Delay Signing

  • Thread starter Trevor Hardwick

Trevor Hardwick

Hi

I'm Delay Signing an assembly. The Register for Com Interop property is set
to true for all output files.

When I build the solution I get the following error:

"COM Interop registration failed. The check of the signature failed for
assembly [Output file name]"

Can you explain what is causing this error? I am currently unable to build
any solutions that are delay signed and registered for com interop.

Regards

Trevor Hardwick
 

Ying-Shen Yu[MSFT]

Hi Trevor,

Registering an assembly for COM interop needs to first load the assembly.
When loading a strong-named assembly, the CLR will validate the strong name
before loading it.
So a delay-signed assembly will fail to load, and COM Interop registration
then cannot be done.
To work around this problem, you may disable strong name verification
on this assembly.
Use the command sn -Vr <assembly name>; the CLR will then skip verification
on this assembly and COM Interop registration will work (you might need to
restart the VS.NET IDE for it to take effect).
Note: disabling strong name verification should only be used in
development. You should remove the assembly from the skip verification list
by using sn -Vu <assembly name> after you have signed this assembly.

Does my reply solve your problem?
Please feel free to reply to this thread if you still have problems with it.
Thanks!

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, "online" should be removed before
sending.
 

Trevor Hardwick

Hi

Thanks for replying. Does this mean that if I wanted to Delay Sign an
assembly that is registered for com interop I would have to:

1) Build the assembly with Register For Com Interop set to false
2) Use sn.exe to disable the strong name verification for the assembly
3) Build the assembly with Register For Com Interop set to true
4) Use the sn.exe to reapply the strong name verification

Surely this is very long-winded and isn't very practical for commercial
applications that have many development cycles and release cycles. Although
a script could be put together, you are effectively building the assemblies
at least twice, and it means that all developers must follow the above steps
whenever they make any changes to the source code and have to rebuild an
assembly, rather than just clicking the rebuild solution menu option in the
VS.NET IDE. Is this really how Microsoft planned this to work?

Regards

Trevor
 

Ying-Shen Yu[MSFT]

Hi Trevor,

Thanks for your reply.

When developing a delay-signed assembly, we first need to add it to the skip
verification list before using the assembly. However, we needn't first
generate the assembly specially in order to add it to the strong name skip
verification list. Sn.exe supports the input form "*, strongname" to add
all assemblies which are signed with a certain public key to the list. Here
strongname should be specified as the string of hexadecimal digits
representing the tokenized form of the public key. See the -t and -T
options to display the public key token.

So the development steps might be:
1) sn -Vr *,<strongname>; if you have more than one public key, you need to
repeat this step to add each of them.
2) write your delay-signed assembly with "Register for COM Interop" = true
3) debugging; if the code changes, go to 2)
4) sign the assembly for release
5) sn -Vd *,<strongname>
6) release

In the development cycle, you need to keep this assembly in the skip
verification list, or your program might run into problems because of
assembly load failures caused by failed strong name validation. Since it is
still in the skip list, developers will still be able to use the rebuild
solution menu option to build. You may remove the assembly from the list
after it is fully signed.

This is just a basic idea for this issue; if you still have problems with
it, please let me know more detail about your scenario. I'll look into it
and see if I can find a workaround.
Thanks!

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, "online" should be removed before
sending.
 

Ying-Shen Yu[MSFT]

Sorry, there is a typo.
5) sn -Vd *,<strongname>
should be
5) sn -Vu *,<strongname>
Thanks!

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, "online" should be removed before
sending.
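
The skip-verification workflow in the two posts above leaves machine-wide entries behind if the final sn -Vu step is forgotten. As an added example (not part of the original thread), this PowerShell script for a release build machine lists the remaining entries and forces strong name verification of the build output. It assumes the skip list lives under the HKLM ...\StrongName\Verification registry keys and that sn.exe is on PATH; the function names and the artifact path are hypothetical.

```powershell
# Added example: audit the strong-name skip-verification list before a release build.
# Assumption: sn -Vr stores entries as subkeys named "<assembly>,<publicKeyToken>"
# under the registry keys below (64-bit and 32-bit views).
$VerificationKeys = @(
    'HKLM:\SOFTWARE\Microsoft\StrongName\Verification',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification'
)

function Get-SkipVerificationEntry {
    foreach ($key in $VerificationKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            $assembly, $token = $_.PSChildName -split ',', 2
            [pscustomobject]@{
                Assembly = $assembly
                Token    = $token
                Wildcard = ($assembly -eq '*')   # "*,<token>" covers every assembly signed with that key
                Hive     = $key
            }
        }
    }
}

function Test-ReleaseAssembly {
    param([Parameter(Mandatory)][string]$Path)
    # -vf forces verification even when the assembly is on the skip list,
    # so a delay-signed binary fails here regardless of local sn -Vr settings.
    & sn.exe -q -vf $Path
    return ($LASTEXITCODE -eq 0)
}

$entries = @(Get-SkipVerificationEntry)
if ($entries.Count -gt 0) {
    $entries | Format-Table -AutoSize | Out-String | Write-Warning
}

# Hypothetical release artifact path; replace with the real build output.
$artifact = '.\bin\Release\MyInteropLibrary.dll'
if (-not (Test-ReleaseAssembly -Path $artifact)) {
    throw "Strong name verification failed for $artifact; it is unsigned or still delay-signed."
}
if ($entries.Count -gt 0) {
    throw "Skip-verification entries remain on this machine; remove them with sn -Vu before release."
}
```

On a developer workstation the lingering-entry check can be downgraded to a warning, since the entries are expected there during the development cycle.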
 

Trevor Hardwick

Hi

Thanks for your help. The information you have given me is fine. Due to
the complications of delay signing I think I will try a different approach.

Cheers

Trev
 

Ying-Shen Yu[MSFT]

Hi Trevor,

I fully understand your feeling.
However, in order to make the system safer, currently the .NET Framework
requires you to change the skip verification list manually, so that you have
a clear picture of which assemblies' strong names are not checked by the CLR.
You only need to add to the skip verification list once before you start
developing the delay-signed assemblies. I'm not clear what "complication"
you refer to? Of course, it will be easier if you develop
this assembly without a strong name at first and
fully sign it when you are going to release it.

If you have any ideas on how to integrate delay signing with other IDE
features, please feel free to let us know, thanks!

Best regards,

Ying-Shen Yu [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
This mail should not be replied directly, "online" should be removed before
sending.
 
