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)"/>

在谷歌搜索之后，我在多个地方读到，一旦您第一次使用密码运行脚本，.pfx就会存储在证书存储区中，之后在构建脚本中就不需要密码了.可以，但是我想确保这是最好的方法，或者更好的方法，有一种方法可以避免在脚本中输入密码.

After googling, I read in multiple places that once you run the script the first time with the password, the .pfx is stored in the certificate store and the password won't be required in the build script after that. This works, however I want to make sure this is the best way to do it or better yet, there is a way to avoid putting the password in the script.

推荐答案

将.pfx文件导入到Windows证书管理器中，以用于构建时使用的用户帐户.然后使用signtool的/sha1开关选择正确的证书，不需要密码.

Import your .pfx-file to Windows Certificate Manager for the user account which is used when building. Then select the correct certificate using signtool's /sha1 switch, and no password is needed.

1. 以构建用户身份登录
2. 运行certmgr.msc
3. 右键单击证书-当前用户/个人/证书"，然后选择所有任务/导入..."
4. 选择您的.pfx文件，输入密码，然后单击下一步"和完成"
5. 双击导入的证书
6. 在详细信息"页面中，指纹算法应为sha1
7. 复制指纹，看起来像12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
8. signtool /sha1 1234567890abcdef1234567890abcdef12345678 /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)

1. Log in as the build user
2. Run certmgr.msc
3. Right-click Certificates - Current User / Personal / Certificates, and select All Tasks / Import...
4. Select your .pfx file, enter the password, and click Next and Finish
5. Double-click on the imported certificate
6. In the Details page, the thumbprint algorithm should be sha1
7. Copy the thumbprint, it looks something like 12 34 56 78 90 ab cd ef 12 34 56 78 90 ab cd ef 12 34 56 78
8. signtool /sha1 1234567890abcdef1234567890abcdef12345678 /t http://timestamp.verisign.com/scripts/timestamp.dll %(SignFiles.Identity)

第8步将不会要求输入密码.

And step 8 will not ask for a password.

这篇关于如何安全地存储要在MSBuild中使用的.pfx密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！