.NET 2.0: code access security / authentication

[Lloyd Dupont]

I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a .pfx
file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?
- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!


Now, could anyone give me simple direction!
I understand the concept! I just don't manage to put them into practice :-(
And the pratical documentation is awfully thin,
while the many article's author like to linger for an awfull number of pages
on the concepts it's very hard to find any practical implementation :-(
:-( :-(
which bring an other question:
I have found verisign, is there any other authentication 'registrar'?

 

[Nicole Calinoiu]

I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.

There are two types of code signing used for .NET assemblies: strong name
signing and authenticode signing. The one that addresses the "unknown
publisher" issue is authenticode signing, not strong name signing. While
there's nothing preventing you from strongly naming your assemblies as well
(and there may be some potentially compelling reasons to do so), a strong
name is not necessary in this scenario.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a .pfx
file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc

Let's ignore strong naming for the moment since it's adding unnecessary
complexity. For authenticode signing, you need a code signing certificate
and the private key that corresponds to the public key contained in that
certificate. Once you have the certificate and private key in hand, you
would use the signcode tool
(http://msdn.microsoft.com/library/en-us/cptools/html/cpgrfFileSigningToolSigncodeexe.asp)
to sign your compiled assemblies. It makes no difference whether those
assemblies were originally written in C# or MC++.

While you can create test certificates with makecert, you should obtain your
production certificates from a CA (certification authority) that will be
recognized by your clients. If your application will be distributed outside
of a single enterprise, you will probably want to use a commercial CA like
Verisign or Thawte. (If you want a wider choice of CAs that are likely to
be trusted on Windows machines, a good place to start is the trusted root
CAs list on your machine.) If you are distributing your application only
within a single enterprise which runs its own CA, acquiring your
authenticode certificate from that CA may be more cost-effective.

As for delivered file formats and certificate application processes, these
can differ between CAs. The larger commercial CAs provide detailed guides
on both how to apply for their certificates (including the processes around
private key issuing), as well as how to use the files they will return to
your in order to actually sign your executables with makecert.

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?

You can use the pvkimprt tool
(http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7)
to either convert spc+pvk file pairs to a pfx file or a certificate (with
associated private key) in your certificates store. (The snk files used for
strong naming keys are not relevant to authenticode signing.)

- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!

See http://blogs.msdn.com/shawnfa/archive/2005/07/14/438963.aspx. However,
keep in mind that you don't need to strongly name your assemblies simply in
order to use authenticode signing.

 

[Lloyd Dupont]

Thanks, very interesting and well explained!

I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.

There are two types of code signing used for .NET assemblies: strong name
signing and authenticode signing. The one that addresses the "unknown
publisher" issue is authenticode signing, not strong name signing. While
there's nothing preventing you from strongly naming your assemblies as
well (and there may be some potentially compelling reasons to do so), a
strong name is not necessary in this scenario.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a
.pfx file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk
file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc

Let's ignore strong naming for the moment since it's adding unnecessary
complexity. For authenticode signing, you need a code signing certificate
and the private key that corresponds to the public key contained in that
certificate. Once you have the certificate and private key in hand, you
would use the signcode tool
(http://msdn.microsoft.com/library/en-us/cptools/html/cpgrfFileSigningToolSigncodeexe.asp)
to sign your compiled assemblies. It makes no difference whether those
assemblies were originally written in C# or MC++.

While you can create test certificates with makecert, you should obtain
your production certificates from a CA (certification authority) that will
be recognized by your clients. If your application will be distributed
outside of a single enterprise, you will probably want to use a commercial
CA like Verisign or Thawte. (If you want a wider choice of CAs that are
likely to be trusted on Windows machines, a good place to start is the
trusted root CAs list on your machine.) If you are distributing your
application only within a single enterprise which runs its own CA,
acquiring your authenticode certificate from that CA may be more
cost-effective.

As for delivered file formats and certificate application processes, these
can differ between CAs. The larger commercial CAs provide detailed guides
on both how to apply for their certificates (including the processes
around private key issuing), as well as how to use the files they will
return to your in order to actually sign your executables with makecert.

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?

You can use the pvkimprt tool
(http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7)
to either convert spc+pvk file pairs to a pfx file or a certificate (with
associated private key) in your certificates store. (The snk files used
for strong naming keys are not relevant to authenticode signing.)

- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.snk")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!

See http://blogs.msdn.com/shawnfa/archive/2005/07/14/438963.aspx.
However, keep in mind that you don't need to strongly name your assemblies
simply in order to use authenticode signing.

Now, could anyone give me simple direction!
I understand the concept! I just don't manage to put them into practice
:-(
And the pratical documentation is awfully thin,
while the many article's author like to linger for an awfull number of
pages on the concepts it's very hard to find any practical implementation
:-( :-( :-(
which bring an other question:
I have found verisign, is there any other authentication 'registrar'?

--
NovaMind development team
NovaMind Software
Mind Mapping Software
<www.nova-mind.com>