Question
When using Set-AuthenticodeSignature, there is an option called IncludeChain. While there is documentation about what each of the options is, I haven't been able to uncover much guidance surrounding the advantages/disadvantages of each setting (when you would pick one setting over another).
Everywhere I see IncludeChain in examples, it is always set to All. I think All is likely the best answer, but I'd like to understand the benefits and disadvantages of each of the settings.
- Signer
- NotRoot (default)
- All
Other than All making the file quite a bit bigger, what are the specific advantages and disadvantages of each of the settings?
References
- https://technet.microsoft.com/en-us/library/hh847874.aspx
- http://go.microsoft.com/fwlink/?LinkID=113391
- How Can I Prevent Needing to Re-sign My Code Every 1 or 2 Years?
Example
$certPfx = "super secret location"        # path to the .pfx holding the signing certificate and private key
$certPassword = "super secret password"   # password protecting the .pfx
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPfx, $certPassword)
Set-AuthenticodeSignature -FilePath "ps1 file location" `
    -Certificate $cert `
    -TimeStampServer "url to timestamp server" `
    -IncludeChain All `
    -HashAlgorithm SHA256
Answer 1:
The default, NotRoot, is the best option.
- Signer
pros: when you include only the signer certificate, the signature size is relatively small.
cons: if the recipient does not have all the information needed to construct the chain, a valid signature may become invalid. In addition, certificate retrieval from the internet causes noticeable delays during signature validation.
- NotRoot
pros: reduces signature validation time by speeding up chain building with the attached intermediate CA certificates. In the case where no extra information about the chain certificates is available (say, through the local store or the AIA extension), these certificates fill the gap and greatly help in chain building.
cons: signature size is increased by about 2 KB per intermediate CA certificate.
- All
pros: reduces signature validation time by speeding up chain building with the attached intermediate CA certificates.
cons: signature size is increased by about 2 KB per CA certificate. This option includes the root CA, which is redundant information. If the client already has the root certificate trusted (and therefore already installed), the included root CA certificate does not provide any helpful information. If the client does not have the root certificate, its inclusion in the signature doesn't make sense either.
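To see the trade-off the answer describes, the following added example (not code from the question or the answer) signs a throwaway script once with each IncludeChain value, then decodes the PKCS#7 block that Set-AuthenticodeSignature appends to a .ps1 and counts the certificates actually embedded, alongside the resulting file size. It also prints the signer certificate's Authority Information Access (AIA) extension, since that is the "extra information" the answer refers to that lets a verifier fetch missing intermediates when only the signer certificate is embedded. Assumptions: a code-signing certificate with a private key is present in Cert:\CurrentUser\My, the signed files are written to $env:TEMP, and no timestamp is applied so that the counts reflect only the signer's chain.

```powershell
# Added example, not part of the original question or answer. Assumptions:
#  - a code-signing certificate with a private key is in Cert:\CurrentUser\My
#  - no timestamp is applied, so the counts reflect only the signer's chain
#    (a timestamp countersignature can carry the TSA's own certificates as well)
#  - signed files are throwaway scripts written to $env:TEMP
Add-Type -AssemblyName System.Security   # SignedCms on Windows PowerShell 5.1; already loaded on PowerShell 7

$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Does the signer certificate carry an AIA extension (OID 1.3.6.1.5.5.7.1.1)?
# Without one, and without the intermediates in the local store, a Signer-only
# signature can only be chained if the verifier already has the intermediate CA
# certificates from somewhere else.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($aia) { "Signer AIA:`n" + $aia.Format($true) } else { 'Signer certificate has no AIA extension' }

function Get-EmbeddedCertificates {
    # Decode the PKCS#7 SignedData that Set-AuthenticodeSignature appends to a .ps1
    # (the base64 lines between "# SIG # Begin/End signature block") and return
    # the certificates carried inside it.
    param([string]$Path)
    $inBlock = $false
    $b64 = foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -eq '# SIG # Begin signature block') { $inBlock = $true; continue }
        if ($line -eq '# SIG # End signature block')   { break }
        if ($inBlock) { $line.Substring(2) }   # strip the leading "# "
    }
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([Convert]::FromBase64String(($b64 -join '')))
    return $cms.Certificates
}

foreach ($mode in 'Signer', 'NotRoot', 'All') {
    $path = Join-Path $env:TEMP "includechain-$mode.ps1"
    Set-Content -LiteralPath $path -Value 'Write-Output "hello"' -Encoding UTF8

    $sig = Set-AuthenticodeSignature -FilePath $path -Certificate $cert `
                                     -IncludeChain $mode -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') {
        # e.g. UnknownError for a self-signed test certificate that is not trusted locally;
        # the signature is still written, so the comparison below remains meaningful
        Write-Warning "IncludeChain=$mode : $($sig.Status) - $($sig.StatusMessage)"
    }

    $embedded = Get-EmbeddedCertificates -Path $path
    [pscustomobject]@{
        IncludeChain  = $mode
        FileBytes     = (Get-Item -LiteralPath $path).Length
        EmbeddedCerts = $embedded.Count
        Subjects      = ($embedded | ForEach-Object { $_.GetNameInfo('SimpleName', $false) }) -join ' | '
    }
}
```

What to look for: Signer embeds exactly one certificate, NotRoot adds each intermediate CA in the chain, and All adds the root on top of that, with FileBytes growing by roughly the DER size of each added certificate. If the AIA check reports no extension and the intermediates are not already in the verifier's store, a Signer-only signature is the one that will fail to chain; that is the gap NotRoot closes without paying for the root certificate the verifier must already trust anyway.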
Source: https://stackoverflow.com/questions/36202269/powershell-set-authenticodesignature-includechain-options-advantages-disadvant