如何使用 EV SHA2 证书对 ClickOnce 部署进行 Authenticode 签名并避免 "Unknown Publisher"
How to Authenticode sign ClickOnce deployment with an EV SHA2 cert and avoid "Unknown Publisher"
在通过 Visual Studio 的项目 "Signing" 设置页面签署我的 ClickOnce 部署时,我指定了我们的 SHA2 (SHA256) EV Authenticode 证书并发布。
发布并尝试 运行 引导程序 (setup.exe) 后,我在 ClickOnce 对话框中看到 "Unknown Publisher"。
有问题的 EV 证书是有效的,并且 运行 在 eToken 硬件令牌上使用 SafeNet 客户端工具与令牌进行通信。使用 signtool 对常规 PE 文件(exe 和 dll)进行签名总是会生成完全有效的程序集,并且发布者是已知的。 这只是 ClickOnce 部署的一个问题。此外,ClickOnce 部署的各个文件看起来完全有效,因为引导程序 (setup.exe) 和以“.deploy”为后缀的程序集文件正确列出了文件属性对话框的数字签名选项卡。
此外,“.application”和“.manifest”文件也进行了适当的修改(可能是通过 Visual Studio 的 mage)以包含 <publisherIdentity> 元素以及正确设置的算法。
签名机是 运行ning Win10,我已经尝试了我能想到的所有排列:
- 带和不带时间戳
- 有和没有强名称签名
- 有和没有在线发布
- 有无https在线发布
- 有和没有特定的 "Update location" 通过发布页面
- 有无 "Publisher name" 通过发布页面中的描述设置
- 对于清单选项的每个组合:
- 排除部署提供商URL
- 阻止应用程序通过 URL
激活
- 使用应用程序清单获取信任信息
- 不同版本的多台机器Windows
- 通过 mage 和 signtool 进行手动清单签名和程序集签名(也是 mageui)
- 确保证书未被证书提供商吊销
发生这种情况的原因是几个因素:
- 使用 SHA2 Authenticode 证书时,ClickOnce 显示 "Unknown Publisher"。
- 2016 年 1 月 1 日 Windows 弃用了用于 Authenticode 签名/代码签名的 SHA1。 Windows SmartScreen 技术因此在使用 SHA1 Authenticode 证书时显示 "Unknown Publisher"。
这实际上是一个 catch-22,您需要 SHA1 用于 ClickOnce 发布者验证,SHA2 用于 SmartScreen。 不错。
与您的证书提供商(希望是真正的 CA)合作,为您获取 SHA1 和 SHA2 证书。 DigiCert 的员工很棒。在大多数情况下,您必须与您的 CA 合作,因为即使您已经拥有自己的 SHA2 证书并且与他们合作以获得 SHA1 证书(或反之亦然),它也可能会自动撤销您拥有的任何现有证书.在 DigiCert 的情况下,当我解释我想尝试的内容(双重签名)时,他们能够防止自动撤销。
在您的 EV 令牌上安装这些之后,配置 Visual Studio 以使用您的 SHA1 证书签署您的 ClickOnce 清单。理想情况下,您还将在同一对话框中提供一个时间戳服务器,用于证书的最终到期。
在本地发布您的 ClickOnce 部署之后和分发之前,通过附加您的 SHA2 证书对您的 ClickOnce 引导程序 (setup.exe) 进行双重签名。
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 YourCertThumbprintHash "X:\Deployment\ClickOnceCert\setup.exe"
请注意,查找证书指纹的一种方法是通过证书 MMC 管理单元。是的,对于 SHA2 证书,指纹应该是 SHA1。
现在,引导程序会在文件属性对话框的数字签名选项卡中显示您的两个证书。
当您从 Visual Studio 中指定为发布页面的 "Installation Folder URL" 的位置 运行 setup.exe 时,您应该会看到发布者是可信的。了解安装文件夹很重要,因为如果您要从另一个位置 运行 应用程序,您应该 预期 不被信任,因为引导程序将调用已知的安装用于检索应用程序文件的文件夹。
无论如何,对我来说,标记的答案会导致智能屏幕警告。您可能对我编写的 PowerShell 脚本感兴趣,它通过使用 SHA256 证书签署它可以解决的问题,然后使用 SHA1 证书签署 ClickOnce (.application) 文件来解决这两个问题。
发帖时的代码
<#
.SYNOPSIS
A PowerShell Script to correctly sign a ClickOnce Application.
.DESCRIPTION
Microsoft ClickOnce Applications Signed with a SHA256 Certificate show as Unknown Publisher during installation, ClickOnce Applications signed with a SHA1 Certificate show an Unknown Publisher SmartScreen Warning once installed, this happens because:
1) The ClickOnce installer only supports SHA1 certificates (not SHA256), but,
2) Microsoft has depreciated SHA1 for Authenticode Signing.
This script uses two code signing certificates (one SHA1 and one SHA256) to sign the various parts of the ClickOnce Application so that both the ClickOnce Installer and SmartScreen are happy.
.PARAMETER VSRoot
The Visual Studio Projects folder, if not provided .\Documents\Visual Studio 2015\Projects will be assumed
.PARAMETER SolutionName
The Name of the Visual Studio Solution (Folder), if not provided the user is prompted.
.PARAMETER ProjectName
The Name of the Visual Studio Project (Folder), if not provided the user is prompted.
.PARAMETER SHA1CertThumbprint
The Thumbprint of the SHA1 Code Signing Certificate, if not provided the user is prompted.
.PARAMETER SHA256CertThumbprint
The Thumbprint of the SHA256 Code Signing Certificate, if not provided the user is prompted.
.PARAMETER TimeStampingServer
The Time Stamping Server to be used while signing, if not provided the user is prompted.
.PARAMETER PublisherName
The Publisher to be set on the ClickOnce files, if not provided the user is prompted.
.PARAMETER Verbose
Writes verbose output.
.EXAMPLE
SignClickOnceApp.ps1 -VSRoot "C:\Users\Username\Documents\Visual Studio 2015\Projects" -SolutionName "MySolution" -ProjectName "MyProject" -SHA1CertThumbprint "f3f33ccc36ffffe5baba632d76e73177206143eb" -SHA256CertThumbprint "5d81f6a4e1fb468a3b97aeb3601a467cdd5e3266" -TimeStampingServer "http://time.certum.pl/" -PublisherName "Awesome Software Inc."
Signs MyProject in MySolution which is in C:\Users\Username\Documents\Visual Studio 2015\Projects using the specified certificates, with a publisher of "Awesome Software Inc." and the Certum Timestamping Server.
.NOTES
Author : Joe Pitt
License : SignClickOnceApp by Joe Pitt is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
.LINK
https://www.joepitt.co.uk/Project/SignClickOnceApp/
#>
param (
[string]$VSRoot,
[string]$SolutionName,
[string]$ProjectName,
[string]$SHA1CertThumbprint,
[string]$SHA256CertThumbprint,
[string]$TimeStampingServer,
[string]$PublisherName,
[switch]$Verbose
)
$oldverbose = $VerbosePreference
if($Verbose)
{
$VerbosePreference = "continue"
}
# Visual Studio Root Path
if(!$PSBoundParameters.ContainsKey('VSRoot'))
{
$VSRoot = '.\Documents\Visual Studio 2015\Projects\'
}
if (Test-Path "$VSRoot")
{
Write-Verbose "Using '$VSRoot' for Visual Studio Root"
}
else
{
Write-Error -Message "VSRoot does not exist." -RecommendedAction "Check path and try again" -ErrorId "1" `
-Category ObjectNotFound -CategoryActivity "Testing VSRoot Path" -CategoryReason "The VSRoot path was not found" `
-CategoryTargetName "$VSRoot" -CategoryTargetType "Directory"
exit 1
}
# Solution Path
if(!$PSBoundParameters.ContainsKey('SolutionName'))
{
$SolutionName = Read-Host "Solution Name"
}
if (Test-Path "$VSRoot$SolutionName")
{
Write-Verbose "Using '$VSRoot$SolutionName' for Solution Path"
$SolutionPath = "$VSRoot$SolutionName"
}
else
{
Write-Error -Message "Solution does not exist." -RecommendedAction "Check Solution Name and try again" -ErrorId "2" `
-Category ObjectNotFound -CategoryActivity "Testing Solution Path" -CategoryReason "The Solution path was not found" `
-CategoryTargetName "$VSRoot$SolutionName" -CategoryTargetType "Directory"
exit 2
}
# Project Path
if(!$PSBoundParameters.ContainsKey('ProjectName'))
{
$ProjectName = Read-Host "Project Name"
}
if (Test-Path "$SolutionPath$ProjectName")
{
Write-Verbose "Using '$SolutionPath$ProjectName' for Project Path"
$ProjectPath = "$SolutionPath$ProjectName"
}
else
{
Write-Error -Message "Project does not exist." -RecommendedAction "Check Project Name and try again" -ErrorId "3" `
-Category ObjectNotFound -CategoryActivity "Testing Project Path" -CategoryReason "The Project path was not found" `
-CategoryTargetName "$SolutionPath$ProjectName" -CategoryTargetType "Directory"
exit 3
}
# Publish Path
if (Test-Path "$ProjectPath\publish")
{
Write-Verbose "Using '$ProjectPath\publish' for Publish Path"
$PublishPath = "$ProjectPath\publish"
}
else
{
Write-Error -Message "Publish path does not exist." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "4" `
-Category ObjectNotFound -CategoryActivity "Testing Publish Path" -CategoryReason "The publish path was not found" `
-CategoryTargetName "$ProjectPath\publish" -CategoryTargetType "Directory"
exit 4
}
# Application Files Path
if (Test-Path "$PublishPath\Application Files")
{
Write-Verbose "Using '$PublishPath\Application Files' for Application Files Path"
$AppFilesPath = "$PublishPath\Application Files"
}
else
{
Write-Error -Message "Application Files path does not exist." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "5" `
-Category ObjectNotFound -CategoryActivity "Testing Application Files Path" -CategoryReason "The Application Files path was not found" `
-CategoryTargetName "$PublishPath\Application Files" -CategoryTargetType "Directory"
exit 5
}
# Target Path
$TargetPath = Convert-Path "$AppFilesPath${ProjectName}_*"
if ($($TargetPath.Length) -ne 0)
{
Write-Verbose "Using $TargetPath for Target Path"
}
else
{
Write-Error -Message "No versions." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "6" `
-Category ObjectNotFound -CategoryActivity "Searching for published version path" -CategoryReason "No Application has been published using ClickOnce" `
-CategoryTargetName "$AppFilesPath${ProjectName}_*" -CategoryTargetType "Directory"
exit 6
}
# SHA1 Certificate
if(!$PSBoundParameters.ContainsKey('SHA1CertThumbprint'))
{
$SHA1CertThumbprint = Read-Host "SHA1 Certificate Thumbprint"
}
if ("$SHA1CertThumbprint" -notmatch "^[0-9A-Fa-f]{40}$")
{
Write-Error -Message "SHA1 Thumbprint Malformed" -RecommendedAction "Check the thumbprint and try again" -ErrorId "7" `
-Category InvalidArgument -CategoryActivity "Verifying Thumbprint Format" -CategoryReason "Thumbprint is not a 40 character Base64 string" `
-CategoryTargetName "$SHA1CertThumbprint" -CategoryTargetType "Base64String"
exit 7
}
$SHA1Found = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Thumbprint -eq "$SHA1CertThumbprint"} | Measure-Object
if ($SHA1Found.Count -eq 0)
{
Write-Error -Message "SHA1 Certificate Not Found" -RecommendedAction "Check the thumbprint and try again" -ErrorId "8" `
-Category ObjectNotFound -CategoryActivity "Searching for certificate" -CategoryReason "Certificate with Thumbprint not found" `
-CategoryTargetName "$SHA1CertThumbprint" -CategoryTargetType "Base64String"
exit 8
}
# SHA256 Certificate
if(!$PSBoundParameters.ContainsKey('SHA256CertThumbprint'))
{
$SHA256CertThumbprint = Read-Host "SHA256 Certificate Thumbprint"
}
if ("$SHA256CertThumbprint" -notmatch "^[0-9A-Fa-f]{40}$")
{
Write-Error -Message "SHA256 Thumbprint Malformed" -RecommendedAction "Check the thumbprint and try again" -ErrorId "9" `
-Category InvalidArgument -CategoryActivity "Verifying Thumbprint Format" -CategoryReason "Thumbprint is not a 40 character Base64 string" `
-CategoryTargetName "$SHA256CertThumbprint" -CategoryTargetType "Base64String"
exit 9
}
$SHA256Found = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Thumbprint -eq "$SHA256CertThumbprint"} | Measure-Object
if ($SHA256Found.Count -eq 0)
{
Write-Error -Message "SHA256 Certificate Not Found" -RecommendedAction "Check the thumbprint and try again" -ErrorId "10" `
-Category ObjectNotFound -CategoryActivity "Searching for certificate" -CategoryReason "Certificate with Thumbprint not found" `
-CategoryTargetName "$SHA256CertThumbprint" -CategoryTargetType "Base64String"
exit 10
}
# TimeStamping Server
if(!$PSBoundParameters.ContainsKey('TimeStampingServer'))
{
$TimeStampingServer = Read-Host "TimeStamping Server URL"
}
if ("$TimeStampingServer" -notmatch "^http(s)?:\/\/[A-Za-z0-9-._~:/?#[\]@!$&'()*+,;=]+$")
{
Write-Error -Message "SHA256 Thumbprint Malformed" -RecommendedAction "Check the TimeStamp URL and try again" -ErrorId "11" `
-Category InvalidArgument -CategoryActivity "Verifying TimeStamping URL" -CategoryReason "TimeStamping URL is not a RFC Compliant URL" `
-CategoryTargetName "$TimeStampingServer" -CategoryTargetType "URL"
exit 11
}
# Publisher Name
# Project Path
if(!$PSBoundParameters.ContainsKey('PublisherName'))
{
$PublisherName = Read-Host "Publisher Name"
}
# Sign setup.exe and application.exe with SHA256 Cert
Write-Verbose "Signing '$PublishPath\Setup.exe' (SHA256)"
Start-Process "$PSScriptRoot\signtool.exe" -ArgumentList "sign /fd SHA256 /td SHA256 /tr $TimeStampingServer /sha1 $SHA256CertThumbprint `"$PublishPath\Setup.exe`"" -Wait -NoNewWindow
Write-Verbose "Signing '$TargetPath$ProjectName.exe.deploy' (SHA256)"
Start-Process "$PSScriptRoot\signtool.exe" -ArgumentList "sign /fd SHA256 /td SHA256 /tr $TimeStampingServer /sha1 $SHA256CertThumbprint `"$TargetPath$ProjectName.exe.deploy`"" -Wait -NoNewWindow
# Remove .deploy extensions
Write-Verbose "Removing .deploy extensions"
Get-ChildItem "$TargetPath\*.deploy" -Recurse | Rename-Item -NewName { $_.Name -replace '\.deploy','' }
# Sign Manifest with SHA256 Cert
Write-Verbose "Signing '$TargetPath$ProjectName.exe.manifest' (SHA256)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$TargetPath$ProjectName.exe.manifest`" -ch $SHA256CertThumbprint -if `"Logo.ico`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
# Sign ClickOnces with SHA1 Cert
Write-Verbose "Signing '$TargetPath$ProjectName.application' (SHA1)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$TargetPath$ProjectName.application`" -ch $SHA1CertThumbprint -appManifest `"$TargetPath$ProjectName.exe.manifest`" -pub `"$PublisherName`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
Write-Verbose "Signing '$PublishPath$ProjectName.application' (SHA1)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$PublishPath$ProjectName.application`" -ch $SHA1CertThumbprint -appManifest `"$TargetPath$ProjectName.exe.manifest`" -pub `"$PublisherName`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
# Readd .deply extensions
Write-Verbose "Re-adding .deploy extensions"
Get-ChildItem -Path "$TargetPath\*" -Recurse | Where-Object {!$_.PSIsContainer -and $_.Name -notlike "*.manifest" -and $_.Name -notlike "*.application"} | Rename-Item -NewName {$_.Name + ".deploy"}
似乎自 Visual Studio 15.7.5(或者可能是以前的版本,我没有检查它们)以来,setup.exe 和应用程序二进制文件在使用 SHA2 EV 代码签名时都对 ClickOnce 有效签名证书(无需向您的证书提供商索取 SHA-1)。我正在使用 Windows 10 (10.0.16299.492),我们也在 Windows 8 上检查过它,两者都工作正常。我不知道这是更新版本 Visual Studio 还是 SmartScreen 的影响。一年前我未能发布已签名的 ClickOnce 应用程序,现在一切正常。
主要应用项目签名属性:
"Select from store" 对话:
已发布 ClickOnce setup.exe 属性
已发布的 ClickOnce 应用程序 *.exe.deploy 文件属性
安装提示,全是绿色,漂亮:
如果您正在寻找更适合 Azure DevOps CI/CD 管道的东西,我已经采用了 Joe Pitt 的工作并为我的管道重构了它。它在 github here
您可以向脚本传递一个 pmx 文件路径和密码,它将调整证书、安装它并对可执行文件、安装程序、清单和应用程序文件进行签名。
请帮我做得更好:)
在通过 Visual Studio 的项目 "Signing" 设置页面签署我的 ClickOnce 部署时,我指定了我们的 SHA2 (SHA256) EV Authenticode 证书并发布。
发布并尝试 运行 引导程序 (setup.exe) 后,我在 ClickOnce 对话框中看到 "Unknown Publisher"。
有问题的 EV 证书是有效的,并且 运行 在 eToken 硬件令牌上使用 SafeNet 客户端工具与令牌进行通信。使用 signtool 对常规 PE 文件(exe 和 dll)进行签名总是会生成完全有效的程序集,并且发布者是已知的。 这只是 ClickOnce 部署的一个问题。此外,ClickOnce 部署的各个文件看起来完全有效,因为引导程序 (setup.exe) 和以“.deploy”为后缀的程序集文件正确列出了文件属性对话框的数字签名选项卡。
此外,“.application”和“.manifest”文件也进行了适当的修改(可能是通过 Visual Studio 的 mage)以包含 <publisherIdentity> 元素以及正确设置的算法。
签名机是 运行ning Win10,我已经尝试了我能想到的所有排列:
- 带和不带时间戳
- 有和没有强名称签名
- 有和没有在线发布
- 有无https在线发布
- 有和没有特定的 "Update location" 通过发布页面
- 有无 "Publisher name" 通过发布页面中的描述设置
- 对于清单选项的每个组合:
- 排除部署提供商URL
- 阻止应用程序通过 URL 激活
- 使用应用程序清单获取信任信息
- 不同版本的多台机器Windows
- 通过 mage 和 signtool 进行手动清单签名和程序集签名(也是 mageui)
- 确保证书未被证书提供商吊销
发生这种情况的原因是几个因素:
- 使用 SHA2 Authenticode 证书时,ClickOnce 显示 "Unknown Publisher"。
- 2016 年 1 月 1 日 Windows 弃用了用于 Authenticode 签名/代码签名的 SHA1。 Windows SmartScreen 技术因此在使用 SHA1 Authenticode 证书时显示 "Unknown Publisher"。
这实际上是一个 catch-22,您需要 SHA1 用于 ClickOnce 发布者验证,SHA2 用于 SmartScreen。 不错。
与您的证书提供商(希望是真正的 CA)合作,为您获取 SHA1 和 SHA2 证书。 DigiCert 的员工很棒。在大多数情况下,您必须与您的 CA 合作,因为即使您已经拥有自己的 SHA2 证书并且与他们合作以获得 SHA1 证书(或反之亦然),它也可能会自动撤销您拥有的任何现有证书.在 DigiCert 的情况下,当我解释我想尝试的内容(双重签名)时,他们能够防止自动撤销。
在您的 EV 令牌上安装这些之后,配置 Visual Studio 以使用您的 SHA1 证书签署您的 ClickOnce 清单。理想情况下,您还将在同一对话框中提供一个时间戳服务器,用于证书的最终到期。
在本地发布您的 ClickOnce 部署之后和分发之前,通过附加您的 SHA2 证书对您的 ClickOnce 引导程序 (setup.exe) 进行双重签名。
signtool.exe sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /as /sha1 YourCertThumbprintHash "X:\Deployment\ClickOnceCert\setup.exe"
请注意,查找证书指纹的一种方法是通过证书 MMC 管理单元。是的,对于 SHA2 证书,指纹应该是 SHA1。
现在,引导程序会在文件属性对话框的数字签名选项卡中显示您的两个证书。
当您从 Visual Studio 中指定为发布页面的 "Installation Folder URL" 的位置 运行 setup.exe 时,您应该会看到发布者是可信的。了解安装文件夹很重要,因为如果您要从另一个位置 运行 应用程序,您应该 预期 不被信任,因为引导程序将调用已知的安装用于检索应用程序文件的文件夹。
无论如何,对我来说,标记的答案会导致智能屏幕警告。您可能对我编写的 PowerShell 脚本感兴趣,它通过使用 SHA256 证书签署它可以解决的问题,然后使用 SHA1 证书签署 ClickOnce (.application) 文件来解决这两个问题。
发帖时的代码
<#
.SYNOPSIS
A PowerShell Script to correctly sign a ClickOnce Application.
.DESCRIPTION
Microsoft ClickOnce Applications Signed with a SHA256 Certificate show as Unknown Publisher during installation, ClickOnce Applications signed with a SHA1 Certificate show an Unknown Publisher SmartScreen Warning once installed, this happens because:
1) The ClickOnce installer only supports SHA1 certificates (not SHA256), but,
2) Microsoft has depreciated SHA1 for Authenticode Signing.
This script uses two code signing certificates (one SHA1 and one SHA256) to sign the various parts of the ClickOnce Application so that both the ClickOnce Installer and SmartScreen are happy.
.PARAMETER VSRoot
The Visual Studio Projects folder, if not provided .\Documents\Visual Studio 2015\Projects will be assumed
.PARAMETER SolutionName
The Name of the Visual Studio Solution (Folder), if not provided the user is prompted.
.PARAMETER ProjectName
The Name of the Visual Studio Project (Folder), if not provided the user is prompted.
.PARAMETER SHA1CertThumbprint
The Thumbprint of the SHA1 Code Signing Certificate, if not provided the user is prompted.
.PARAMETER SHA256CertThumbprint
The Thumbprint of the SHA256 Code Signing Certificate, if not provided the user is prompted.
.PARAMETER TimeStampingServer
The Time Stamping Server to be used while signing, if not provided the user is prompted.
.PARAMETER PublisherName
The Publisher to be set on the ClickOnce files, if not provided the user is prompted.
.PARAMETER Verbose
Writes verbose output.
.EXAMPLE
SignClickOnceApp.ps1 -VSRoot "C:\Users\Username\Documents\Visual Studio 2015\Projects" -SolutionName "MySolution" -ProjectName "MyProject" -SHA1CertThumbprint "f3f33ccc36ffffe5baba632d76e73177206143eb" -SHA256CertThumbprint "5d81f6a4e1fb468a3b97aeb3601a467cdd5e3266" -TimeStampingServer "http://time.certum.pl/" -PublisherName "Awesome Software Inc."
Signs MyProject in MySolution which is in C:\Users\Username\Documents\Visual Studio 2015\Projects using the specified certificates, with a publisher of "Awesome Software Inc." and the Certum Timestamping Server.
.NOTES
Author : Joe Pitt
License : SignClickOnceApp by Joe Pitt is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
.LINK
https://www.joepitt.co.uk/Project/SignClickOnceApp/
#>
param (
[string]$VSRoot,
[string]$SolutionName,
[string]$ProjectName,
[string]$SHA1CertThumbprint,
[string]$SHA256CertThumbprint,
[string]$TimeStampingServer,
[string]$PublisherName,
[switch]$Verbose
)
$oldverbose = $VerbosePreference
if($Verbose)
{
$VerbosePreference = "continue"
}
# Visual Studio Root Path
if(!$PSBoundParameters.ContainsKey('VSRoot'))
{
$VSRoot = '.\Documents\Visual Studio 2015\Projects\'
}
if (Test-Path "$VSRoot")
{
Write-Verbose "Using '$VSRoot' for Visual Studio Root"
}
else
{
Write-Error -Message "VSRoot does not exist." -RecommendedAction "Check path and try again" -ErrorId "1" `
-Category ObjectNotFound -CategoryActivity "Testing VSRoot Path" -CategoryReason "The VSRoot path was not found" `
-CategoryTargetName "$VSRoot" -CategoryTargetType "Directory"
exit 1
}
# Solution Path
if(!$PSBoundParameters.ContainsKey('SolutionName'))
{
$SolutionName = Read-Host "Solution Name"
}
if (Test-Path "$VSRoot$SolutionName")
{
Write-Verbose "Using '$VSRoot$SolutionName' for Solution Path"
$SolutionPath = "$VSRoot$SolutionName"
}
else
{
Write-Error -Message "Solution does not exist." -RecommendedAction "Check Solution Name and try again" -ErrorId "2" `
-Category ObjectNotFound -CategoryActivity "Testing Solution Path" -CategoryReason "The Solution path was not found" `
-CategoryTargetName "$VSRoot$SolutionName" -CategoryTargetType "Directory"
exit 2
}
# Project Path
if(!$PSBoundParameters.ContainsKey('ProjectName'))
{
$ProjectName = Read-Host "Project Name"
}
if (Test-Path "$SolutionPath$ProjectName")
{
Write-Verbose "Using '$SolutionPath$ProjectName' for Project Path"
$ProjectPath = "$SolutionPath$ProjectName"
}
else
{
Write-Error -Message "Project does not exist." -RecommendedAction "Check Project Name and try again" -ErrorId "3" `
-Category ObjectNotFound -CategoryActivity "Testing Project Path" -CategoryReason "The Project path was not found" `
-CategoryTargetName "$SolutionPath$ProjectName" -CategoryTargetType "Directory"
exit 3
}
# Publish Path
if (Test-Path "$ProjectPath\publish")
{
Write-Verbose "Using '$ProjectPath\publish' for Publish Path"
$PublishPath = "$ProjectPath\publish"
}
else
{
Write-Error -Message "Publish path does not exist." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "4" `
-Category ObjectNotFound -CategoryActivity "Testing Publish Path" -CategoryReason "The publish path was not found" `
-CategoryTargetName "$ProjectPath\publish" -CategoryTargetType "Directory"
exit 4
}
# Application Files Path
if (Test-Path "$PublishPath\Application Files")
{
Write-Verbose "Using '$PublishPath\Application Files' for Application Files Path"
$AppFilesPath = "$PublishPath\Application Files"
}
else
{
Write-Error -Message "Application Files path does not exist." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "5" `
-Category ObjectNotFound -CategoryActivity "Testing Application Files Path" -CategoryReason "The Application Files path was not found" `
-CategoryTargetName "$PublishPath\Application Files" -CategoryTargetType "Directory"
exit 5
}
# Target Path
$TargetPath = Convert-Path "$AppFilesPath${ProjectName}_*"
if ($($TargetPath.Length) -ne 0)
{
Write-Verbose "Using $TargetPath for Target Path"
}
else
{
Write-Error -Message "No versions." -RecommendedAction "Check Project has been published to \publish and try again" -ErrorId "6" `
-Category ObjectNotFound -CategoryActivity "Searching for published version path" -CategoryReason "No Application has been published using ClickOnce" `
-CategoryTargetName "$AppFilesPath${ProjectName}_*" -CategoryTargetType "Directory"
exit 6
}
# SHA1 Certificate
if(!$PSBoundParameters.ContainsKey('SHA1CertThumbprint'))
{
$SHA1CertThumbprint = Read-Host "SHA1 Certificate Thumbprint"
}
if ("$SHA1CertThumbprint" -notmatch "^[0-9A-Fa-f]{40}$")
{
Write-Error -Message "SHA1 Thumbprint Malformed" -RecommendedAction "Check the thumbprint and try again" -ErrorId "7" `
-Category InvalidArgument -CategoryActivity "Verifying Thumbprint Format" -CategoryReason "Thumbprint is not a 40 character Base64 string" `
-CategoryTargetName "$SHA1CertThumbprint" -CategoryTargetType "Base64String"
exit 7
}
$SHA1Found = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Thumbprint -eq "$SHA1CertThumbprint"} | Measure-Object
if ($SHA1Found.Count -eq 0)
{
Write-Error -Message "SHA1 Certificate Not Found" -RecommendedAction "Check the thumbprint and try again" -ErrorId "8" `
-Category ObjectNotFound -CategoryActivity "Searching for certificate" -CategoryReason "Certificate with Thumbprint not found" `
-CategoryTargetName "$SHA1CertThumbprint" -CategoryTargetType "Base64String"
exit 8
}
# SHA256 Certificate
if(!$PSBoundParameters.ContainsKey('SHA256CertThumbprint'))
{
$SHA256CertThumbprint = Read-Host "SHA256 Certificate Thumbprint"
}
if ("$SHA256CertThumbprint" -notmatch "^[0-9A-Fa-f]{40}$")
{
Write-Error -Message "SHA256 Thumbprint Malformed" -RecommendedAction "Check the thumbprint and try again" -ErrorId "9" `
-Category InvalidArgument -CategoryActivity "Verifying Thumbprint Format" -CategoryReason "Thumbprint is not a 40 character Base64 string" `
-CategoryTargetName "$SHA256CertThumbprint" -CategoryTargetType "Base64String"
exit 9
}
$SHA256Found = Get-ChildItem -Path Cert:\CurrentUser\My | where {$_.Thumbprint -eq "$SHA256CertThumbprint"} | Measure-Object
if ($SHA256Found.Count -eq 0)
{
Write-Error -Message "SHA256 Certificate Not Found" -RecommendedAction "Check the thumbprint and try again" -ErrorId "10" `
-Category ObjectNotFound -CategoryActivity "Searching for certificate" -CategoryReason "Certificate with Thumbprint not found" `
-CategoryTargetName "$SHA256CertThumbprint" -CategoryTargetType "Base64String"
exit 10
}
# TimeStamping Server
if(!$PSBoundParameters.ContainsKey('TimeStampingServer'))
{
$TimeStampingServer = Read-Host "TimeStamping Server URL"
}
if ("$TimeStampingServer" -notmatch "^http(s)?:\/\/[A-Za-z0-9-._~:/?#[\]@!$&'()*+,;=]+$")
{
Write-Error -Message "SHA256 Thumbprint Malformed" -RecommendedAction "Check the TimeStamp URL and try again" -ErrorId "11" `
-Category InvalidArgument -CategoryActivity "Verifying TimeStamping URL" -CategoryReason "TimeStamping URL is not a RFC Compliant URL" `
-CategoryTargetName "$TimeStampingServer" -CategoryTargetType "URL"
exit 11
}
# Publisher Name
# Project Path
if(!$PSBoundParameters.ContainsKey('PublisherName'))
{
$PublisherName = Read-Host "Publisher Name"
}
# Sign setup.exe and application.exe with SHA256 Cert
Write-Verbose "Signing '$PublishPath\Setup.exe' (SHA256)"
Start-Process "$PSScriptRoot\signtool.exe" -ArgumentList "sign /fd SHA256 /td SHA256 /tr $TimeStampingServer /sha1 $SHA256CertThumbprint `"$PublishPath\Setup.exe`"" -Wait -NoNewWindow
Write-Verbose "Signing '$TargetPath$ProjectName.exe.deploy' (SHA256)"
Start-Process "$PSScriptRoot\signtool.exe" -ArgumentList "sign /fd SHA256 /td SHA256 /tr $TimeStampingServer /sha1 $SHA256CertThumbprint `"$TargetPath$ProjectName.exe.deploy`"" -Wait -NoNewWindow
# Remove .deploy extensions
Write-Verbose "Removing .deploy extensions"
Get-ChildItem "$TargetPath\*.deploy" -Recurse | Rename-Item -NewName { $_.Name -replace '\.deploy','' }
# Sign Manifest with SHA256 Cert
Write-Verbose "Signing '$TargetPath$ProjectName.exe.manifest' (SHA256)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$TargetPath$ProjectName.exe.manifest`" -ch $SHA256CertThumbprint -if `"Logo.ico`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
# Sign ClickOnces with SHA1 Cert
Write-Verbose "Signing '$TargetPath$ProjectName.application' (SHA1)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$TargetPath$ProjectName.application`" -ch $SHA1CertThumbprint -appManifest `"$TargetPath$ProjectName.exe.manifest`" -pub `"$PublisherName`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
Write-Verbose "Signing '$PublishPath$ProjectName.application' (SHA1)"
Start-Process "$PSScriptRoot\mage.exe" -ArgumentList "-update `"$PublishPath$ProjectName.application`" -ch $SHA1CertThumbprint -appManifest `"$TargetPath$ProjectName.exe.manifest`" -pub `"$PublisherName`" -ti `"$TimeStampingServer`"" -Wait -NoNewWindow
# Readd .deply extensions
Write-Verbose "Re-adding .deploy extensions"
Get-ChildItem -Path "$TargetPath\*" -Recurse | Where-Object {!$_.PSIsContainer -and $_.Name -notlike "*.manifest" -and $_.Name -notlike "*.application"} | Rename-Item -NewName {$_.Name + ".deploy"}
似乎自 Visual Studio 15.7.5(或者可能是以前的版本,我没有检查它们)以来,setup.exe 和应用程序二进制文件在使用 SHA2 EV 代码签名时都对 ClickOnce 有效签名证书(无需向您的证书提供商索取 SHA-1)。我正在使用 Windows 10 (10.0.16299.492),我们也在 Windows 8 上检查过它,两者都工作正常。我不知道这是更新版本 Visual Studio 还是 SmartScreen 的影响。一年前我未能发布已签名的 ClickOnce 应用程序,现在一切正常。
主要应用项目签名属性:
"Select from store" 对话:
已发布 ClickOnce setup.exe 属性
已发布的 ClickOnce 应用程序 *.exe.deploy 文件属性
安装提示,全是绿色,漂亮:
如果您正在寻找更适合 Azure DevOps CI/CD 管道的东西,我已经采用了 Joe Pitt 的工作并为我的管道重构了它。它在 github here
您可以向脚本传递一个 pmx 文件路径和密码,它将调整证书、安装它并对可执行文件、安装程序、清单和应用程序文件进行签名。
请帮我做得更好:)