我该如何进行数字签名的可执行文件? [英] How can I digitally sign an executable?
问题描述
我编码需要管理访问软件。当UAC弹出对话框,它显示了比非签名的软件数字签名的软件不同的弹出窗口。我相信数字签名我的软件将使用户能够信任我的软件更容易。它花费数千美元进行数字签名的软件,或者是免费的吗?有一个简单的办法做到这一点?我四处搜查谷歌和我得到的是如何签署PHP,XML和PDF文件,这是不是我想要的。我需要我签字的软件可执行文件。
I'm coding software that requires administrative access. When a UAC dialog pops up, it shows a different popup for digitally signed software than non-signed software. I believe digitally signing my software would enable users to trust my software easier. Does it cost thousands of dollars to digitally sign software, or is it free? Is there a simple way to do it? I've searched around Google and all I get is how to sign PHP, XML, and PDF files, which is not what I want. I need to sign my software executable.
刚看到一些有关sigtool.exe?这是一个正确的方向吗?那些复杂的.pfx文件和验证码或什么不是?
Just saw something about sigtool.exe? Is this the right direction? What about those complicated .pfx files and Authenticode or what not?
推荐答案
正如在其他的答案中提到什么,你首先需要购买适合代码签名证书。这将花费几百美元,远不及上千人。我最近重新我公司与 GlobalSign的证书,也有调查,以确认该公司是合法的 - 因为我用一个手机号码在登记过程中,他们希望从公司会计的一封信,以确认我们是一个真正的业务。
As mentioned in the other answers, you will first need to purchase a certificate suitable for code signing. This will cost a few hundred dollars, nowhere near a thousand. When I renewed my company's certificate with Globalsign recently, there was also an investigation to check that the company was legitimate - because I used a mobile number for the registration process, they wanted a letter from the company accountant to verify that we are a real business.
要签名的可执行文件,我使用的MSBuild任务。以下是有关部分摘录:
To sign the executable, I use an MSBuild task. Here's an excerpt with the relevant pieces:
<!--
Installer files that need to be signed.
-->
<ItemGroup>
<InstallerSignedFiles Include="$(BuildRoot)path\to\myinstaller.msi"/>
<InstallerSignedFiles Include="$(BuildRoot)path\to\setup.exe"/>
</ItemGroup>
<Target Name="ReleasePackaging">
<!-- Sign the files we're going to release -->
<SignTool
CertificateStoreName="My"
CertificateSubjectName="MyCompany"
Description="My application description"
TimestampServerUrl="http://timestamp.verisign.com/scripts/timstamp.dll"
TargetFiles="@(InstallerSignedFiles)"
/>
</Target>
有关此如上工作,你需要将证书安装到您的个人证书存储(见 CertificateStoreName =我在上面的例子)。在GlobalSign的网站上,这是安装在证书下载过程的自动一部分。注:我发现,它有助于当你下载证书,因为它与Windows证书存储区集成使用Internet Explorer。一旦它在下载的计算机上的证书存储,您可以导出为一个PFX文件 ,它传输到您的构建机器,并导入它。如果你这样做出口的话,我会建议您保护与以防落入坏人手中的密码导出的文件。
For this to work as above, you will need to install the certificate into your personal certificate store (see CertificateStoreName="My" in the above example). On the Globalsign web site, this installation was an automatic part of the certificate download process. Note: I found that it helps to use Internet Explorer when you download the certificate, as it is integrated with the Windows certificate store. Once it is in the certificate store on the download computer, you can export it as a pfx file, transfer it to your build machine, and import it there. If you do export it, I would advise that you protect the exported file with a password in case it falls into the wrong hands.
当您使用SignTool的MSBuild任务,以上时,它从一个与当前Windows用户帐户相关联的个人存储(我)证书。这意味着,你可以控制谁可以与您的证书,这是一件好事签名的代码。您应该只将证书导入的您信任的开发人员的个人存储。
When you use the SignTool MSBuild task as above, it reads certificates from the personal store ("My") that is associated with the current Windows user account. This means that you can control who can sign code with your certificate, which is a Good Thing. You should only import the certificate into the personal store of developers that you trust.
这是签名代码时使用时间戳服务器是一个好主意,让你不需要在证书到期重新签订的代码。
It's a good idea to use the timestamp server when signing code, so that you don't need to re-sign the code when the certificate expires.
这篇关于我该如何进行数字签名的可执行文件?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
