使用自签名证书进行代码签名软件 [英] Using self-signed certificate for code signing software
问题描述
当前,我们公司使用Versign / Symtanec的数字证书对我们的软件进行代码签名。
Currently our company uses a digital certificate from Versign/Symtanec for code signing our software.
我们公司中有人试图说服我们使用自签名证书,而不是从Verisign / Symantec购买的证书。部分是作为降低成本的过程(即使对于2-3年的更新而言,它们确实很便宜),部分是因为我们的软件所运行的系统(工业机器)具有补丁性,使事情变得更容易打补丁具有非Windows证书存储区的已安装软件,还需要在其中管理我们的证书。显然,他们希望使用Windows根CA来生成我们的证书,因此我们不必继续修补新证书,只要Windows根CA有效,我们的证书就将持续有效...
We have someone in our company attempting to persuade us to use a self-signed certificate instead of one purchased from Verisign/Symantec. Partially as a "cost-down" procedure (even though they're pretty damn cheap for a 2-3 year renewal), and partially to make things easier in a patching sense, as the systems our software runs on (industrial machines) has installed software with a non-Windows certificate store in which our certificate also needs to be managed. Apparently they want use to use the Windows Root CA in order to generate our certificate so we don't have to keep patching new certificates on and our certificate will essentially last as long as the Windows Root CA is valid ...
我一直在寻找的每个地方,都发现有人在使用自签名证书进行网上网站身份验证之类的事情,但是在代码签名环境中使用时,有很多用于生成证书的示例,有人说您可以在更接近生产环境的环境中使用它们进行测试(这是我过去所做的),但是我找不到很难解释的原因
Everywhere I've been looking, I've found that some people use self-signed certificates for things like website identity verification over the net, but when used in a code-signing context, there are a lot of examples for certificate generation and people saying that you can use them for testing in an environment that's closer to a production environment (which I have done in the past), but I can't find any hard reasons as to why not to use a self-signed certificate for code-signing production software.
已经有一段时间了,因为我不得不从证书的角度考虑问题,但这已经有一段时间了。只是感觉不对。
It's been a while since I've had to look a the certificate side of things, but this just feels wrong.
可能我只是没有足够的证书经验,无法理解为什么这是个好主意。有没有人可以帮助我理解其全部含义?
It's possible that just I'm not experienced enough with certificates to see why this is a good idea. Does anyone have any input to help me understand the full implications of this?
推荐答案
使用自签名证书应该不起作用。这个想法是值得信任的人(不是您;而是Verisign或其他应检查您的凭据的方)确认某项内容已通过认证。
Using a self-signed certificate should not work. The idea is that "someone trustable" (not you; but Verisign or some other party that should check your credentials) confirms that something is certified.
我不确定确切地说,这在Windows中是如何工作的。可能是因为他们没有正确实施某些东西。
I'm not sure exactly how this works in Windows. Might be that they didn't implement something properly.
这篇关于使用自签名证书进行代码签名软件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
