ClickOnce and application certificate
The company I'm working for is developing a ClickOnce application. Until recently I neglected the notification
"Unknown publisher. Are you sure you want to run.." since it was solely used internally.
Now that the application is ready for product launch we start thinking about certifying. The discussion goes like this. Our product needs to be installed at the customer's server. The customers get their own copy of the application and launch it locally. We do have an official company certificate, but the guy who has to install it says that this is unsafe because the installation takes place on site by the customer and we shouldn't provide our official company certificate, because it can be misused.
I'm not familiar with this stuff, so I'm wondering whether there is some sort of 'customer' certificate possible, so that it can only be used to run the program but not to sign the application itself?
Do you mean that another company wants to publish your software to their servers so their employees can install it? In that case, the guy is right, you should NOT provide your certificate or its key to another company to publish. If you purchase a certificate, it chains back to you and you are ultimately responsible for anything signed with that certificate. Giving this information to another company makes you vulnerable.
If the other company has an IT department, they can make a certificate for their domain that chains back to them as a trusted authority. Or they can buy one and re-sign the deployment with it. Or they can give you the installation URL and you can fill it in and sign it with your certificate, and they can just put the deployment files on the webserver.
Note: you don't need a certificate at runtime. It is used at publish time to sign the deployment files. When the user installs that deployment, it will see that it is signed and that it chains back to a Certificate Authority and show the name of the company instead of "unknown publisher".
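The re-signing option from the answer above, run on the customer's side so the vendor's private key never leaves the vendor, as an added example that is not part of the original answer. The paths, the `MyApp` names, the URL and the thumbprint placeholder are assumptions; `mage.exe` is the manifest tool from the Windows SDK.

```powershell
# Added example: the customer re-signs a ClickOnce deployment with their OWN certificate.
# All paths, names and the URL below are hypothetical; adjust to the actual deployment.
$ErrorActionPreference = 'Stop'

$mage           = 'mage.exe'   # assumed to be on PATH (Windows SDK / Visual Studio)
$deployDir      = 'C:\Deploy\MyApp'
$appManifest    = Join-Path $deployDir 'Application Files\MyApp_1_0_0_0\MyApp.exe.manifest'
$deployManifest = Join-Path $deployDir 'MyApp.application'
$providerUrl    = 'https://apps.customer.example/MyApp/MyApp.application'
$thumbprint     = '<CUSTOMER_CERT_THUMBPRINT>'   # placeholder, not a real value

# The signing certificate stays in the customer's certificate store; no .pfx file
# or password is passed around. Refuse to continue without a usable private key.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert)               { throw "Certificate $thumbprint not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; cannot sign' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 1. Re-sign the application manifest. The file hashes inside it are unchanged,
#    so the application files themselves are not touched.
& $mage -Sign $appManifest -CertHash $thumbprint
if ($LASTEXITCODE -ne 0) { throw 'Signing the application manifest failed' }

# 2. The deployment manifest embeds a hash of the application manifest, so it must
#    be updated after step 1. Set the customer's installation URL at the same time.
& $mage -Update $deployManifest -AppManifest $appManifest -ProviderUrl $providerUrl
if ($LASTEXITCODE -ne 0) { throw 'Updating the deployment manifest failed' }

# 3. Sign the deployment manifest last; any later edit invalidates the signature.
& $mage -Sign $deployManifest -CertHash $thumbprint
if ($LASTEXITCODE -ne 0) { throw 'Signing the deployment manifest failed' }

# 4. Check which certificate the published manifest actually carries.
$xml = [xml](Get-Content -Raw $deployManifest)
$dsig = 'http://www.w3.org/2000/09/xmldsig#'
$embedded = $xml.GetElementsByTagName('X509Certificate', $dsig) | ForEach-Object {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($_.InnerText))
}
if ($embedded.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'Deployment manifest is not signed with the expected certificate'
}
"Signed as: $($cert.Subject)"
```

Client machines show the publisher name only if this certificate chains to an authority they already trust, for example the customer's internal CA.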