如何防止每 1 年或 2 年需要重新签署我的代码? [英] How Can I Prevent Needing to Re-sign My Code Every 1 or 2 Years?

问题描述

I was reading What happens when a code signing certificate expires - Stack Overflow and wondering about a more solid answer. The answer provided was more about setting up your own CA. Even with your own CA you will still need to deal with expiring code certificates.

If you signed the code without using a time stamping service, after the certificate expires your code will no longer be trusted, and depending on security settings it may not be allowed to run. You will need to re-sign all of your code with a new certificate, or with a renewed certificate, every 1 or 2 years.

Trusted (digital) timestamping allows the digital signature to be valid even after the certificate itself has expired. You would need to re-sign code with the new certificate only if you have made changes.

Does this all sound correct? If so, I need recommendations on what timestamping service to use, preferably from someone who has actually used one. I'd also like to know if there are any in-house solutions, similar to being your own CA.

Right now this applies to PowerShell scripts, but I will eventually have the same issue with other code.

Update: Sample of how to sign a PS script with a timestamp (you can make a script for this):

Set-AuthenticodeSignature -filepath "D:ProjectsA SampleMyFile.ps1" 
  -cert gci cert:CurrentUserMy -codesigning 
  | where -Filter {$_.FriendlyName -eq "Thawte Code Signing"}
  -IncludeChain All 
  -TimeStampServer "http://timestamp.verisign.com/scripts/timstamp.dll"

Then, to see the Signer Certificate and TimeStamper Certificate, you can do this:

Get-AuthenticodeSignature MyFile.ps1 | fl *

It gives you the Subject (CN, OU, etc.), Issuer, Before/After Dates, and Thumbprints for both your cert and the timestamper's cert. You also get a message indicating the status of the signature.

解决方案

You're better off selecting one of the trusted certificate providers (Verisign, Thawte, Comodo, etc.). This allows you to sign your software without the user explicitly trusting your private root CA. We've used both Verisign and Thawte, Comodo even GoDaddy with timestamping without any issues with the software becoming invalid even years after the certificate expires.

这篇关于如何防止每 1 年或 2 年需要重新签署我的代码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！