VSTO 插件代码签名 | 安全问题
[英]VSTO Addin Code Signing | Security Question
问题描述
I would like to use the best security coding practices in a VSTO Addin project I am implementing for Microsoft Outlook application and I have a question regarding code signing.
我想在我为Microsoft Outlook应用程序实施的VSTO Addin 项目中使用最佳安全编码实践,并且我对代码签名有疑问。
Following the creation of a code signing certificate ( .pfx ), I have successfully signed:创建代码签名证书( .pfx )后,我已成功签名:
a) the DLL files produced by my project via using Visual Studio post-build event parameters . a) 我的项目通过使用 Visual Studio构建后事件参数生成的DLL文件。
b) the EXE & MSI installers using the SignTool command-line tool. b) 使用SignTool命令行工具的EXE和MSI安装程序。
c) <"filename">.vsto and <"filename">.dll.manifest files c) <"filename">.vsto和<"filename">.dll.manifest文件
My question is that I used mage tool (Manifest Generation and Editing Tool) to sign the <"filename">.VSTO and <"filename">.dll.manifest files via the following commands - according to Microsoft:我的问题是,我使用mage工具(清单生成和编辑工具)通过以下命令对<"filename">.VSTO和<"filename">.dll.manifest文件进行签名- 根据 Microsoft:
"C:\Program Files (x86)\....\mage.exe" -sign "<filename>.dll.manifest" -CertFile <certificate.pfx> -Password <password>
"C:\Program Files (x86)\....\mage.exe" -update "<filename>.vsto" -appmanifest "<filename>.dll.manifest" --CertFile <certificate.pfx> -Password <password>
Verified that the relevant files have a "valid signature" after viewing the output of the following commands;查看以下命令的output后验证相关文件有“有效签名” ; apart from Visual Studio build output (reporting successful signing):除了 Visual Studio 构建 output (报告签名成功):
"C:\Program Files (x86)\......\mage.exe" -ver "<filename>.vsto"
"C:\Program Files (x86)\......\mage.exe" -ver "<filename>.dll.manifest"
However, when I check their properties via the windows explorer I do not see any " Digital Signatures " tab, not sure if this is the proper setting?但是,当我通过 windows 资源管理器检查它们的属性时,我没有看到任何“数字签名”选项卡,不确定这是否是正确的设置?
Am I missing something?我错过了什么吗? Please let me know if there is anything I could additionally do to enhance the security posture of my VSTO Addin project.如果有什么我可以做的额外的事情来增强我的VSTO Addin 项目的安全状态,请告诉我。
Thank you.谢谢你。
References:参考:
https://github.com/MicrosoftDocs/visualstudio-docs/blob/master/docs/deployment/how-to-re-sign-application-and-deployment-manifests.md
https://github.com/MicrosoftDocs/visualstudio-docs/blob/master/docs/deployment/how-to-re-sign-application-and-deployment-manifests.mdhttps://docs.microsoft.com/en-us/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool
https://docs.microsoft.com/en-us/dotnet/framework/tools/mage-exe-manifest-generation-and-editing-tool
1 个解决方案
解决方案1
0 已采纳 2021-01-31 02:28:14
You can see digital signature in Windows Explorer only for the executable (dll and exe) files.您只能在 Windows Explorer 中查看可执行文件(dll 和 exe)的数字签名。
VSTO is a text file (try to open it in Notepad). VSTO 是一个文本文件(尝试在记事本中打开)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.