如何在Inno Setup中安全地将证书密码传递给signtool.exe? [英] How can I securely pass the certificate password to signtool.exe in Inno Setup?
问题描述
如何安全地将密码传递给signtool.exe?
这是代码:
How can I securely pass the password to signtool.exe?
Here's the code:
[Setup]
SignTool=mysigntool signtool.exe" sign /f <path_to_pfx_certificate> /p <certificate's_password> $f
我知道有一种类似GetSHA1OfString的方法,但是在这里我需要相反的方法.
I know there's a method like GetSHA1OfString, but here I need the opposite.
推荐答案
如果您询问如何加密密码,则没有任何意义.加密需要密钥(也称为密码).因此,您将获得另一个密码,该密码又需要以纯文本格式存储在某处.这是鸡还是鸡蛋的问题.
If you are asking how to encrypt the password, it does not make sense. An encryption needs a key (aka a password). So you end up with another password, which you again need to store somewhere in plain text. It's a kind of a chicken or the egg problem.
您所能做的就是 obfuscate 密码.
All you can do is to obfuscate the password.
请考虑通过将证书放入Windows证书存储区(而不是受密码保护的文件)来保护证书.只是对于MSBuild,您有同样的问题:如何安全地存储要在MSBuild中使用的.pfx密码?答案几乎是通用的.您只需在signtool命令行中用Inno Setup的$f替换MSBuild的%(SignFiles.Identity):
Consider protecting the certificate by putting it into the Windows certificate store instead of a password-protected file. This is the same question you have, just for MSBuild: How do I securely store a .pfx password to use in MSBuild? The answer is pretty much generic. You just replace the MSBuild's %(SignFiles.Identity) with Inno Setup's $f in the signtool command line:
signtool.exe sign /sha1 <value> /t ... $f
其他相关问题:
Other related questions:
- How do I securely configure a CI server to digitally sign binaries?
- Automated Code Signing - Protecting the private key
这篇关于如何在Inno Setup中安全地将证书密码传递给signtool.exe?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
