Create a certificate for package signing

This article explains how to create and export a certificate for app package signing using PowerShell tools. It's recommended that you use Visual Studio for packaging UWP apps and packaging desktop apps, but you can still package an app manually if you did not use Visual Studio to develop your app.

Prerequisites

  • A packaged or unpackaged app
    An app containing an AppxManifest.xml file. You will need to reference the manifest file while creating the certificate that will be used to sign the final app package. For details on how to manually package an app, see Create an app package with the MakeAppx.exe tool.

  • Public Key Infrastructure (PKI) Cmdlets
    You need PKI cmdlets to create and export your signing certificate. For more information, see Public Key Infrastructure Cmdlets.

Create a self-signed certificate

A self-signed certificate is useful for testing your app before you're ready to publish it to the Store. Follow the steps outlined in this section to create a self-signed certificate.

Note

When you create and use a self-signed certificate, only users who install and trust your certificate can run your application. This is easy to implement for testing, but it may prevent additional users from installing your application. When you are ready to publish your application, we recommend that you use a certificate issued by a trusted source. This system of centralized trust helps to ensure that the application ecosystem has levels of verification to protect users from malicious actors.

Determine the subject of your packaged app

To use a certificate to sign your app package, the "Subject" in the certificate must match the "Publisher" section in your app's manifest.

For example, the "Identity" section in your app's AppxManifest.xml file should look something like this:

  <Identity Name="Contoso.AssetTracker" 
    Version="1.0.0.0" 
    Publisher="CN=Contoso Software, O=Contoso Corporation, C=US"/>

The "Publisher", in this case, is "CN=Contoso Software, O=Contoso Corporation, C=US", which is the value you need to use when creating your certificate.

Use New-SelfSignedCertificate to create a certificate

Use the New-SelfSignedCertificate PowerShell cmdlet to create a self-signed certificate. New-SelfSignedCertificate has several parameters for customization, but for the purpose of this article, we'll focus on creating a simple certificate that will work with SignTool. For more examples and uses of this cmdlet, see New-SelfSignedCertificate.

Based on the AppxManifest.xml file from the previous example, you should use the following syntax to create a certificate. In an elevated PowerShell prompt:

New-SelfSignedCertificate -Type Custom -Subject "CN=Contoso Software, O=Contoso Corporation, C=US" -KeyUsage DigitalSignature -FriendlyName "Your friendly name goes here" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

Note the following details about some of the parameters:

  • KeyUsage: This parameter defines what the certificate may be used for. For a self-signing certificate, this parameter should be set to DigitalSignature.

  • TextExtension: This parameter includes settings for the following extensions:

    • Extended Key Usage (EKU): This extension indicates additional purposes for which the certified public key may be used. For a self-signing certificate, this parameter should include the extension string "2.5.29.37={text}1.3.6.1.5.5.7.3.3", which indicates that the certificate is to be used for code signing.

    • Basic Constraints: This extension indicates whether or not the certificate is a Certificate Authority (CA). For a self-signing certificate, this parameter should include the extension string "2.5.29.19={text}", which indicates that the certificate is an end entity (not a CA).

After running this command, the certificate will be added to the local certificate store, as specified in the "-CertStoreLocation" parameter. The output of the command also includes the certificate's thumbprint.

You can view your certificate in a PowerShell window by using the following commands:

Set-Location Cert:\CurrentUser\My
Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint

This will display all of the certificates in your local store.
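The steps in this section, carried through as one script: read the Publisher from AppxManifest.xml, create the certificate with that Subject, and then confirm the result has the properties the article says SignTool needs. This is an added example and not code from the article; the manifest path and friendly name are assumptions, and the checks on the Key Usage, EKU and Basic Constraints extensions go beyond the article's single command by verifying what was actually issued rather than trusting the parameters.

```powershell
# Added example, not from the original article. Assumed: the manifest path and the
# friendly name. The cmdlet parameters and extension OIDs are the ones shown above.
using namespace System.Security.Cryptography.X509Certificates

$manifestPath = "C:\build\AssetTracker\AppxManifest.xml"   # assumption

# 1. Read the Publisher attribute from the manifest's <Identity> element.
[xml]$manifest = Get-Content -Path $manifestPath -Raw
$publisher = $manifest.Package.Identity.Publisher
if ([string]::IsNullOrWhiteSpace($publisher)) {
    throw "No Identity/Publisher attribute found in $manifestPath"
}

# 2. Create the self-signed certificate with the Subject taken from the manifest.
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature -FriendlyName "AssetTracker test signing" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")

# 3. Compare Subject and Publisher by RDN component (CN=, O=, C=). This catches a
#    missing or misspelled component; values containing commas would need escaping.
function Get-DnComponents([string] $dn) {
    $dn -split ',' | ForEach-Object { $_.Trim() } | Sort-Object
}
if (Compare-Object (Get-DnComponents $cert.Subject) (Get-DnComponents $publisher)) {
    throw "Subject '$($cert.Subject)' does not match manifest Publisher '$publisher'"
}

# 4. Key Usage must include DigitalSignature.
$ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
if ($null -eq $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
    throw "Certificate lacks the DigitalSignature key usage"
}

# 5. Extended Key Usage must include Code Signing (1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw "Certificate lacks the Code Signing EKU (1.3.6.1.5.5.7.3.3)"
}

# 6. Basic Constraints must be present and must not mark the certificate as a CA.
$bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
if ($null -eq $bc -or $bc.CertificateAuthority) {
    throw "Certificate is missing Basic Constraints or is marked as a CA"
}

Write-Host "Created test signing certificate $($cert.Thumbprint) for '$($cert.Subject)'"
```

Run it from an elevated PowerShell prompt, as the article specifies for New-SelfSignedCertificate. If any check throws, the certificate is still in Cert:\CurrentUser\My and should be removed before trying again, so that the store does not fill with unusable test certificates.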

Export a certificate

To export the certificate in the local store to a Personal Information Exchange (PFX) file, use the Export-PfxCertificate cmdlet.

When using Export-PfxCertificate, you must either create and use a password or use the "-ProtectTo" parameter to specify which users or groups can access the file without a password. Note that an error will be displayed if you don't use either the "-Password" or "-ProtectTo" parameter.

Password usage

$password = ConvertTo-SecureString -String <Your Password> -Force -AsPlainText 
Export-PfxCertificate -cert "Cert:\CurrentUser\My\<Certificate Thumbprint>" -FilePath <FilePath>.pfx -Password $password

ProtectTo usage

Export-PfxCertificate -cert Cert:\CurrentUser\My\<Certificate Thumbprint> -FilePath <FilePath>.pfx -ProtectTo <Username or group name>

After you create and export your certificate, you're ready to sign your app package with SignTool. For the next step in the manual packaging process, see Sign an app package using SignTool.
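The password path above as a complete script, added here as an example that is not part of the article: the password is prompted for rather than typed on the command line (so it does not land in scripts or shell history), the certificate is exported by thumbprint, and the PFX is then read back with Get-PfxData to confirm it contains the expected certificate and private key. The thumbprint placeholder and the output path are assumptions.

```powershell
# Added example, not from the original article. Assumed: the thumbprint (paste the
# value printed by New-SelfSignedCertificate) and the output path.
$thumbprint = "<Certificate Thumbprint>"          # placeholder, as in the article
$pfxPath    = "C:\build\AssetTracker_test.pfx"    # assumption

# Prompt for the password as a SecureString instead of embedding it in the script.
$password = Read-Host -Prompt "PFX password" -AsSecureString

# Only a certificate with a private key is useful for signing.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; nothing to export"
}

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Verify the round trip: the PFX must open with the password and hold this certificate.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
$exported = $pfx.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $exported) {
    throw "PFX at $pfxPath does not contain certificate $thumbprint"
}
if (-not $exported.HasPrivateKey) {
    throw "PFX at $pfxPath does not carry the private key"
}
Write-Host "Exported '$($exported.Subject)' to $pfxPath"
```

The PFX now holds the private key that vouches for your package, so treat the file like any other secret: keep it out of source control and give it the narrowest file permissions the build process needs.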

Security considerations

By adding a certificate to local machine certificate stores, you affect the certificate trust of all users on the computer. It is recommended that you remove those certificates when they are no longer necessary, to prevent them from being used to compromise system trust.
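A cleanup script for the recommendation above, added as an example that is not from the article: it looks for the test certificate by thumbprint in the current user's personal store and in the machine-wide stores where a self-signed test certificate is commonly installed to make a sideloaded package trusted, and removes it together with its private key. The thumbprint placeholder and the list of stores are assumptions; removing from Cert:\LocalMachine requires an elevated prompt.

```powershell
# Added example, not from the original article. Assumed: the thumbprint placeholder
# and the set of stores to check (personal store plus machine-wide trust stores).
$thumbprint = "<Certificate Thumbprint>"   # placeholder, as in the article

$stores = @(
    "Cert:\CurrentUser\My",              # where New-SelfSignedCertificate put it
    "Cert:\LocalMachine\TrustedPeople",  # machine-wide: affects every user on the computer
    "Cert:\LocalMachine\Root"            # machine-wide: affects every user on the computer
)

foreach ($store in $stores) {
    $path = "$store\$thumbprint"
    if (-not (Test-Path -Path $path)) {
        continue
    }
    $cert = Get-Item -Path $path
    Write-Host "Removing '$($cert.Subject)' from $store"
    # -DeleteKey is a Cert: provider parameter that also deletes the private key,
    # so no signing key is left behind once the certificate is gone.
    Remove-Item -Path $path -DeleteKey
}

# Confirm nothing remains in any of the stores that were checked.
$leftover = $stores | Where-Object { Test-Path -Path "$_\$thumbprint" }
if ($leftover) {
    throw "Certificate $thumbprint still present in: $($leftover -join ', ')"
}
Write-Host "Certificate $thumbprint removed from all checked stores"
```

Run the audit part of this (the Test-Path loop) periodically on build machines: a self-signed signing certificate that lingers in Cert:\LocalMachine\Root makes anything signed with its key trusted by every account on that computer.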