我可以在没有代码签名 EKU 的情况下使用证书签署自解压 exe 吗? [英] Can I sign a self-extracting exe with a certificate without the Code signing EKU?

问题描述

我有一个用 7zip (7z.sfx) 创建的自解压 .exe.我已经用signtool签名了.签名证书位于我的本地计算机存储中，其根证书位于受信任的根证书颁发机构"和受信任的发布者"文件夹中.

I've a self-extracting .exe created with 7zip (7z.sfx). I've signed it with signtool. The signing certificate is in my Local Machine store, and it's root certificate is in the "Trusted root certificate authorities" and "Trusted publishers" folders.

我希望签名详细信息出现在 UAC 提示的发布者字段中，但它仍然显示未知发布者".有谁知道这是怎么回事?该证书没有代码签名"EKU.这会导致问题吗?

I would like the signature details to appear in the publisher field of the UAC prompt, but it still shows "Unknown Publisher". Anyone know what's going on? The certificate does not have the "Code signing" EKU. Will this cause the problem?

这个人也有类似的问题，没有答案.这个问题详细介绍了代码签名，但它仍然不适合我.

This person had a similar problem, with no answers. This question covers code signing in detail but it's still not working for me.

推荐答案

好吧，也许正如我所怀疑的，用于代码签名的 EKU 对于 UAC 是必不可少的.使用普通证书生成签名没有问题，但 UAC 会忽略使用非代码签名证书生成的签名，即使这些证书位于受信任的发布者、受信任的根授权机构等中.

Ok, perhaps as I suspected, the EKU for code signing is essential for UAC. There's no problem generating the signature with a vanilla certificate, but UAC will ignore signatures generated with non code-signing certificates, even if those certificates are in Trusted Publisers, Trusted Root Authorities etc..

代码签名的eku是1.3.6.1.5.5.7.3.3

the eku for code signing is 1.3.6.1.5.5.7.3.3

以下 PowerShell 命令为您提供自签名代码签名证书...

The following PowerShell command gets you a self signed code signing cert...

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname sby-port -type CodeSigningCert

这篇关于我可以在没有代码签名 EKU 的情况下使用证书签署自解压 exe 吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！