签署 Windows EXE 文件 [英] Signing a Windows EXE file
问题描述
我有一个 EXE 文件,我想签署该文件,以便 Windows 不会警告最终用户关于来自未知发布者"的应用程序.我不是 Windows 开发人员.所讨论的应用程序是从生成屏幕保护程序应用程序的应用程序生成的屏幕保护程序.因此,我对文件的生成方式没有影响.
I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver generated from an application that generates screensaver applications. As such I have no influence on how the file is generated.
我已经发现我需要一个代码签名证书来自CA,例如Verisign 或 instantssl.com.我不明白的是我需要做什么(如果可能的话)来签署我的 EXE 文件.什么是简单的解释?
I've already found out that I will need a code signing certificate from a CA like Verisign or instantssl.com. What I don't understand is what I need to do (if at all possible) to sign my EXE file. What is a simple explanation?
Mel Green 的回答让我更进一步,但 signtool 要我指定在任何情况下使用什么证书.我能否以某种方式获得免费的代码签名证书来测试这是否对我有用?
Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. Can I get a free code signing certificate somehow to test if this will work for me at all?
另请说明哪种证书类型是正确的.大多数站点只提到代码签名"并谈论对用户实际编译的应用程序进行签名.对我来说不是这样.
Also please specify which certificate kind is the correct one. Most sites only mention "code signing" and talk about signing applications that are actually compiled by the user. This is not the case for me.
推荐答案
您可以尝试使用 微软的签名工具
您可以将其作为适用于 Windows Server 2008 和 .NET 3.5 的 Windows SDK 的一部分进行下载.下载后,您可以像这样从命令行使用它:
You download it as part of the Windows SDK for Windows Server 2008 and .NET 3.5. Once downloaded you can use it from the command line like so:
signtool 签名/a MyFile.exe
signtool sign /a MyFile.exe
这会使用可用的最佳证书"对单个可执行文件进行签名.(如果您没有证书,则会显示 SignTool 错误消息.)
This signs a single executable, using the "best certificate" available. (If you have no certificate, it will show a SignTool error message.)
或者你可以试试:
signtool 符号向导
signtool signwizard
这将启动一个向导,引导您完成对应用程序的签名.(此选项在 Windows SDK 7.0 之后不可用.)
This will launch a wizard that will walk you through signing your application. (This option is not available after Windows SDK 7.0.)
如果您想获得可用于测试签署可执行文件的过程的证书,您可以使用 .NET 工具 Makecert.
If you'd like to get a hold of certificate that you can use to test your process of signing the executable you can use the .NET tool Makecert.
创建自己的证书并使用它对可执行文件进行签名后,您需要手动将其添加为计算机的受信任根 CA,以便 UAC 告诉运行它的用户它来自受信任的来源.重要.将证书安装为 ROOT CA 会危及您的用户隐私.看看 DELL 发生了什么.您可以在以下位置找到更多信息以在代码中和通过 Windows 完成此操作:
Once you've created your own certificate and have used it to sign your executable, you'll need to manually add it as a Trusted Root CA for your machine in order for UAC to tell the user running it that it's from a trusted source. Important. Installing a certificate as ROOT CA will endanger your users privacy. Look what happened with DELL. You can find more information for accomplishing this both in code and through Windows in:
在 Windows Vista 中安装自签名证书作为受信任的根 CA
希望为任何尝试这样做的人提供更多信息!
Hopefully that provides some more information for anyone attempting to do this!
这篇关于签署 Windows EXE 文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
