Windows代码签名过程和替代MS signtool.exe？ [英] Windows Code-Signing process & alternative to MS signtool.exe?

问题描述

我使用非Microsoft编译器编写了Windows小型应用程序，希望免费赠送或以微不足道的价格出售（5美元）。该程序不使用注册表，但我想将其提供为使用免费工具（例如InnoSetup）创建的安装程序可执行文件（例如MyAppInstall.exe）。

从签名Windows EXE文件和其他来源中，我的理解如下：

1. 如果我未签名安装程序，Windows将弹出警告对话框，警告用户发布者未知，并建议他们不要运行该软件。




2. 如果我使用自认证密钥对安装程序进行签名，则弹出对话框将至少提供发布者名称，而不是 unknown。它将说发布者无法验证或发布者不受信任。




3. 如果我每年支付〜$ 100

em>到CA，我可以获得一个代码签名证书，该证书可以让我
分发有用的免费软件，这些软件可以轻松安装-不会出现令人恐惧和讨厌的对话。



4. 我可以使用Windows版本的OpenSSL创建用于代码签名的自认证密钥。这样，我不必从MS上下载安装590 MB的SDK文件就可以获取Microsoft的 makecert.exe




5. 第22项：我听说的唯一的代码签名工具是 signtool.exe ，该工具只能通过下载并安装至少590 MB的其他工具来获取。东西（SDK）。

问：Microsoft signtool.exe是否可以替代？

解决方案

有 kSign ，并且他们的博客上还有一篇有关如何与Inno Setup集成。

这不是signtool的完整替代品（即，它不会签名驱动程序包所涉及的.cat和.sys文件），但是它将以数字方式签名EXE，DLL，COM，CAB和OCX文件。

Using a non-Microsoft compiler, I have written small application for Windows that I'd like to give away for free or sell for some trivial amount ($5 say). The program doesn't use the registry but I'd like to provide it as an installer executable (e.g. MyAppInstall.exe) created using freely available tools (e.g InnoSetup).

From Signing a Windows EXE file and other sources my understanding is as follows:

1. If I do not sign the installer, Windows will pop-up a warning dialogue box warning the user that the publisher is unknown and suggesting they should not run the software. This is undesirable.

2. If I sign the installer with a self certified key, The popup dialogue will at least provide a publisher name instead of "unknown". It will say the publisher could not be verified or the publisher is untrusted. This is probably marginally better than being described as an unknown publisher.

3. If I pay ~$100 every year to a CA, I can get a code-signing cert that will allow me to give away useful free software that can be easily installed - without scary and off-putting dialogues appearing.

4. I can use the Windows edition of OpenSSL to create a self-certified key for code signing. This way I don't have to download an install a 590 MB SDK file from MS just to obtain Microsoft's makecert.exe

5. Catch 22: The only code signing tool I have heard of is signtool.exe which can only be obtained by downloading and installing at least 590 MB of other stuff (the SDK).

Q: Is there an alternative to Microsoft's signtool.exe

解决方案

There is kSign, and their blog also has an article about how to integrate with Inno Setup.

It is not a complete replacement for signtool (i.e. it won't sign .cat and .sys files involved in signing driver packages) but it will will digitally sign EXE,DLL,COM,CAB and OCX files.

这篇关于Windows代码签名过程和替代MS signtool.exe？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！