自签名证书到Authenticode证书? [英] Self Sign Certificate To Authenticode Certificate?
问题描述
我们通过ClickOnce和我们创建的自签名者证书部署了Windows应用程序。现在,我们正在寻求从像VeriSign这样的证书颁发机构那里获取Authenticode证书。
We deployed a windows application via ClickOnce and a self signer certificate that we created. We are now looking in to getting a Authenticode Certificate from a Certificate Authority like VeriSign.
当我们开始使用新证书对ClickOnce清单进行签名时,我们的用户是否必须重新-安装应用程序?
When we start signing our ClickOnce manifests with the new certificate, will our users have to re-install the application?
有没有已知的迁移路径可以处理我们的情况?
Are there any known migration paths for dealing with our scenario?
谢谢是的,您可以执行此操作而无需用户重新安装,但这很棘手。
Thanks
推荐答案
关键是要认识到应用程序清单具有Authenticode签名(以标识发布者)和强名称签名(以防止篡改)。诀窍是将旧证书用于强名称签名,将新证书用于Authenticode签名。
Yes, you can do this without the users having to re-install, but it's tricky. The key is to realise that the application manifests have an Authenticode signature (to identify the publisher) and a strong name signature (to prevent tampering). The trick is to use your old certificate for the strong name signature, and the new certificate for the Authenticode signature.
VS2005 / Mage或签名工具(signtool.exe .NET Framework SDK中的)支持这种签名。但是 Windows Server 2003 R2平台SDK 包含一个新版本的signtool.exe,带有一个新的开关 / manifest,并带有使用不同密钥进行签名的选项。使用此工具,您可以为两个签名中的每个签名使用不同的密钥对ClickOnce清单进行签名。
Neither VS2005/Mage or the sign tool (signtool.exe) from the .NET Framework SDK supports this kind of signing. But the Windows Server 2003 R2 Platform SDK contains a newer version of signtool.exe with a new switch "/manifest" and with options to use different keys for signing. With this tool you can sign the ClickOnce manifests with different keys for each of the two signatures.
您可以找到更多详细信息在这里。
这篇关于自签名证书到Authenticode证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!