使用signtool创建密钥并签署可执行文件 [英] creating a key and signing executable with signtool
问题描述
我该如何签名Visual C#可执行文件?
How would I sign a Visual C# executable?
SignTool.exe找不到证书.
SignTool.exe can't find a certificate.
我如何创建自签名密钥和证书,并让signtool能够查看和使用证书?
How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?
已安装OpenSSL和Visual Studio 2010 Express.运行Windows 7 Ultimate x64.
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
使用Windows驱动程序工具包中的SignTool.exe.
Using SignTool.exe from Windows Driver Kit.
推荐答案
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
如果要对程序进行数字签名,则需要从CA购买代码签名证书.有很多公司可以提供这项服务( Verisign , Thawte ),需付费.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
虽然这笔费用似乎有点高价,但请记住,您不仅在购买数字证书,而且还购买了该证书的24/7验证.每当有人启动您的程序时,它都会确保该程序是由您编写的,并且自您发布该程序以来,该程序未被更改.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
更新:如果此程序严格是内部应用程序(仅限您或您的企业),请受信任的根证书安装运行该程序的计算机(或者,如果您有权访问Windows Server,则可以设置一个真正有效的CA).
Update: If this program is strictly an internal application (limited to you or your business), you can created your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).
这篇关于使用signtool创建密钥并签署可执行文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
