Create a certificate for package signing

This article explains how to create and export a certificate for app package signing using PowerShell tools. It's recommended that you use Visual Studio for packaging UWP apps and packaging desktop apps, but you can still package an app manually if you did not use Visual Studio to develop your app.

Prerequisites

  • A packaged or unpackaged app
    An app containing an AppxManifest.xml file. You will need to reference the manifest file while creating the certificate that will be used to sign the final app package. For details on how to manually package an app, see Create an app package with the MakeAppx.exe tool.

  • Public Key Infrastructure (PKI) Cmdlets
    You need the PKI cmdlets to create and export your signing certificate. For more information, see Public Key Infrastructure Cmdlets.

Create a self-signed certificate

A self-signed certificate is useful for testing your app before you're ready to publish it to the Store. Follow the steps outlined in this section to create a self-signed certificate.

Note

When you create and use a self-signed certificate, only users who install and trust your certificate can run your application. This is easy to implement for testing, but it may prevent additional users from installing your application. When you are ready to publish your application, we recommend that you use a certificate issued by a trusted source. This system of centralized trust helps to ensure that the application ecosystem has levels of verification to protect users from malicious actors.

Determine the subject of your packaged app

To use a certificate to sign your app package, the "Subject" in the certificate must match the "Publisher" section in your app's manifest.

For example, the "Identity" section in your app's AppxManifest.xml file should look something like this:

  <Identity Name="Contoso.AssetTracker" 
    Version="1.0.0.0" 
    Publisher="CN=Contoso Software, O=Contoso Corporation, C=US"/>

The "Publisher", in this case, is "CN=Contoso Software, O=Contoso Corporation, C=US", which is the value you must use when creating your certificate.

Use New-SelfSignedCertificate to create a certificate

Use the New-SelfSignedCertificate PowerShell cmdlet to create a self-signed certificate. New-SelfSignedCertificate has several parameters for customization, but for the purpose of this article, we'll focus on creating a simple certificate that will work with SignTool. For more examples and uses of this cmdlet, see New-SelfSignedCertificate.

Based on the AppxManifest.xml file from the previous example, you should use the following syntax to create a certificate. In an elevated PowerShell prompt:

New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName "Your friendly name goes here" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

Note the following details about some of the parameters:

  • KeyUsage: This parameter defines what the certificate may be used for. For a self-signing certificate, this parameter should be set to DigitalSignature.

  • TextExtension: This parameter includes settings for the following extensions:

    • Extended Key Usage (EKU): This extension indicates additional purposes for which the certified public key may be used. For a self-signing certificate, this parameter should include the extension string "2.5.29.37={text}1.3.6.1.5.5.7.3.3", which indicates that the certificate is to be used for code signing.

    • Basic Constraints: This extension indicates whether or not the certificate is a Certificate Authority (CA). For a self-signing certificate, this parameter should include the extension string "2.5.29.19={text}", which indicates that the certificate is an end entity (not a CA).

After running this command, the certificate will be added to the local certificate store, as specified in the "-CertStoreLocation" parameter. The output of the command also includes the certificate's thumbprint.

You can view your certificate in a PowerShell window by using the following commands:

Set-Location Cert:\CurrentUser\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint

This will display all of the certificates in your local store.

Export a certificate

To export the certificate in the local store to a Personal Information Exchange (PFX) file, use the Export-PfxCertificate cmdlet.

When using Export-PfxCertificate, you must either create and use a password or use the "-ProtectTo" parameter to specify which users or groups can access the file without a password. Note that an error will be displayed if you don't use either the "-Password" or "-ProtectTo" parameter.

Password usage

$password = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText 
Export-PfxCertificate -cert "Cert:\CurrentUser\My\<Certificate Thumbprint>" -FilePath <FilePath>.pfx -Password $password

ProtectTo usage

Export-PfxCertificate -cert Cert:\CurrentUser\My\<Certificate Thumbprint> -FilePath <FilePath>.pfx -ProtectTo <Username or group name>

After you create and export your certificate, you're ready to sign your app package with SignTool. For the next step in the manual packaging process, see Sign an app package using SignTool.
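Putting the creation and export steps above together, as an added example that is not from the original article: the script reads the Publisher from AppxManifest.xml, creates the certificate with that Subject, checks that the Subject and the code-signing EKU are in place before the certificate is handed to SignTool, and exports it to a PFX. The manifest path, PFX path and friendly name are assumed values; run it in an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Assumes $ManifestPath points at a manifest
# like the Identity snippet shown above and that the PKI cmdlets are available.
param(
    [string]$ManifestPath = ".\AppxManifest.xml",        # assumed manifest location
    [string]$PfxPath      = ".\ContosoAssetTracker.pfx", # constructed output path
    [string]$FriendlyName = "Contoso AssetTracker test signing"
)

# Read the Publisher attribute; PowerShell's XML adapter ignores the manifest's namespace
[xml]$manifest = Get-Content -Path $ManifestPath -Raw
$publisher = $manifest.Package.Identity.Publisher
if (-not $publisher) { throw "No Identity/Publisher attribute found in $ManifestPath" }

# Same parameters as the article's command, with the Subject taken from the manifest
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName $FriendlyName `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# Compare the DER-encoded names rather than the strings, so whitespace or
# attribute-order differences do not produce a false mismatch
$expected = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName($publisher)
if ([Convert]::ToBase64String($cert.SubjectName.RawData) -ne [Convert]::ToBase64String($expected.RawData)) {
    throw "Certificate Subject '$($cert.Subject)' does not match manifest Publisher '$publisher'"
}

# Confirm the Code Signing EKU (1.3.6.1.5.5.7.3.3) is present; SignTool rejects the certificate otherwise
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" })) {
    throw "Certificate lacks the Code Signing EKU"
}

# Export to PFX; the password is read interactively so it never lands in the script or shell history
$password = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
Write-Host "Created $($cert.Thumbprint) for '$publisher' and exported to $PfxPath"
```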

Security considerations

By adding a certificate to local machine certificate stores, you affect the certificate trust of all users on the computer. It is recommended that you remove those certificates when they are no longer necessary, to prevent them from being used to compromise system trust.
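One way to act on that recommendation, as an added example that is not from the original article: list the self-signed code-signing certificates for the Publisher used earlier in the stores a test installation typically touches, and delete them together with their private keys when run with -Remove. The store list and the -Remove switch are assumptions; the LocalMachine stores require an elevated prompt.

```powershell
# Added example (not from the original article). Previews by default; deletes only with -Remove.
param(
    [string]$Subject = "CN=Contoso Software, O=Contoso Corporation, C=US",  # Publisher from the article
    [switch]$Remove
)

# The test certificate is created in the personal store, and a copy often ends up in
# TrustedPeople or Root when it is installed so that the signed package can be deployed
$stores = @("Cert:\CurrentUser\My", "Cert:\CurrentUser\TrustedPeople", "Cert:\CurrentUser\Root",
            "Cert:\LocalMachine\TrustedPeople", "Cert:\LocalMachine\Root")
$codeSigningOid = "1.3.6.1.5.5.7.3.3"

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | Where-Object {
        $_.Subject -eq $Subject -and
        $_.Issuer -eq $_.Subject -and      # self-signed: issuer equals subject
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $codeSigningOid })
    } | Select-Object @{ n = "Store"; e = { $store } }, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Host "No self-signed code-signing certificates for '$Subject' found."
    return
}
$found | Format-Table Store, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        # -DeleteKey also removes the associated private key so it cannot be reused for signing
        Remove-Item -Path $item.PSPath -DeleteKey
        Write-Host "Removed $($item.Thumbprint) from $($item.Store)"
    }
} else {
    Write-Host "Re-run with -Remove to delete the certificates listed above."
}
```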