Trust an assembly?

[William Stacey]

Is there a cmdline version of the "Trust an Assembly" wizard in w2ks ".Net
Wizards" tool? Put another way, can I run a command that will trust an
assembly (by name or by key pair) without having to run this wizard? TIA

 

[Consultant]

caspol

http://msdn.microsoft.com/library/d...fCodeAccessSecurityPolicyUtilityCaspolexe.asp

 

[William Stacey]

So the user needs to run this tool to reg the app. Wonder if this could be
part of the install process. Could this be run from MS Installer package?.
TIA

 

[Tian Min Huang]

Hello William,

Thanks for your post.
Yes, it can be run as a Custom Action in an msi.

In addition, there is another method as described in the KB article 815173
if overwriting the current policy is acceptable:

HOW TO: Build and Deploy a .NET Security Policy Deployment Package
http://support.microsoft.com/?id=815173

Please feel free to let me know if any further is needed.

Have a nice day!

Regards,

HuangTM
Microsoft Online Partner Support
MCSE/MCSD

Get Secure! -- www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

 

[William Stacey]

Thinking outload here. What would stop me from, in my setup app, running
caspol.exe in a Process.start with the required command line. Do you need
to be Admin to run caspol? It would be nice if you could put an Attribute
on your main class that says "This app needs to be in admin policy" and the
Framework would put up a dialog for the user with a Yes/No dialog that would
make the updates for them and start the app. Maybe the msi thing you posted
does the same, but my idea would not require setup package, just run the app
and Framework does the rest.

2) Also I noticed that running my app from network drive puts up an error
diag (permissions), but running from c:\temp worked. I assume this is
normal behavior and user would need to set assembly permission for the app
*at the network path if they want to run from there.

3) I should now this, but have been in the IDE too long and not deploying
applications so I am fuzzy on this. When user first runs app, it gets jited
and takes a bit longer. Is the exe cached so each time started it is not
compiled or do they need to put in the GAC. Could you run down for me what
happens again for a normal exe copied to C: drive (for example) and has a
strong name (if that matters.) Do they need to ngen and put into GAC to
avoid recompile. TIA

 

[Yan-Hong Huang[MSFT]]

Hello William,

Thanks for your post.

For the quesiton:

1) Yes, I think we need to be admin to do so. This command can modify
security policy for the machine policy level. So a powerful user account is
needed.

2) Your assumption is right. The problem may be caused by the security
policy affecting to the file share. I suggest you to give the file share
FullTrust permission as described in the MSDN article below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsintro7/ht
ml/vxurfprojectfoldernotsecuredialogbox.asp

3) GAC is used for storing strong name assemblies. It is not related to
assembly loading. Each time when an application is started, it got compiled
to native image. Only the necessary part is compiled and it will be cached.
So in one execution, the same code don't need to be compiled again. For
assemblies in GAC, framework could find it automatically. If you just put
it in c: drive, framework can't find it for you unless you set it in probe
path. NGen can be used to make IL code to native code. If we use Ngen, then
the output code won't be compiled when executed since they are native image
already. This is not related to strong name directly.

If there is anything unclear, please feel free to post here. Thanks very
much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[kali_mist]

Hello Folks,
Bear with me here. IVe been trying to automate deployment of security
permissions for a while now through msi deployment packages to no
avail.
I have intranet applications that need sqlclient permissions to access
local db's. I create my apps with a strong key and then go around
each of the client machines and configure them through the framework
wizard to trust all assemblies based on that strong key.
Ive tried creating the security deployment package for enterprise
using the config tool and installing it on the client machiens but
this way they still error out with security sqlclientpermission
errors when database access is attempted from within the program.
What do I need to do?
Cheers
Michael Lennon