Code Signing in Visual Studio

J

Joe Monnin

I'm very puzzled about the code signing system in place in Visual Studio. I
can sign ClickOnce deployments with a certificate from the certifcate store.
Why can I not do the same thing when signing an assembly? For that, I need
to have a .pfx or .snk file. My company does not want to give the Verisign
certificate password to the development team, and rightly so since they could
then take that .pfx home an start singing any sort of trash they wanted with
the company certificate. So instead, they have installed the certificate
with the private key in the certificate store and disabled the ability to
export the private key. The only way to sign code is then to use
signtool.exe. Code signing in Visual Studio is not possible. Why aren't the
code signing mechanisms for ClickOnce and assemblies the same? It seems like
I must be missing something here, but I can't imagine what it could be.
 
J

John Vottero

Joe Monnin said:
I'm very puzzled about the code signing system in place in Visual Studio.
I
can sign ClickOnce deployments with a certificate from the certifcate
store.
Why can I not do the same thing when signing an assembly? For that, I
need
to have a .pfx or .snk file. My company does not want to give the
Verisign
certificate password to the development team, and rightly so since they
could
then take that .pfx home an start singing any sort of trash they wanted
with
the company certificate. So instead, they have installed the certificate
with the private key in the certificate store and disabled the ability to
export the private key. The only way to sign code is then to use
signtool.exe. Code signing in Visual Studio is not possible. Why aren't
the
code signing mechanisms for ClickOnce and assemblies the same? It seems
like
I must be missing something here, but I can't imagine what it could be.
Click to expand...

I have the same questions. It doesn't make sense to me. Further, I don't
think you can digitally sign an assembly in Visual Studio, not even in 2010.
The assembly signing is for a strong name, not a public code signing
certificate. Still, you don't want to be handing out your strong name key
either.

I have found that you can strong name sign with a key from the certificate
store by editing your *.csproj file and adding:

<KeyContainerName>YourKeyName</KeyContainerName>

Add this right after the <AssemblyName>. <SignAssembly> should be left as
false.

You still have to use signtool.exe (or Set-AuthenticodeSignature) to sign
the assembly with your Verisign certificate.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

code signing problem 2
Signing WinForms ClickOnce app with Certificate Chain 0
signing certificate error... 1
ClickOnce fails to load after digital signature expired / renewed 1
Code Signing and Time Stamping 2
Strong naming problem 2
Anybody use Strong Name Signing? 7
Windows cannot verify certificate of ClickOnce application 1

Top