问题
How can I securely pass the password to signtool.exe?
Here's the code:
[Setup]
SignTool=mysigntool signtool.exe" sign /f <path_to_pfx_certificate> /p <certificate's_password> $f
I know there's a method like GetSHA1OfString, but here I need the opposite.
回答1:
If you are asking how to encrypt the password, it does not make sense. An encryption needs a key (aka a password). So you end up with another password, which you again need to store somewhere in plain text. It's a kind of a chicken or the egg problem.
All you can do is to obfuscate the password.
Consider protecting the certificate by putting it into the Windows certificate store instead of a password-protected file. This is the same question you have, just for MSBuild: How do I securely store a .pfx password to use in MSBuild? The answer is pretty much generic. You just replace the MSBuild's %(SignFiles.Identity) with Inno Setup's $f in the signtool command line:
signtool.exe sign /sha1 <value> /t ... $f
Other related questions:
- How do I securely configure a CI server to digitally sign binaries?
- Automated Code Signing - Protecting the private key
来源:https://stackoverflow.com/questions/64785809/how-can-i-securely-pass-the-certificate-password-to-signtool-exe-in-inno-setup