Sign an MSIX package with Device Guard signing

Important

We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.

Following are the major changes we are making to the service:

  • The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
  • In order to achieve the desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
  • DGSS v2 will not support downloading the leaf certificates used to sign your files (the root certificate will still be available to download). Note that the certificate used to sign a file can easily be extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.

The following functionality will be available via these PowerShell cmdlets:

  • Get a CI policy
  • Sign a CI policy
  • Sign a catalog
  • Download the root certificate
  • Download the history of your signing operations

We will share detailed instructions and the NuGet location before mid-October 2020. For any questions about migration, please contact us at DGSSMigration@microsoft.com.

Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It enables enterprises to guarantee that every app comes from a trusted source. Starting in Windows 10 Insider Preview Build 18945, you can use SignTool in the Windows SDK to sign your MSIX apps with Device Guard signing. This lets you incorporate Device Guard signing directly into your MSIX package build-and-sign workflow.

Device Guard signing requires permissions in the Microsoft Store for Business and uses Azure Active Directory (AD) authentication. To sign an MSIX package with Device Guard signing, follow these steps.

  1. If you haven't done so already, sign up for Microsoft Store for Business or Microsoft Store for Education.

    Note

    You only need to use this portal to configure permissions for Device Guard signing.

  2. In the Microsoft Store for Business (or Microsoft Store for Education), assign yourself a role with the permissions necessary to perform Device Guard signing.
  3. Register your app in the Azure portal with the proper settings so that you can use Azure AD authentication with the Microsoft Store for Business.
  4. Get an Azure AD access token in JSON format.
  5. Run SignTool to sign your MSIX package with Device Guard signing, passing the Azure AD access token you obtained in the previous step.

The following sections describe these steps in more detail.

Configure permissions for Device Guard signing

To use Device Guard signing in the Microsoft Store for Business or Microsoft Store for Education, you need the Device Guard signer role. This is the least-privilege role that has the ability to sign. Other roles, such as Global Administrator and Billing account owner, can also sign.

Note

The Device Guard signer role is used when you sign as an app. Global Administrator and Billing account owner are used when you sign as a logged-in user.

To confirm or reassign roles:

  1. Sign in to the Microsoft Store for Business.
  2. Select Manage, and then select Permissions.
  3. View Roles.

For more information, see Roles and permissions in the Microsoft Store for Business and Education.

Register your app in the Azure portal

To register your app with the proper settings so that you can use Azure AD authentication with the Microsoft Store for Business:

  1. Sign in to the Azure portal and follow the instructions in Quickstart: Register an application with the Microsoft identity platform to register the app that will use Device Guard signing.

    Note

    Under Redirect URI, we recommend that you choose Public client (mobile & desktop). If you choose Web as the app type instead, you will need to provide a client secret when you obtain an Azure AD access token later in this process.

  2. After you register your app, on the app's main page in the Azure portal, click API permissions, select APIs my organization uses, and add a permission for the Windows Store for Business API.

  3. Next, select Delegated permissions, and then select user_impersonation.

Get an Azure AD access token

Next, obtain an Azure AD access token for your Azure AD app in JSON format. You can do this using a variety of programming and scripting languages. For more information about this process, see Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow. We recommend that you retrieve a refresh token along with the access token, because the access token expires after one hour.

Note

If you registered your app as a Web app in the Azure portal, you must provide a client secret when you request the token. For more information, see the previous section.

The following PowerShell example shows how to request an access token using the password (resource owner password credentials) grant and save the JSON response to a file, which is what SignTool consumes later.

function GetToken()
{
    # Prompt for the Azure AD account that holds a role allowed to sign (see "Configure permissions").
    $Credentials = Get-Credential -Message "Azure AD account for Device Guard signing"
    $user = $Credentials.UserName
    $password = $Credentials.GetNetworkCredential().Password

    # SignTool reads this JSON file later via /dmdf.
    $tokenCache = "outfile.json"

    # Replace <application-id> with the Application (client) ID of your Azure AD app registration.
    # client_secret is only needed for an app registered as Web; remove that entry for a public client.
    # grant_type=password (ROPC) sends the user's password to the token endpoint and does not work
    # for accounts that require MFA.
    $Body = @{
      'grant_type'    = 'password'
      'client_id'     = '<application-id>'
      'client_secret' = '<client_secret>'
      'resource'      = 'https://onestore.microsoft.com'
      'username'      = $user
      'password'      = $password
    }

    # Invoke-WebRequest throws on a non-success HTTP status, so a failed request never writes the cache.
    $webpage = Invoke-WebRequest 'https://login.microsoftonline.com/common/oauth2/token' -Method 'POST' -Body $Body -UseBasicParsing
    $webpage.Content | Out-File $tokenCache -Encoding ascii
}

备注

We recommend that you save the JSON file for later use.
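The following is an added example, not code from the original page, that builds on GetToken above. It validates outfile.json before the file is handed to SignTool (a malformed file is what the 0x800700d error under Common errors refers to) and uses the saved refresh token to renew an access token that is about to expire, so the password does not have to be re-entered every hour. It assumes the same <application-id> placeholder, that the token came from the v1 endpoint used above (which returns expires_on as Unix seconds), and that a Web-app registration also adds client_secret to the refresh request.

```powershell
# Added example (not from the original page). Assumes outfile.json was written by GetToken.
$TokenCache = "outfile.json"
$ClientId   = "<application-id>"            # placeholder, as in GetToken
$Resource   = "https://onestore.microsoft.com"
$TokenUrl   = "https://login.microsoftonline.com/common/oauth2/token"

function Get-CachedToken {
    # Parse the cached JSON and make sure it is something SignTool can use.
    param([string]$Path = $TokenCache)
    if (-not (Test-Path $Path)) { throw "Token cache '$Path' not found; run GetToken first." }
    try {
        $token = Get-Content -Raw -Path $Path | ConvertFrom-Json
    } catch {
        # This is the condition SignTool reports as 0x800700d.
        throw "Token cache '$Path' is not valid JSON: $($_.Exception.Message)"
    }
    if (-not $token.access_token) {
        throw "Token cache has no access_token (check the file for an 'error' field from the token endpoint)."
    }
    return $token
}

function Test-TokenExpired {
    # expires_on is Unix seconds (as a string) on the v1 endpoint; treat the last 5 minutes as expired.
    param($Token, [int]$SkewSeconds = 300)
    $expiresOn = [DateTimeOffset]::FromUnixTimeSeconds([int64]$Token.expires_on)
    return ($expiresOn - [DateTimeOffset]::UtcNow).TotalSeconds -lt $SkewSeconds
}

function Update-CachedToken {
    # Return the cached token, refreshing it first if it is expired or about to expire.
    param([string]$Path = $TokenCache)
    $token = Get-CachedToken -Path $Path
    if (-not (Test-TokenExpired $token)) { return $token }
    if (-not $token.refresh_token) {
        throw "Access token expired and no refresh_token was saved; run GetToken again."
    }
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        refresh_token = $token.refresh_token
        resource      = $Resource
        # A Web-app registration must also send client_secret here.
    }
    $response = Invoke-WebRequest -Uri $TokenUrl -Method Post -Body $body -UseBasicParsing
    # Overwrite the cache with the full response so SignTool sees the new access_token.
    $response.Content | Out-File -FilePath $Path -Encoding ascii
    return ($response.Content | ConvertFrom-Json)
}

$fresh = Update-CachedToken
"Access token valid until $([DateTimeOffset]::FromUnixTimeSeconds([int64]$fresh.expires_on))"
```

Run Update-CachedToken immediately before each signtool invocation; the refresh token itself is a long-lived credential, so protect outfile.json the same way you would a private key.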

Sign your package

After you have your Azure AD access token, you are ready to use SignTool to sign your package with Device Guard signing. For more information about using SignTool to sign packages, see Sign an app package using SignTool.

The following command-line example shows how to sign a package with Device Guard signing.

signtool sign /fd sha256 /dlib DgssLib.dll /dmdf <Azure AAD in .json format> /t <timestamp-service-url> <your .msix package>

Note

  • We recommend that you use one of the timestamp options when you sign your package. If you do not apply a timestamp, the signature expires after one year and the app will need to be re-signed.
  • Make sure that the publisher name in your package's manifest matches the certificate you are using to sign the package. With this feature, that is your leaf certificate. For example, if the leaf certificate's subject is CompanyName, the publisher name in the manifest must be CN=CompanyName. Otherwise, the signing operation will fail.
  • Only the SHA256 algorithm is supported.
  • When you sign your package with Device Guard signing, your package is not sent over the Internet. SignTool computes the digest locally and hands it to the /dlib signer (DgssLib.dll), so only the digest leaves the machine.
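The following is an added example, not from the original page, that wraps the signtool command above with the checks this note calls for: the manifest Publisher is compared with the expected leaf-certificate subject before signing, and the applied signature is inspected afterwards for the signer subject and a timestamp countersignature. It assumes signtool.exe and DgssLib.dll are on PATH or in the current directory, that outfile.json was written by GetToken, and that the package path, timestamp URL and expected publisher string are placeholders you replace.

```powershell
# Added example (not from the original page). Placeholders below are assumptions.
$Package           = "C:\build\MyApp.msix"
$TokenFile         = "outfile.json"               # JSON written by GetToken
$TimestampUrl      = "<timestamp-service-url>"
$ExpectedPublisher = "CN=CompanyName"             # subject of the leaf certificate DGSS signs with

function Get-MsixPublisher {
    # Read Package/Identity/@Publisher from AppxManifest.xml without extracting the package.
    param([string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry("AppxManifest.xml")
        if (-not $entry) { throw "AppxManifest.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    } finally {
        $zip.Dispose()
    }
}

# 1. Fail fast on a publisher mismatch instead of waiting for the signing service to reject it.
$publisher = Get-MsixPublisher -Path $Package
if ($publisher -ne $ExpectedPublisher) {
    throw "Manifest Publisher '$publisher' does not match the signing certificate subject '$ExpectedPublisher'"
}

# 2. Sign. /fd sha256 is the only supported digest; /t adds the timestamp so the signature outlives the cert.
& signtool sign /fd sha256 /dlib DgssLib.dll /dmdf $TokenFile /t $TimestampUrl $Package
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 3. Confirm what was actually applied.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -eq 'NotSigned') { throw "Package carries no signature although signtool reported success" }
if ($sig.SignerCertificate.Subject -ne $publisher) {
    Write-Warning "Signer subject '$($sig.SignerCertificate.Subject)' differs from manifest Publisher '$publisher'"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp countersignature; the signature becomes invalid when the certificate expires"
}
# Status is typically not 'Valid' until the organization's root certificate is installed (see Test).
"Signed by $($sig.SignerCertificate.Subject); status $($sig.Status)"
```

The subject comparison is a plain string match, which is what the manifest requires; if your leaf certificate subject has several RDNs, copy the exact string from the certificate rather than retyping it.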

Test

To test Device Guard signing, download your organization's root certificate from the Microsoft Store for Business portal.

  1. Sign in to the Microsoft Store for Business.
  2. Select Manage, and then select Settings.
  3. View Devices.
  4. View Download your organization's root certificate for use with Device Guard.
  5. Click Download.

Install the root certificate into the Trusted Root Certification Authorities store on your device. Then install your newly signed app to verify that you signed it successfully with Device Guard signing.
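The test procedure above, scripted as an added example that is not from the original page: it imports the downloaded root certificate into the machine's Trusted Root Certification Authorities store, confirms that the package signature now validates and that its chain terminates at exactly that root (not at some other trusted CA), and then installs the package. The certificate and package paths are assumptions, and the LocalMachine store requires an elevated PowerShell session.

```powershell
# Added example (not from the original page). Run elevated; paths are assumptions.
$RootCertFile = "C:\certs\DeviceGuardRoot.cer"   # file downloaded from Manage > Settings > Devices
$Package      = "C:\build\MyApp.msix"

# Install into Trusted Root Certification Authorities for the machine.
$root = Import-Certificate -FilePath $RootCertFile -CertStoreLocation Cert:\LocalMachine\Root
"Trusted root installed: $($root.Subject) [$($root.Thumbprint)]"

# With the root trusted, the signature should validate end to end.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# Build the chain ourselves and check it ends at the root we just installed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($sig.SignerCertificate)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain build failed: $reasons"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Chain ends at '$($chainRoot.Subject)', not at the organization root downloaded from the Store"
}

# Install the package and confirm the registered Publisher is the signer's subject.
Add-AppxPackage -Path $Package
Get-AppxPackage | Where-Object { $_.Publisher -eq $sig.SignerCertificate.Subject } |
    Select-Object Name, Version, Publisher
```

If Import-Certificate succeeds but Get-AuthenticodeSignature still reports UnknownError, the package was most likely signed under a different organization's leaf certificate; compare the thumbprint printed above with the root of the chain reported in the error.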

Common errors

Here are common errors you might encounter.

  • 0x800700d: This common error means that the format of the Azure AD JSON file is invalid.
  • You may need to accept the terms and conditions of the Microsoft Store for Business before you can download the root certificate for Device Guard signing. You can do this by acquiring a free app in the portal.
  • 在下载 Device Guard 签名的根证书之前,你可能需要接受 Microsoft Store for Business 的条款和条件。You may need to accept the terms and conditions of Microsoft Store for Business before downloading the root certificate of Device Guard Signing. 可以通过在门户中获取免费应用来完成此操作。This can be done by acquiring a free app in the portal.