自签名证书到Authenticode证书？ [英] Self Sign Certificate To Authenticode Certificate?

问题描述

我们通过ClickOnce和我们创建的自签名者证书部署了Windows应用程序。现在，我们正在寻求从像VeriSign这样的证书颁发机构那里获取Authenticode证书。

We deployed a windows application via ClickOnce and a self signer certificate that we created. We are now looking in to getting a Authenticode Certificate from a Certificate Authority like VeriSign.

当我们开始使用新证书对ClickOnce清单进行签名时，我们的用户是否必须重新-安装应用程序？

When we start signing our ClickOnce manifests with the new certificate, will our users have to re-install the application?

有没有已知的迁移路径可以处理我们的情况？

Are there any known migration paths for dealing with our scenario?

谢谢

Thanks

推荐答案

关键是要认识到应用程序清单具有Authenticode签名（以标识发布者）和强名称签名（以防止篡改）。诀窍是将旧证书用于强名称签名，将新证书用于Authenticode签名。

Yes, you can do this without the users having to re-install, but it's tricky. The key is to realise that the application manifests have an Authenticode signature (to identify the publisher) and a strong name signature (to prevent tampering). The trick is to use your old certificate for the strong name signature, and the new certificate for the Authenticode signature.

VS2005 / Mage或签名工具（signtool.exe .NET Framework SDK中的）支持这种签名。但是 Windows Server 2003 R2平台SDK 包含一个新版本的signtool.exe，带有一个新的开关 / manifest，并带有使用不同密钥进行签名的选项。使用此工具，您可以为两个签名中的每个签名使用不同的密钥对ClickOnce清单进行签名。

Neither VS2005/Mage or the sign tool (signtool.exe) from the .NET Framework SDK supports this kind of signing. But the Windows Server 2003 R2 Platform SDK contains a newer version of signtool.exe with a new switch "/manifest" and with options to use different keys for signing. With this tool you can sign the ClickOnce manifests with different keys for each of the two signatures.

您可以找到更多详细信息在这里。

这篇关于自签名证书到Authenticode证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！