在基于Linux的发行版上签名Windows应用程序 [英] Signing Windows application on Linux-based distros

问题描述

我准备了一个应用程序和网站，客户可以在下载之前为此应用程序设置多个选项。设置以二进制格式存储在文件末尾（附加），然后将编辑的文件发送给最终用户。问题是，文件的内容的更改将打破文件签名 - 是否有任何机会使用任何命令行工具重新签名此更改的文件？我尝试使用Microsoft的SignTool，但在Linux上无法正常工作。

I have prepared an application and website where the customer can set several options for this application before he downloads it. Settings are stored in binary format on the end of the file (appended), then the edited file is sent to the end user. The problem is that the change of "contents" of the file will break the file signature - is there any chance to re-sign this changed file with any command line tools? I've tried to use Microsoft's SignTool, but it does not work properly on Linux.

推荐答案

https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode>立即前往使用 Mono 的signtool;

It's actually quite straight forward to do using Mono's signtool; the tricky part (described in more detail in the linked Mozilla article) is copying the certificate in the correct format from Windows to Linux.

将Windows PFX证书文件转换为PVK文件和SPC文件，只需要在将证书从Windows复制到Linux时执行一次;

Converting the Windows PFX certificate file to PVK and SPC files, only needs to be done once when copying the certificate from Windows to Linux;

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

实际上签署exe是很简单的;

Actually signing the exe is straight forward;

signcode \
 -spc authenticode.spc \
 -v authenticode.pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i http://www.example.com/ \
 -t http://timestamp.verisign.com/scripts/timstamp.dll \
 -tr 10 \
 MyApp.exe

这篇关于在基于Linux的发行版上签名Windows应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！