How can I make SmartScreen Filter trust a self-signed certificate

Views: 43

Question

Microsoft's SmartScreen Filter under Windows 8 is a small developer's worst nightmare.

While I realize the benefits to end users and the effectiveness at stopping malicious programs from installing themselves on end users' computers, I and many other developers would rather not pay the fees for annual renewal of a Code Signing Certificate or, even worse, an EV Code Signing Certificate. Also, when products developed for use in-house are signed with a trusted certificate from an internal CA, stored in the Trusted Publishers store, they still fall prey to the filter's overzealous behavior.

Developers and Administrators used to be able to disable the warnings and prompts by installing a publisher's Code Signing Certificate in the Trusted Publishers store. Creative developers could install their self-signed Code Signing Certificate there when they install a pre-requisite signed and timestamped with a paid-for Authenticode Code Signing Certificate. After that, programs signed by the publisher would be trusted and would not trip the SmartScreen Filter alarms. Essentially, once trusted, a publisher was free from the recurring fees.

The recent changes to the SmartScreen Filter (and its inclusion as an OS "feature" in Windows 8) make it clear Microsoft wants you to buy a code signing certificate instead of creatively working around the problem they've created for you. Has anyone discovered a new method to trust publishers who use their self-signed Code Signing Certificates by default (i.e., not showing the prompts)? Short of turning off the filter completely, what can end users do to let the SmartScreen Filter know to always trust a Self-Signed certificate?

Please note that purchasing a Code Signing Certificate is not an answer to this question. I'm looking for a way to tell SmartScreen Filter to trust a publisher that does not purchase certificates from an outside source, but instead issues their own for use inside their organization.

UPDATE: I think I might have found a workaround! From MSDN, SmartScreen Filter can be disabled on Windows 8 and Internet Explorer 10 for sites listed as Trusted Sites. If someone could verify that this method works for setup programs downloaded and run from a Trusted Site in Windows 8, that would be greatly appreciated and would help a lot of ISV's and in-house development teams. It would also be the workaround needed to answer this question. Trusted Sites can be configured by group policy, so it would be simple from there.

Programmatically, turning off SmartScreen Filter for the Trusted Sites Zone can be achieved by setting either HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2301 for the machine or HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2301 for the user to 0, and adding the site to be trusted to the Trusted Sites Zone can be done as shown in this question.

Could someone please verify that my proposed workaround functions on Windows 8 for an unsigned or self-signed executable downloaded from a Trusted Site? I'm not using Windows 8 myself, having spent my OS upgrade budget on certificate fees.

Accepted answer

Using a 90 day trial of Windows 8 from Microsoft, I've been able to verify that my workaround does indeed work. If you want to pay for a code signing certificate once and only once instead of paying annual fees, this method should work for you as well, but I can't make any guarantees. My solution is per-machine, but should be easy to convert to work per-user.

Here's my solution:

  1. Set up your own certificate infrastructure.
  2. Publish copies of the root CA certificate, any intermediate CA certificates issued by the root, and any code signing certificates issued by the intermediate CA to your website as .cer files.
  3. Install an SSL certificate issued by your root CA on your website.
  4. Create a setup/download program that performs the following tasks:
    • Installs the root CA certificate (from your website, step 2) into the Trusted Root Certification Authorities store on the end user's machine.
    • Disables SmartScreen Filter for the Trusted Sites Internet zone by setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2301 to 0.
    • Adds your website to the zone map by adding the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\yourdomain.com\yoursubdomain.
    • Maps your domain to the Trusted Sites zone by creating a DWORD value named https with the value 2 in the key created in the previous step.
  • Before you buy, make sure the certificate and timestamp scheme used by the CA for your code signing certificate won't result in OIDs 1.3.6.1.4.1.311.10.3.13 or 1.3.6.1.4.1.311.10.3.14, since these will expire the signature when the certificate expires, timestamped or not.
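The four tasks of step 4 as one per-machine PowerShell script, added here as an illustration (it is not the answerer's own installer). It assumes an elevated prompt on Windows 8 or later (for the Import-Certificate cmdlet), a downloaded root .cer at a hypothetical path, and the answer's yourdomain.com / yoursubdomain placeholders; it only relaxes SmartScreen for the Trusted Sites zone and maps just that one host into it, then reads the settings back so the change can be audited.

```powershell
# Added example, not part of the original answer. Run elevated; Import-Certificate needs the PKI module (Windows 8+).
param(
    [string]$RootCerPath = 'C:\Temp\internal-root-ca.cer',  # hypothetical path to the root CA .cer from step 2
    [string]$Domain      = 'yourdomain.com',                # placeholder from the answer
    [string]$Subdomain   = 'yoursubdomain'                  # placeholder from the answer
)

$ErrorActionPreference = 'Stop'
$inet = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'

# 4a. Install the internal root CA certificate into the machine's Trusted Root Certification Authorities store.
#     Import-Certificate returns the imported certificate object(s); a .cer normally holds exactly one.
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed root CA '$($root.Subject)' (thumbprint $($root.Thumbprint))"

# 4b. Disable SmartScreen Filter for the Trusted Sites zone only (zone 2, setting 2301 = 0, as in the answer).
#     Zones 1, 3 and 4 (Intranet, Internet, Restricted) are left untouched, so the filter still applies there.
Set-ItemProperty -Path "$inet\Zones\2" -Name '2301' -Value 0 -Type DWord

# 4c. Add the site to the zone map: ...\ZoneMap\Domains\<domain>\<subdomain>
$domainKey = "$inet\ZoneMap\Domains\$Domain\$Subdomain"
if (-not (Test-Path $domainKey)) {
    New-Item -Path $domainKey -Force | Out-Null
}

# 4d. Map https://<subdomain>.<domain> to the Trusted Sites zone (DWORD 'https' = 2).
#     Only the https scheme is mapped, so the zone assignment is tied to the certificate installed in step 3.
New-ItemProperty -Path $domainKey -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

# Read back the effective settings so the change can be verified (and reverted) later.
$zone = Get-ItemProperty -Path "$inet\Zones\2" -Name '2301'
$map  = Get-ItemProperty -Path $domainKey -Name 'https'
[pscustomobject]@{
    RootCaThumbprint       = $root.Thumbprint
    TrustedZoneSmartScreen = $zone.'2301'          # expected 0 after this script
    MappedHost             = "https://$Subdomain.$Domain"
    MappedZone             = $map.https            # expected 2 (Trusted Sites)
}
```

To undo the change, delete the ZoneMap domain key and restore the 2301 value you recorded before running the script; the root certificate can be removed from Cert:\LocalMachine\Root by thumbprint.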

The worst warning I’ve received using this method so far has been "This type of file could harm your computer." That's the typical "You're downloading an executable file!" warning. It doesn’t hide the Run option and does not appear for ClickOnce deployments using the bootstrap webpage generated by clicking "Publish" in VS2010.

Thanks for all the comments and links.
