如何使用有效签名创建预先配置的安装程序（MSI或EXE）？ [英] How to create precofigured installer (MSI or EXE) with valid signature?

问题描述

我们希望我们的用户为Windows下载我们软件的预配置安装程序。预先配置的数据由基于用户帐户数据的设置组成。该定制将在Linux上运行的Java服务器中完成。我们需要对这些安装程序进行数字签名。遗憾的是，由于安全政策的原因，我们在这些服务器上无法使用私有签名密钥。

您能想到在保留数字签名或其他方法来满足用例的同时将一些元数据放入MSI或EXE的方法吗？

编辑：要求是下载一个文件，因此不幸的是并行ini文件无法实现。

解决方案 div>

同时，我找到了一种在不使签名无效的情况下将数据添加到已签名EXE的方法。是的，我也认为这是不可能的。这是很糟糕的破解，它通过修改证书部分来工作，该部分不是签名的一部分，而是位于文件的末尾。因此，您可以追加到EXE的末尾，然后对部分大小进行一些固定。我检查了它是否有效，签名有效，程序运行，防病毒软件也没有抱怨。

方法说明：

• http：// blog.barthe.ph/2009/02/22/change-signed-executable/


• http://reboot.pro/topic/15889-modify-a-signed-executable-without-invalidating-its -digital-signature /

正在添加有效载荷的工作程序：

• http://reboot.pro/files/file/ 85-digitalsignaturetweaker /

很明显，由于受到黑客攻击，它随时都可能停止工作。

We want our users to download preconfigured installers of our software for Windows. Pre-configured data consists of settings based on user account data. The customization is to be done in a Java server running on Linux. We need to have those installers digitally signed. Unfortunately we cannot have private signing key on those servers, due to security policy.

Can you think of ways to put some metadata into either MSI or EXE while preserving digital signature or other approaches to fulfill the use case?

EDIT: The requirement is to have a single file download, so unfortunately parallel ini file doesn't fulfill it. It is mostly about providing a set of connection points (specific to a user) - we are not to bother a user as we already know them.

解决方案

Meanwhile I found a way to add data to a signed EXE without invalidating signature. Yes, I also thought it is impossible. It is terrible hack, which works by modifying certificate section, which is not part of signature and it is at the end of file. So you can append to the end of EXE and just do some fixing of section size. I checked it works, signatures are valid, program runs, AntiVirus doesn't complain as well.

Description of the approach:

• http://blog.barthe.ph/2009/02/22/change-signed-executable/
• http://reboot.pro/topic/15889-modify-a-signed-executable-without-invalidating-its-digital-signature/

Working program to add payload:

• http://reboot.pro/files/file/85-digitalsignaturetweaker/

Obviously, as being hack it may stop working any time.

这篇关于如何使用有效签名创建预先配置的安装程序（MSI或EXE）？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！