Sign an MSIX package with Device Guard signing

Important

We are introducing a new version of the Device Guard Signing Service (DGSS) that is more automation friendly. The new version of the service (DGSS v2) will be available starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please plan to migrate to the new version of the service between September and December 2020.

The major changes we are making to the service are:

  • 取用服務的方法將會變更為以 PowerShell Cmdlet 為基礎的更容易使用的方法。The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. 這些 Cmdlet 會以 NuGet 下載的形式提供。These cmdlets will be available as a NuGet download.
  • 為了達成所需的隔離,您將需要從 DGSS v2 (取得新的 CI 原則,並選擇性地將它簽) 。In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
  • DGSS v2 不支援下載用來簽署檔案的分葉憑證 (不過,根憑證仍可供下載) 。DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). 請注意,用來簽署檔案的憑證可以從已簽署的檔案本身輕鬆地解壓縮。Note that the certificate used to sign a file can be easily extracted from the signed file itself. 因此,在2020年12月底淘汰 DGSS v1 之後,您將無法再下載用來簽署檔案的分葉憑證。As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.

The following functionality will be available via these PowerShell cmdlets:

  • Get a CI policy
  • Sign a CI policy
  • Sign a catalog
  • Download the root certificate
  • Download the history of your signing operations

We will share detailed instructions and the NuGet location before mid-October 2020. For any questions about migration, contact us at DGSSMigration@microsoft.com.

Device Guard signing is a Device Guard feature that is available in the Microsoft Store for Business and Education. It enables enterprises to guarantee that every app comes from a trusted source. Starting in Windows 10 Insider Preview Build 18945, you can use SignTool in the Windows SDK to sign your MSIX apps with Device Guard signing. This lets you incorporate Device Guard signing into your MSIX package build and signing workflow.

Device Guard signing requires permissions in the Microsoft Store for Business and uses Azure Active Directory (Azure AD) authentication. To sign an MSIX package with Device Guard signing, follow these steps.

  1. If you haven't done so already, sign up for Microsoft Store for Business or Microsoft Store for Education.

    Note

    You only need to use this portal to configure permissions for Device Guard signing.

  2. In the Microsoft Store for Business (or Microsoft Store for Education), assign yourself a role with the permissions necessary to perform Device Guard signing.
  3. Register your app in the Azure portal with the proper settings so that you can use Azure AD authentication with the Microsoft Store for Business.
  4. Get an Azure AD access token in JSON format.
  5. Run SignTool to sign your MSIX package with Device Guard signing, passing the Azure AD access token you obtained in the previous step.

The following sections describe these steps in more detail.

Configure permissions for Device Guard signing

To use Device Guard signing in the Microsoft Store for Business or Microsoft Store for Education, you need the Device Guard signer role. This is the least-privileged role that is able to sign. Other roles, such as Global Administrator and Billing account owner, can also sign.

Note

The Device Guard signer role is used when you sign as an app. Global Administrator and Billing account owner are used when you sign as a logged-in person.

To confirm or reassign roles:

  1. Sign in to the Microsoft Store for Business.
  2. Select Manage, and then select Permissions.
  3. View Roles.

For more information, see Roles and permissions in the Microsoft Store for Business and Education.

Register your app in the Azure portal

To register your app with the proper settings so that you can use Azure AD authentication with the Microsoft Store for Business:

  1. Sign in to the Azure portal and follow the instructions in Quickstart: Register an application with the Microsoft identity platform to register the app that will use Device Guard signing.

    Note

    Under the Redirect URI section, we recommend that you choose Public client (mobile & desktop). If you instead choose Web as the app type, you will need to provide a client secret when you obtain an Azure AD access token later in this process.

  2. After you register your app, on the main page for your app in the Azure portal, click API permissions, then under APIs my organization uses add a permission for the Windows Store for Business API.

  3. Next, select Delegated permissions, and then select user_impersonation.

Get an Azure AD access token

Next, obtain an Azure AD access token for your Azure AD app in JSON format. You can do this using a variety of programming and scripting languages. For more information about this process, see Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow. We recommend that you retrieve a refresh token along with the access token, because the access token expires after one hour.

Note

If you registered your app as a Web app in the Azure portal, you must provide a client secret when you request your token. For more information, see the previous section.

The following PowerShell example demonstrates how to request an access token using the OAuth 2.0 resource owner password credentials ("password") grant. This grant sends the user's password directly to the token endpoint and does not work for accounts that require multi-factor authentication or are blocked by Conditional Access; for those accounts, use the code grant flow linked above instead.

function GetToken()
{
    # Prompt for the Azure AD user account that holds the Device Guard signer role.
    $Credentials = Get-Credential -Message "Azure AD account with Device Guard signing permissions"
    $user = $Credentials.UserName
    $password = $Credentials.GetNetworkCredential().Password

    # SignTool reads this file via /dmdf; it will contain a bearer token, so protect it.
    $tokenCache = "outfile.json"

    # Replace <application-id> with the Application (client) ID of your Azure AD app registration.
    # 'client_secret' is only needed if you registered the app as a Web app; remove the line
    # for a public client (mobile & desktop) registration.
    $Body = @{
      'grant_type' = 'password'
      'client_id'= '<application-id>'
      'client_secret' = '<client_secret>'
      'resource' = 'https://onestore.microsoft.com'
      'username' = $user
      'password' = $password
    }

    # The raw response body is the JSON document that SignTool expects (access_token, refresh_token, expires_on, ...).
    $webpage = Invoke-WebRequest 'https://login.microsoftonline.com/common/oauth2/token' -Method 'POST' -Body $Body -UseBasicParsing
    $webpage.Content | Out-File $tokenCache -Encoding ascii
}

Note

We recommend that you save the JSON file for later use. It contains a bearer access token (and, if one was returned, a refresh token) for the signing service, so store it with the same care as any other credential and keep it out of source control.
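Because the access token expires after one hour and a malformed token file is the usual cause of the JSON-format error listed under Common errors below, it is worth checking the file before every signing run and refreshing it with the refresh token rather than re-entering credentials. The following is an added example, not code from the original page; it assumes the file was written by the GetToken function above (so it is the raw JSON returned by the v1 token endpoint with the access_token, expires_on and refresh_token fields) and that the function names Test-DgssTokenFile and Update-DgssTokenFile are this example's own.

```powershell
# Added example: validate and refresh the token file SignTool reads via /dmdf.
# Assumes the file is the raw JSON response saved by GetToken above.
$TokenEndpoint = 'https://login.microsoftonline.com/common/oauth2/token'
$Resource      = 'https://onestore.microsoft.com'

function Test-DgssTokenFile {
    param([Parameter(Mandatory)][string]$Path)

    # A truncated or hand-edited file is not valid JSON; catch that here instead of in SignTool.
    try {
        $token = Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
    } catch {
        throw "Token file '$Path' is not valid JSON: $($_.Exception.Message)"
    }
    foreach ($field in 'access_token', 'expires_on') {
        if (-not $token.PSObject.Properties[$field]) {
            throw "Token file '$Path' has no '$field' field; it does not look like a token endpoint response"
        }
    }
    # expires_on is Unix time in seconds. Treat anything within five minutes of expiry as expired
    # so that a long signing run does not hit the one-hour limit part way through.
    $expires   = [DateTimeOffset]::FromUnixTimeSeconds([long]$token.expires_on)
    $remaining = $expires - [DateTimeOffset]::UtcNow
    [pscustomobject]@{
        Path       = $Path
        ExpiresOn  = $expires
        Valid      = ($remaining.TotalMinutes -gt 5)
        CanRefresh = [bool]$token.PSObject.Properties['refresh_token']
    }
}

function Update-DgssTokenFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ClientId,   # Application (client) ID of your app registration
        [string]$ClientSecret                      # only for apps registered as 'Web'; omit for a public client
    )
    $token = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if (-not $token.refresh_token) { throw "No refresh_token in '$Path'; run GetToken again" }

    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        refresh_token = $token.refresh_token
        resource      = $Resource
    }
    if ($ClientSecret) { $body['client_secret'] = $ClientSecret }

    # Save the raw response body, exactly as GetToken does, so the file keeps the shape SignTool expects.
    $response = Invoke-WebRequest -Uri $TokenEndpoint -Method Post -Body $body -UseBasicParsing
    Set-Content -Path $Path -Value $response.Content -Encoding ascii

    # The file is a bearer credential for the signing service: drop inherited ACEs and
    # leave only the current user with access.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl

    Test-DgssTokenFile -Path $Path
}

# Usage: check first, refresh only when needed, then pass the file to SignTool with /dmdf.
$state = Test-DgssTokenFile -Path 'outfile.json'
if (-not $state.Valid) {
    if (-not $state.CanRefresh) { throw 'Token has expired and cannot be refreshed; run GetToken again' }
    $state = Update-DgssTokenFile -Path 'outfile.json' -ClientId '<application-id>'
}
$state
```

Refreshing through the refresh_token grant keeps the user's password out of any automation; only the first GetToken call needs an interactive prompt, and the tightened ACL on the file limits who on the build machine can reuse the token.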

Sign your package

After you have your Azure AD access token, you are ready to use SignTool to sign your package with Device Guard signing. For more information about using SignTool to sign packages, see Sign an app package using SignTool.

The following command-line example demonstrates how to sign a package with Device Guard signing.

signtool sign /fd sha256 /dlib DgssLib.dll /dmdf <path to the Azure AD token .json file> /t <timestamp-service-url> <your .msix package>

Note

  • We recommend that you use one of the timestamp options when you sign your package. If you do not apply a timestamp, the signature will expire after one year and the app will need to be re-signed.
  • Make sure that the publisher name in your package's manifest matches the certificate you are using to sign the package. With this feature, that is your leaf certificate. For example, if the leaf certificate's subject is CN=CompanyName, then the Publisher in the manifest must also be CN=CompanyName. Otherwise, the signing operation will fail.
  • Only the SHA256 digest algorithm is supported.
  • When you sign your package with Device Guard signing, the package itself is not sent over the Internet.

Test

To test Device Guard signing, download your organization's root certificate from the Microsoft Store for Business portal.

  1. Sign in to the Microsoft Store for Business.
  2. Select Manage, and then select Settings.
  3. View Devices.
  4. View Download your organization's root certificate for use with Device Guard.
  5. Click Download.

Install the root certificate into the Trusted Root Certification Authorities store on your device. Then install your newly signed app to verify that you have successfully signed it with Device Guard signing.
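Installing the app only proves that Windows found some trusted chain; a tighter test is to confirm that the package chains to the root certificate you just downloaded and not merely to any trusted root. The following is an added example, not code from the original page, run from an elevated PowerShell prompt on a test device. It assumes $RootCerPath is the .cer file downloaded in the steps above, that the package was signed as in the previous section, and that the function names are this example's own.

```powershell
# Added example: install the organisation's Device Guard root on a test device, confirm the
# signed package chains to exactly that root, then install the package.
# Assumes an elevated prompt; paths are placeholders.
function Install-DgssRoot {
    param([Parameter(Mandatory)][string]$RootCerPath)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)
    $already = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $already) {
        # LocalMachine\Root is a high-impact store: every leaf the service issues under this
        # root becomes trusted on this device. Only do this on devices you manage.
        Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    return $root.Thumbprint
}

function Test-DgssSignedPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$RootThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$PackagePath' is $($sig.Status): $($sig.StatusMessage)"
    }

    # Build the chain explicitly and check that its last element is the downloaded root.
    # Revocation is not what this test is about, so skip it and keep the check offline-friendly.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($sig.SignerCertificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain build failed for the signer certificate: $reasons"
    }
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($chainRoot.Thumbprint -ne $RootThumbprint) {
        throw "Package chains to '$($chainRoot.Subject)' rather than the downloaded Device Guard root"
    }
    $timestamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(no timestamp)' }
    [pscustomobject]@{
        Package     = $PackagePath
        Signer      = $sig.SignerCertificate.Subject
        Root        = $chainRoot.Subject
        Timestamper = $timestamper
    }
}

# Usage (paths are placeholders):
$rootThumbprint = Install-DgssRoot -RootCerPath 'C:\dgss\OrgDeviceGuardRoot.cer'
Test-DgssSignedPackage -PackagePath 'C:\build\MyApp.msix' -RootThumbprint $rootThumbprint
Add-AppxPackage -Path 'C:\build\MyApp.msix'
```

If Test-DgssSignedPackage reports NotTrusted after the import, the root went into a different store than the one Windows consulted (for example CurrentUser instead of LocalMachine); if it reports a different root subject, the package was signed by something other than your tenant's Device Guard certificate and should not be deployed.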

Common errors

Here are common errors you might encounter.

  • 0x8007000D (ERROR_INVALID_DATA): this common error means that the format of the Azure AD JSON file passed with /dmdf is invalid.
  • You may need to accept the terms and conditions of the Microsoft Store for Business before you can download the Device Guard signing root certificate. You can do this by acquiring a free app in the portal.