Deploy VSTO Add-In Without Signing Certificate?

This is my first time trying to deploy a VSTO add-in to a user's system, and I am running into a security barrier. The add-in was built in Visual Studio 2019 Community Edition and is meant to integrate with Microsoft Excel. The user runs Office 365.

On running Setup.exe, the user receives the initial confirmation prompt and clicks "Install." A progress bar briefly appears and runs about 25% of the way, then an error message pops up: "Customized functionality in this application will not work because the certificate used to sign the deployment manifest for [the add-in] or its location is not trusted."

I understand that Microsoft would like me to pay for a signing certificate, but I am hoping to get this to work while avoiding that expense.

This article from Microsoft describes the use of a digital certificate as "an optional step": ClickOnce and Authenticode. This article states that an alternative route is for the user to click the "ClickOnce trust prompt" during installation: Grant trust to Office solutions. But as far as I understand the process, it is halted before it even gets to the ClickOnce trust prompt, so the user never gets that option.

For comparison, the user ran the installation on an older system. On that system he received the ClickOnce prompt, approved the software, and the installation ran successfully to the end. This indicates very strongly that the problem on the newer system is a security setting.

I instructed the user to open Excel and go to Options > Trust Center > Trust Center Settings > Add-Ins and remove the check mark from "Require Application Add-Ins to be signed by Trusted Publisher." There was no check mark to begin with, so that setting was not the issue.

I have instructed the user to go to the command prompt and clean out any remnants of the failed install with rundll32 dfshim CleanOnlineAppCache before each new installation attempt.

I'm at a loss as to where to look next. Any help would be much appreciated.

One relatively easy workaround: you pack the "publish" folder as a ZIP file, disable any online checks or deployments (in the project settings, select to publish locally, not to a website. Installing from a website or auto-update won't work without a normal certificate). Then give your user that ZIP. The user downloads that ZIP, then right-clicks the ZIP file and checks "Unblock". Then unzips and installs normally. Now any certificate should do. This applies if your user downloads your file from the internet.

So the idea is very simple: Just tell your user to click the "Unblock" checkbox before extracting files from the ZIP archive you have sent and running them.

Another solution: you simply tell the user's system to trust your "self-signed" developer's certificate (add your certificate to the "Trusted Publishers" store on the user's computer). For that you need admin rights. Please note that the user's admins probably won't like this idea, unless you and your user work in the same organization. Here are the instructions: https://docs.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate

The best and easiest of course would be if you buy a normal code signing certificate. They are not that expensive; you can get one from COMODO (Sectigo), for example, for something like $70/year through their resellers.

On the target machine, you need to install and trust the certificate used to sign your add-in (see the Signing tab of your project options).

What is required for the certification process, is it a quick process? Are they certifying me/my business or the code?

It is a quick process for the process:

Sign with valid certificate when publishing.

Add the publisher into Trusted Publisher before installing when Macro Settings is a high security level.

Finish installing.

You can obtain a certificate for code signing in one of three ways:

Purchase one from a certificate vendor.

Receive one from a group in your organization responsible for creating digital certificates.

Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK).
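
The two workarounds described in the answers above (clearing the ZIP's "Unblock" flag, and trusting a self-signed certificate as a publisher), as an added PowerShell example that is not part of the original posts. The file paths and the thumbprint are placeholders; the thumbprint is assumed to have reached the user from the developer over a separate channel.

```powershell
# Added example, not from the original posts. Run in an elevated PowerShell session.
# Both paths and the thumbprint are placeholders to be replaced.
$ZipPath  = "$env:USERPROFILE\Downloads\AddIn-publish.zip"   # hypothetical path
$CerPath  = "$env:USERPROFILE\Downloads\AddIn-signing.cer"   # hypothetical path
$Expected = '<THUMBPRINT-FROM-DEVELOPER>'                    # obtained out of band

# 1. The "Unblock" checkbox removes the Zone.Identifier alternate data stream
#    (the Mark of the Web). Show what it says before removing it.
$motw = Get-Content -LiteralPath $ZipPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Host "Mark of the Web on ${ZipPath}:"
    $motw | ForEach-Object { Write-Host "  $_" }   # ZoneId=3 is the Internet zone
    Unblock-File -LiteralPath $ZipPath
} else {
    Write-Host 'No Mark of the Web present; nothing to unblock.'
}

# 2. Load the exported public certificate and check that it is the one the
#    developer sent, is unexpired, and carries the Code Signing usage.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
if ($cert.Thumbprint -ne ($Expected -replace '\s', '')) {
    throw "Thumbprint mismatch: got $($cert.Thumbprint)"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)"
}
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.3') {
    throw 'Certificate does not carry the Code Signing enhanced key usage.'
}

# 3. Trust it as a publisher. A self-signed certificate is its own issuer, so it
#    must also be in the Root store for the chain to validate.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root

# To withdraw the trust later:
#   Remove-Item "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
#   Remove-Item "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
```

Placing a certificate in the Root store trusts it machine-wide for every usage it allows, which is why the thumbprint and key-usage checks run before the import.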
