Can I sign a self-extracting exe with a certificate without the Code signing EKU?

…衆ロ難τιáo~ submitted on 2019-12-13 07:28:04

Question


I've a self-extracting .exe created with 7zip (7z.sfx). I've signed it with signtool. The signing certificate is in my Local Machine store, and its root certificate is in the "Trusted root certificate authorities" and "Trusted publishers" folders.

I would like the signature details to appear in the publisher field of the UAC prompt, but it still shows "Unknown Publisher". Anyone know what's going on? The certificate does not have the "Code signing" EKU. Will this cause the problem?

This person had a similar problem, with no answers. This question covers code signing in detail but it's still not working for me.


Answer 1:


Ok, perhaps as I suspected, the EKU for code signing is essential for UAC. There's no problem generating the signature with a vanilla certificate, but UAC will ignore signatures generated with non-code-signing certificates, even if those certificates are in Trusted Publishers, Trusted Root Authorities etc.

The EKU for code signing is 1.3.6.1.5.5.7.3.3.

The following PowerShell command gets you a self-signed code signing cert...

New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName sby-port -Type CodeSigningCert
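To check which case you are in before re-signing, the following added example (not part of the original answer) reads the signer certificate from a signed file and from a certificate store and reports whether the 1.3.6.1.5.5.7.3.3 EKU is present. The function names `Get-EkuOid`, `Test-SignerEku` and `Get-StoreCertEku` and the sample path are hypothetical.

```powershell
# Added example: report whether a certificate carries the Code Signing EKU.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # OID quoted in the answer above

function Get-EkuOid {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The EKU extension is optional, so a certificate may not have one at all.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return }
    $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
}

function Test-SignerEku {
    param([Parameter(Mandatory)][string]$Path)
    # Status is the Authenticode verdict; the EKU check below is independent of it.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $oids = if ($cert) { @(Get-EkuOid -Certificate $cert) } else { @() }
    [pscustomobject]@{
        Path              = $Path
        Status            = $sig.Status
        Signer            = if ($cert) { $cert.Subject } else { $null }
        HasEkuExtension   = ($oids.Count -gt 0)
        HasCodeSigningEku = ($oids -contains $CodeSigningOid)
        EkuOids           = $oids -join ', '
    }
}

function Get-StoreCertEku {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    # Lists every certificate in the store with the same EKU verdict,
    # so the one passed to signtool can be identified by thumbprint.
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $oids = @(Get-EkuOid -Certificate $_)
        [pscustomobject]@{
            Thumbprint        = $_.Thumbprint
            Subject           = $_.Subject
            HasCodeSigningEku = ($oids -contains $CodeSigningOid)
            EkuOids           = $oids -join ', '
        }
    }
}

# Usage (the path is a placeholder for your own self-extracting archive):
#   Test-SignerEku -Path 'C:\path\to\setup.exe'
#   Get-StoreCertEku | Format-Table -AutoSize
```

`HasEkuExtension` is reported separately so that a certificate with no EKU extension at all can be told apart from one whose EKU list simply omits code signing.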


Source: https://stackoverflow.com/questions/40633643/can-i-sign-a-self-extracting-exe-with-a-certificate-without-the-code-signing-eku
