我有一个由Clickonce安装的应用程序(WPF),现在我需要对其进行签名,以便Windows可以将我的公司识别为受信任的发行者.我的C.I.中使用了以下命令行工具(带有菱形<>的参数仅用于举例说明情况):
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /target:clean;build;publish /p:ApplicationVersion=<VERSION> /p:SignAssembly=true /p:GenerateManifests=true /p:SignManifests=true /p:AssemblyOriginatorKeyFile=<PFX_PATH> /p:ManifestCertificateThumbprint=<CERTIFICATE_ID> /property:Configuration=<CONFIGURATION>;PublishDir=<PUBLISH_DIR>;BootstrapperEnabled=true;PublishUrl=<PUBLISH_URL>;InstallUrl=<INSTALL_URL>;UpdateUrl=<UPDATE_URL> C:\hudson\slave\workspace\NIMBUS-NFE-NFEasy2\NFeasy2\NFeasy2.sln
问题是:仅setup.exe被签名,并且仅使用SHA-256算法.因此,当用户运行我的应用程序时,无法识别发行者.另外,在Windows XP上运行时,安装程序将永远不会运行,因为SO无法识别签名(似乎WinXP需要SHA-1).
如何设置项目或命令行以使用SHA-1和SHA-256算法对所有文件进行签名?此外,是否会在每次运行应用程序时停止提示用户的权限?如果没有,有办法吗?
谢谢!
解决方法:
通过Internet阅读了许多解决方案后,我设法编写了一个批处理文件以进行完整签名.请注意,这仅适用于特定版本,我必须按以下顺序将它们放入“路径”:
C:\Program Files (x86)\Windows Kits\8.1\bin\x86;
C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin;
脚本如下:
rem renaming the setup.exe because it will be treated separately
ren setup.exe setup._
rem removing the .DEPLOY extension, getting back the original one
for /r %%x in (*.deploy) do ren "%%x" *.
rem signing all files with my certificate
for /r %%x in (*.exe *.dll) do signtool.exe sign /fd sha1 /as /sha1 <MY_CERTIFICATE> "%%x"
for /r %%x in (*.exe *.dll) do signtool.exe sign /fd sha256 /as /sha1 <MY_CERTIFICATE> "%%x"
rem updating the manifest with the new signatures
for /r %%x in (*.manifest) do mage.exe -update "%%x"
rem signing the manifest file
for /r %%x in (*.manifest) do mage.exe -sign "%%x" -ch <MY_CERTIFICATE>
rem putting the .DEPLOY extension in all files renamed previously
for /r %%x in (*.exe *.dll *.config *.cer *.ttf *.ico *.xml *.p7b) do ren "%%x" *.*.deploy
rem getting back setup.exe
ren setup._ setup.exe
rem signing setup.exe file
signtool.exe sign /fd sha1 /as /sha1 <MY_CERTIFICATE> setup.exe
signtool.exe sign /fd sha256 /as /sha1 <MY_CERTIFICATE> setup.exe
rem updating MyApp.Application file
for /r %%x in (*.manifest) do mage.exe -update MyApp.Application -appm "%%x"
rem signing MyApp.Application file
mage.exe -sign MyApp.Application -ch <MY_CERTIFICATE>
rem updating the new signed file to the destiny folder
for /r %%x in (*.application) do xcopy MyApp.Application "%%x" /y