creating a key and signing executable with signtool

Published 2019-01-25 20:18

Question:

How would I sign a Visual C# executable?

SignTool.exe can't find a certificate.

How would I create a self signed key and certificate, and have signtool be able to see the certificate and use it?

OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.

Using SignTool.exe from Windows Driver Kit.

Answer 1:

Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).

With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.

If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.

While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.

Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.

Update: If this program is strictly an internal application (limited to you or your business), you can create your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).