Signing Windows Executables with self-hosted certificate

The question has already been asked and answered about how one can 'sign' a Windows executable; however, the answer requires the ongoing expense of a hosted certificate.

My company already has a VPS which we use for WWW, email and version control, so it seems to me that we could host our own certificate, albeit with rather less trustworthiness, but still sufficient for our clients.

We already host a PEM certificate which a consultant sysadmin set up for our email (IMAP4) hosting; can we use that, and what would be the procedure for 'signing' the executable and hosting the certificate? Presumably somewhere the URL of the hosted certificate would be embedded in what is attached ('signed') to the executable.

Here's a question on ServerFault that provides some good details on what specifically you can do with PEM (there's quite a bit more than I think would be prudent to copy/paste).

As far as self-signing, yes this is something you can do, although not trivially. In addition to the work setting it up there will be some ongoing maintenance that can be a real pain, especially if you don't know what you're doing very well. The problem is really two-fold:

  1. Your clients have to install the root CA cert of your VPS or you have to install it for them. This is somewhat invasive and will require an administrator. Additionally, if your root CA ever changes (which it should at least as often as it expires) you have to update all the machines again.
  2. You assume substantial liability for the security of the system. If your VPS is compromised somehow, whether it is exploited/penetrated/spoofed is all the same, an attacker can impersonate your executable to the client. As you can imagine, this can have catastrophic consequences.

Self-signing is generally not advised for production environments, especially with outside customers. There is too much to know and too many ways to screw it up.

If cost is an issue, you should check out Comodo's code signing certificate offerings. They are generally the best priced and quite reliable. They were hacked a couple years ago, but there was a lot the security field learned from that incident, and IMO it wasn't really Comodo's fault.
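The procedure the answer describes, as an added example that is not part of the original question or answer: build a private root CA, issue a code-signing certificate from it, Authenticode-sign an executable, and show what a client sees before and after installing the root. Subject names, the file paths under C:\build and the timestamp server URL are assumptions; replace them with your own. Note that an email (IMAP) certificate as in the question is not usable here: Authenticode requires the Code Signing extended key usage, which a server-authentication certificate does not carry.

```powershell
# Added example (not the page's own code). Run in an elevated PowerShell on Windows
# with the PKI module available. All names and paths below are illustrative.

# 1. Private root CA. Keep this key offline (or at least off the VPS); only the
#    leaf certificate is needed on the build machine. Basic constraints mark it as a CA.
$root = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=Example Corp Root CA, O=Example Corp" `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -KeyLength 4096 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.19={critical}{text}ca=1&pathlength=0")

# 2. Leaf code-signing certificate issued by that root.
#    -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3, which Authenticode requires.
$leaf = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Example Corp Code Signing, O=Example Corp" `
    -Signer $root `
    -KeyExportPolicy Exportable `
    -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 3. Export only the root's public certificate. This .cer file is what every
#    client must install; it contains no private key.
New-Item -ItemType Directory -Force -Path C:\build | Out-Null
Export-Certificate -Cert $root -FilePath C:\build\ExampleCorpRootCA.cer | Out-Null

# 4. Sign the executable. Timestamping (assumed server URL) lets the signature
#    stay valid after the leaf certificate expires.
$exe = "C:\build\app.exe"
$sig = Set-AuthenticodeSignature -FilePath $exe -Certificate $leaf -HashAlgorithm SHA256 `
    -TimestampServer "http://timestamp.example.test"
$sig.Status          # not 'Valid' yet: the chain ends in an untrusted root

# 5. On the client (the invasive step from point 1 of the answer): import the
#    root into the machine's Trusted Root store, which requires an administrator,
#    then re-check the signature.
Import-Certificate -FilePath C:\build\ExampleCorpRootCA.cer `
    -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null
(Get-AuthenticodeSignature -FilePath $exe).Status   # Valid once the root is trusted

# 6. Rotation check (point 1 again): the root itself must be replaced and
#    redistributed before it expires, or every signed binary turns untrusted.
$root.NotAfter
```

Two practical consequences follow from the answer's second point. The signing key is the only thing standing between your clients and an attacker who can impersonate your releases, so the leaf's private key should live on the build machine (or in a hardware token), never on the public VPS, and the root's private key should not be on any network-connected host at all. And because the client only ever sees the chain, not a URL, nothing is "hosted" at signing time; the certificate chain is embedded in the executable's Authenticode signature, and the only thing you distribute separately is the root .cer for clients to trust.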
