windows 应用程序签名/验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5280435/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Application signing/verification
提问by Aaron
I'm relatively new to Windows development, but have just finished a small project. I want to make my application "verified" like a lot of other applications are. For example, when you launch the application and UAC pops up, it won't have the "publisher unknown" message with the yellow bar and should have a "Verified by: " section on it.
我对 Windows 开发比较陌生,但刚刚完成了一个小项目。我想让我的应用程序像许多其他应用程序一样“验证”。例如,当您启动应用程序并弹出 UAC 时,它不会有带有黄色条的“发布者未知”消息,并且应该有一个“验证者:”部分。
I hope I explained that correctly. Does anyone know how to do this? I am hoping it's not like SSL certificates where you have to pay money...
我希望我解释正确。有谁知道如何做到这一点?我希望它不像 SSL 证书那样你必须付钱......
Please feel free to let me know if my question was unclear or if I am not explaining it the right way. Thanks!
如果我的问题不清楚或者我没有正确解释,请随时告诉我。谢谢!
回答by Eaton
Unfortunatley, yes, you do need to pay money.
不幸的是,是的,你确实需要付钱。
What you need is a code signing certificate. You can get them from the below certificate authorities: Thawte
您需要的是代码签名证书。您可以从以下证书颁发机构获取它们: Thawte
Or if you are looking for a cheap one, I would buy one from here, that is where I got mine: Tucows
或者,如果您正在寻找便宜的,我会从这里买一个,这就是我的地方: Tucows
Once you get your cert, you can integrate it into the build process to sign your application and it will show your name as the publisher.
获得证书后,您可以将其集成到构建过程中以签署您的应用程序,它会显示您作为发布者的姓名。
回答by John Rasch
This is known as code signing. If you want to generate your own certificate just for you, you can follow the instructions in this answer.
这称为代码签名。如果您想为自己生成自己的证书,可以按照此答案中的说明进行操作。
As Eaton suggests, you'll have to pay if you want one for public use. I recently purchased one for our BuildMaster software from http://www.instantssl.com/code-signing/index.htmlfor 2 years at about $340.
正如伊顿所建议的那样,如果您想要公共使用,则必须付费。我最近从http://www.instantssl.com/code-signing/index.html为我们的 BuildMaster 软件购买了 2 年,价格约为 340 美元。
Response to comment:
回复评论:
If I generated my own certificate, how would it work for me but not for everyone else (publicly)?
如果我生成了自己的证书,它对我有什么作用,但对其他人(公开)不起作用?
Steps 1 and 2 in the linked answer create a self-signed Certificate Authority (CA) and then add it to your Windows Certificate Store. Step 3 then generates the code signing certificate and specifies the issuing CA (the -icswitch). Since the issuer is a CA that was created in step 1 and then set to manually be trusted by you in step 2, the code signing certificate generated in step 3 appears to be signed by a trusted party on your machine.
链接答案中的步骤 1 和 2 创建一个自签名证书颁发机构 (CA),然后将其添加到您的 Windows 证书存储中。步骤 3 然后生成代码签名证书并指定颁发 CA(-ic交换机)。由于颁发者是在步骤 1 中创建的 CA,然后在步骤 2 中手动设置为受您信任,因此步骤 3 中生成的代码签名证书似乎是由您机器上的受信任方签名的。
There is no way it can be trusted by the public because you both generated the code signing certificate andthe authority used to verify that its creator is actually who he says he is. Imagine if you were evil and put fake info in the code signing certificate that says the signer is Microsoft.com instead of Aaron! All certificates would useless if there was no trusted authority to verify the actual identity of signer.
公众无法信任它,因为您既生成了代码签名证书,又生成了用于验证其创建者实际上是他所说的人的权限。想象一下,如果您是邪恶的并且在代码签名证书中放入虚假信息,表明签名者是 Microsoft.com 而不是 Aaron!如果没有受信任的机构来验证签名者的实际身份,那么所有证书都将毫无用处。
When you order the certificate from a trusted CA, they'll verify your identity in some way. They'll probably ask for a scanned copy of your driver's license if it's for signing as your name, or something only the business owner would have like the articles of incorporation (we used our D&B D-U-N-S number to verify Inedo).
当您从受信任的 CA 订购证书时,他们会以某种方式验证您的身份。如果是为了以您的名义签名,他们可能会要求您提供驾驶执照的扫描副本,或者只有企业主才会拥有的东西,例如公司章程(我们使用我们的 D&B DUNS 编号来验证 Inedo)。
Once they have verified your or your company's identity, they'll send you a certificate that is trusted by typical web browsers that you can use to sign your executables and the public can be assured that it's actually you signing them because the CA would be whichever company you bought the certificate from. If you look in the Options section of your favorite web browser you can see which CAs are deemed trusted.
一旦他们验证了您或您公司的身份,他们就会向您发送典型 Web 浏览器信任的证书,您可以使用该证书对可执行文件进行签名,并且公众可以放心,实际上是您为它们签名,因为 CA您购买证书的公司。如果您查看您最喜欢的 Web 浏览器的“选项”部分,您可以看到哪些 CA 被认为是可信的。
回答by k3b
Beside bought certificates as @Eaton explained and selfcreated selfsigned certificates as @John Rasch suggested
除了@Eaton 解释的购买证书和@John Rasch 建议的自创自签名证书
you can try free comunitee-based certificates from http://cacert.orgthat works simmilar to pgp/gpg-s trustsystem. For codesigning you need a trust resumee of at least 100 points.
您可以从http://cacert.org尝试免费的基于 comunitee 的证书,其工作方式与 pgp/gpg-s 信任系统类似。对于协同设计,您需要至少 100 分的信任简历。
German users can also use free http://web.decertificates that also permits codesigning.
德国用户还可以使用免费的http://web.de证书,该证书也允许进行代码签名。
The drawback of this approach (as well as self-created certs) is that "verified" is only activ, if the operating system of the executing client has installed the root certificate of the signing agency which in 99% is not the case.
这种方法(以及自创建证书)的缺点是“已验证”仅在执行客户端的操作系统已安装签名机构的根证书时才有效,而 99% 的情况并非如此。
However Firefox knows cacert.org so certs from cacert can be used for https, java and silverlight but not for standard msie without installing the root certificate.
但是 Firefox 知道 cacert.org,因此 cacert 中的证书可用于 https、java 和 silverlight,但不能用于标准 msie,而无需安装根证书。
回答by Ron Christie
You can also buy a code signing certificate from StartCom (www.startssl.com) for roughly $49.90 for two years - a lot cheaper than Thawte, Verisign and the rest.
您还可以从 StartCom (www.startssl.com) 购买代码签名证书,价格约为 49.90 美元,为期两年——比 Thawte、Verisign 和其他产品便宜很多。
