Sign an app package using SignTool

SignTool is a command line tool used to digitally sign an app package or bundle with a certificate. The certificate can either be created by the user (for testing purposes) or issued by a company (for distribution). Signing an app package provides the user with verification that the app's data has not been modified after it was signed, while also confirming the identity of the user or company that signed it. SignTool can sign encrypted or unencrypted app packages and bundles.

Important

If you used Visual Studio to develop your app, it's recommended that you use the Visual Studio wizard to create and sign your app package. For more information, see Package a UWP app with Visual Studio and Package a desktop app from source code using Visual Studio.

For more information about code signing and certificates in general, see Introduction to Code Signing.

Prerequisites

  • A packaged app
    To learn more about manually creating an app package, see Create an app package with the MakeAppx.exe tool.

  • A valid signing certificate
    For more information about creating or importing a valid signing certificate, see Create or import a certificate for package signing.

  • SignTool.exe
    Based on your installation path of the SDK, this is where SignTool is on your Windows 10 PC:

    • x86: C:\Program Files (x86)\Windows Kits\10\bin\<sdk version>\x86\SignTool.exe
    • x64: C:\Program Files (x86)\Windows Kits\10\bin\<sdk version>\x64\SignTool.exe

Using SignTool

SignTool can be used to sign files, verify signatures or timestamps, remove signatures, and more. For the purpose of signing an app package, we will focus on the sign command. For full information on SignTool, see the SignTool reference page.

Determine the hash algorithm

When using SignTool to sign your app package or bundle, the hash algorithm used in SignTool must be the same algorithm you used to package your app. For example, if you used MakeAppx.exe to create your app package with the default settings, you must specify SHA256 when using SignTool, since that's the default algorithm used by MakeAppx.exe.

To find out which hash algorithm was used while packaging your app, extract the contents of the app package and inspect the AppxBlockMap.xml file. To learn how to unpack/extract an app package, see Extract files from a package or bundle. The hash method is in the BlockMap element and has this format:

<BlockMap xmlns="http://schemas.microsoft.com/appx/2010/blockmap"
HashMethod="http://www.w3.org/2001/04/xmlenc#sha256">

This table shows each HashMethod value and its corresponding hash algorithm:

HashMethod value                                 Hash Algorithm
http://www.w3.org/2001/04/xmlenc#sha256          SHA256
http://www.w3.org/2001/04/xmldsig-more#sha384    SHA384
http://www.w3.org/2001/04/xmlenc#sha512          SHA512

Note

Since SignTool's default algorithm is SHA1 (not available in MakeAppx.exe), you must always specify a hash algorithm when using SignTool.

Sign the app package

Once you have all of the prerequisites and you've determined which hash algorithm was used to package your app, you're ready to sign it.

The general command line syntax for SignTool package signing is:

SignTool sign [options] <filename(s)>

The certificate used to sign your app must be either a .pfx file or be installed in a certificate store.

To sign your app package with a certificate from a .pfx file, use the following syntax:

SignTool sign /fd <Hash Algorithm> /a /f <Path to Certificate>.pfx /p <Your Password> <File path>.appx
SignTool sign /fd <Hash Algorithm> /a /f <Path to Certificate>.pfx /p <Your Password> <File path>.msix

Note that the /a option allows SignTool to choose the best certificate automatically.

If your certificate is not a .pfx file, use the following syntax:

SignTool sign /fd <Hash Algorithm> /n <Name of Certificate> <File Path>.appx
SignTool sign /fd <Hash Algorithm> /n <Name of Certificate> <File Path>.msix

Alternatively, you can specify the SHA1 hash of the desired certificate instead of <Name of Certificate> using this syntax:

SignTool sign /fd <Hash Algorithm> /sha1 <SHA1 hash> <File Path>.appx
SignTool sign /fd <Hash Algorithm> /sha1 <SHA1 hash> <File Path>.msix

For more examples, see Using SignTool to Sign a File.

Note that some certificates do not use a password. If your certificate does not have a password, omit "/p <Your Password>" from the sample commands.
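The following PowerShell script is an added example, not code from this page or from Microsoft: it automates the two steps above by reading the HashMethod from the package's AppxBlockMap.xml to pick the /fd value, signing with a .pfx (adding /p only when a password is given), and then checking the result with SignTool's verify command. It assumes SignTool.exe is on PATH (otherwise pass the SDK path from the prerequisites as -SignTool), and the package path, .pfx path and password are the caller's inputs.

```powershell
param(
    [Parameter(Mandatory)] [string] $PackagePath,   # .appx or .msix to sign
    [Parameter(Mandatory)] [string] $PfxPath,       # signing certificate (.pfx)
    [string] $PfxPassword,                          # omit for a password-less .pfx
    [string] $SignTool = 'SignTool.exe'             # assumed on PATH; else give the full SDK bin path
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# HashMethod URI from AppxBlockMap.xml -> value SignTool expects for /fd.
$hashMethods = @{
    'http://www.w3.org/2001/04/xmlenc#sha256'       = 'SHA256'
    'http://www.w3.org/2001/04/xmldsig-more#sha384' = 'SHA384'
    'http://www.w3.org/2001/04/xmlenc#sha512'       = 'SHA512'
}

function Get-PackageHashAlgorithm {
    param([string] $Path)
    # An .appx/.msix is a ZIP container; read only the block map entry.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxBlockMap.xml')
        if (-not $entry) { throw "AppxBlockMap.xml not found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml] $blockMap = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }

    $method = $blockMap.BlockMap.HashMethod
    if (-not $hashMethods.ContainsKey($method)) {
        throw "Unrecognised HashMethod '$method'; refusing to guess an algorithm"
    }
    return $hashMethods[$method]
}

$fd = Get-PackageHashAlgorithm -Path $PackagePath
Write-Host "Block map uses $fd; passing /fd $fd to SignTool"

# /p is only added when a password was supplied (some certificates have none).
$signArgs = @('sign', '/fd', $fd, '/a', '/f', $PfxPath)
if ($PfxPassword) { $signArgs += @('/p', $PfxPassword) }
$signArgs += $PackagePath
& $SignTool @signArgs
if ($LASTEXITCODE -ne 0) { throw "SignTool sign failed with exit code $LASTEXITCODE" }

# Confirm the signature instead of assuming success.
& $SignTool verify /pa /v $PackagePath
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $PackagePath" }
```

The final verify step checks the certificate chain, so with a self-signed test certificate it only succeeds once that certificate is trusted on the machine.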

Once your app package is signed with a valid certificate, you're ready to upload your package to the Microsoft Store. For more guidance on uploading and submitting apps to the Microsoft Store, see App submissions.