将时间戳添加到已签名的AppX捆绑包 [英] Add timestamp to signed AppX bundle

问题描述

Visual Studio使用我们的自定义代码签名证书对Windows Store应用进行了签名，以允许侧面加载生成的AppX捆绑包。

Our Windows Store app is signed by Visual Studio with our custom code signing certificate to allow sideloading of the resulting AppX bundle.

Visual Studio生成的AppX捆绑包（我猜在 _CreateBundle 构建步骤中）在数字签名中不添加任何可信时间戳。这样可以防止在证书过期后安装软件包。

The AppX bundle generated by Visual Studio (during the _CreateBundle build step I guess) will add no trusted timestamp to the digital signature. This prevents the bundle from being installed after the certficate has expired.

是否可以调整或配置 _CreateBundle 生成任务以在打包和演唱过程中添加时间戳？我研究了SignTool（用于对MSI程序包进行代码签名），但是文档产生结果

Is there a way to adjust or configure the _CreateBundle build task to add a timestamp during the packaging and singing process? I looked into SignTool (which we use for code signing MSI packages), but the documentation yields

您不能在屏幕上使用SignTool时间戳操作签名的应用程序包；

You can't use the SignTool time stamp operation on a signed app package; the operation isn't supported.

..并且我的包已经由Visual Studio在 _CreateBundle中签名步骤。

.. and my package is already signed by Visual Studio within the _CreateBundle step as it seems.

推荐答案

要清除文档，请执行以下操作：无法将时间戳记添加到已经存在的文档中。已签名的程序包，但是 SignTool 可以重新签名程序包并包含时间戳。因此，我添加了一个构建后事件以重新签名Visual Studio生成的捆绑包：

To clearify the documentation: One cannot add a timestamp to an already signed package, but SignTool can re-sign the package and include a timestamp. So I added a post-build event to re-sign the bundle generated by Visual Studio:

if $(SolutionName) == Installer (
  "C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /fd SHA256 /a /f "$(ProjectDir)..\..\Build\CodeSigning.pfx" /tr http://tsa.starfieldtech.com "$(TargetDir)AppPackages\my_app\my_app.appxbundle"
)

这篇关于将时间戳添加到已签名的AppX捆绑包的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！