How to authenticate a ClickOnce deployment with an EV SHA2 certificate and avoid "Unknown Publisher"

Question
When signing my ClickOnce deployment via Visual Studio's project "Signing" settings page I specified our SHA2 (SHA256) EV Authenticode certificate and published.
After publishing and attempting to run the bootstrapper (setup.exe) I'm presented with "Unknown Publisher" in the ClickOnce dialog.
The EV certificate in question is valid and lives on an eToken hardware token, with the SafeNet client tools used to communicate with the token. Signing regular PE files (exe and dll) with signtool always produces perfectly valid assemblies and the publisher is known. This is only an issue with ClickOnce deployments. In addition, the individual files of the ClickOnce deployment look perfectly valid because the Digital Signatures tab of the file properties dialog lists the bootstrapper (setup.exe) and the assembly files suffixed with ".deploy" correctly.
Also, the ".application" and ".manifest" files are appropriately mutated (probably via mage by Visual Studio) to contain the <publisherIdentity> element along with the algorithm set correctly.
The signing machine is running Win10 and I've tried every permutation I could imagine:
- With and without a timestamp
- With and without strong name signing
- With and without online publishing
- With and without https online publishing
- With and without specific "Update location" via Publish page
- With and without "Publisher name" set via Description in Publish page
- With every combination of Manifest options:
  - Exclude deployment provider URL
  - Block application from being activated via a URL
  - Use application manifest for trust information
- Multiple machines on various versions of Windows
- Manual manifest signing and assembly signing via mage and signtool (yes mageui as well)
- Ensured with the certificate provider that the cert is not revoked
There appears to be someone else experiencing this.
Answer

This occurs due to a couple of factors:
- ClickOnce displays "Unknown Publisher" when using a SHA2 Authenticode certificate.
- On January 1st 2016 Windows deprecated SHA1 for Authenticode (code) signing. Windows SmartScreen technology thus displays "Unknown Publisher" when using a SHA1 Authenticode certificate.
This is in effect a catch-22, you need SHA1 for ClickOnce publisher verification and SHA2 for SmartScreen. Nice.
Work with your certificate provider (hopefully a true CA) to get both a SHA1 and a SHA2 certificate. The folks at DigiCert were great. You must work with your CA in most cases because even if you already have your own SHA2 cert and you work with them to also get a SHA1 cert (or vice versa), it will likely auto-revoke any existing certificates you have with them. In the case of DigiCert they were able to prevent the automatic revocation when I explained what I wanted to try (dual signing).
After you've installed those on your EV token, configure Visual Studio to sign your ClickOnce manifests with your SHA1 certificate. Ideally you'll also supply a Timestamp server in that same dialog for the eventual expiration of your certificate.
After publishing your ClickOnce deployment locally and before distributing, dual sign your ClickOnce bootstrapper (setup.exe) by appending your SHA2 certificate.
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 YourCertThumbprintHash "X:\Deployment\ClickOnceCert\setup.exe"
Note, one way to find your cert thumbprint is via the Certificates MMC snap-in. And yes, thumbprints are supposed to be SHA1 for SHA2 certs.
Now, the bootstrapper shows both of your certificates in the Digital Signatures tab of the file properties dialog.
When you run the setup.exe from the location specified as your "Installation Folder URL" of your Publish page in Visual Studio, you should see the publisher as trusted. It's important to understand the Installation Folder because if you were to run the app from another location you should expect that not to be trusted because the bootstrapper will make calls to the known Installation Folder to retrieve Application Files.
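As an added example (not part of the original answer), the procedure above as a PowerShell script run on the signing machine with the token attached: it checks that both certificates are reachable in the personal store, shows which identity and algorithms the published ".application" manifest carries, ensures the SHA1 signature is the primary one on setup.exe, appends the SHA2 signature with `/as`, and verifies every signature with `signtool verify /all`. The thumbprints, the publish folder `X:\Deployment\ClickOnceCert`, and `signtool.exe` being on PATH are assumptions you must replace with your own values.

```powershell
# Added example, not from the original answer: dual-sign the ClickOnce bootstrapper from
# PowerShell and verify both signatures. Thumbprints, paths and the signtool location are
# placeholders (assumptions) that you must replace for your own token and publish folder.
$ErrorActionPreference = 'Stop'

$Sha1Thumb = 'REPLACE_WITH_SHA1_CERT_THUMBPRINT'      # cert chosen on the Visual Studio Signing page
$Sha2Thumb = 'REPLACE_WITH_SHA256_EV_CERT_THUMBPRINT' # EV SHA2 cert appended as the second signature
$TsaUrl    = 'http://timestamp.digicert.com'
$Publish   = 'X:\Deployment\ClickOnceCert'            # the "Installation Folder URL" location (assumed)
$SetupExe  = Join-Path $Publish 'setup.exe'
$SignTool  = 'signtool.exe'                           # assumed on PATH; otherwise give the Windows SDK path

function Assert-SignToolOk([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "signtool failed during: $Step (exit code $LASTEXITCODE)" }
}

# 1. Both certificates must be visible in the personal store; the SafeNet client exposes the
#    token's certificates there. A thumbprint is the SHA1 hash of the certificate blob regardless
#    of the certificate's own signature algorithm, so a 40-hex-digit value is expected for both.
foreach ($thumb in @($Sha1Thumb, $Sha2Thumb)) {
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "Certificate with thumbprint $thumb not found in Cert:\CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "No private key reachable for $thumb (is the token plugged in?)" }
    '{0} | {1} | {2} | expires {3:d}' -f $cert.Thumbprint, $cert.Subject, $cert.SignatureAlgorithm.FriendlyName, $cert.NotAfter
}

# 2. The deployment manifest written by Publish should already carry <publisherIdentity>; print the
#    identity and the signature/digest algorithms so you can confirm which cert the manifest used.
$DeployManifest = Get-ChildItem -Path $Publish -Filter '*.application' | Select-Object -First 1
if ($DeployManifest) {
    Select-String -Path $DeployManifest.FullName -Pattern 'publisherIdentity|SignatureMethod|DigestMethod' |
        ForEach-Object { $_.Line.Trim() }
}

# 3. The primary signature must come from the SHA1 cert, the one ClickOnce matches against the
#    manifests. Publish normally applies it; only sign here if setup.exe came out unsigned.
$existing = Get-AuthenticodeSignature -FilePath $SetupExe
if ($existing.Status -eq 'NotSigned') {
    & $SignTool sign /fd sha1 /t $TsaUrl /sha1 $Sha1Thumb $SetupExe
    Assert-SignToolOk 'primary SHA1 signature'
} elseif ($existing.SignerCertificate.Thumbprint -ne $Sha1Thumb) {
    throw "setup.exe primary signature is from $($existing.SignerCertificate.Thumbprint), not the SHA1 cert"
}

# 4. Append (/as) the SHA2 signature with an RFC 3161 timestamp. Without /as, signtool replaces
#    the existing signature instead of adding a second one.
& $SignTool sign /tr $TsaUrl /td sha256 /fd sha256 /as /sha1 $Sha2Thumb $SetupExe
Assert-SignToolOk 'appended SHA256 signature'

# 5. Verify every signature in the file. Get-AuthenticodeSignature only reports the primary
#    signature, so use signtool's /all to check the nested one as well.
& $SignTool verify /pa /all /v $SetupExe
Assert-SignToolOk 'verification of all signatures'
```

Run it after Publish and before copying the folder to the Installation Folder URL. Step 3 guards against the mistake the catch-22 invites: if the SHA2 cert ends up as the primary signature, ClickOnce will still report "Unknown Publisher", and only step 5 (not the Digital Signatures tab or Get-AuthenticodeSignature alone) tells you that both signatures chain and verify.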