From: Joe Monnin on 28 May 2010 13:09

I'm very puzzled about the code signing system in place in Visual Studio. I can sign ClickOnce deployments with a certificate from the certificate store. Why can I not do the same thing when signing an assembly? For that, I need to have a .pfx or .snk file.

My company does not want to give the Verisign certificate password to the development team, and rightly so since they could then take that .pfx home and start signing any sort of trash they wanted with the company certificate. So instead, they have installed the certificate with the private key in the certificate store and disabled the ability to export the private key. The only way to sign code is then to use signtool.exe. Code signing in Visual Studio is not possible.

Why aren't the code signing mechanisms for ClickOnce and assemblies the same? It seems like I must be missing something here, but I can't imagine what it could be.

From: John Vottero on 28 May 2010 16:57

"Joe Monnin" <JoeMonnin(a)discussions.microsoft.com> wrote in message news:5436EBC4-70BA-413E-9266-F1D244736763(a)microsoft.com...
> I'm very puzzled about the code signing system in place in Visual Studio.
> I can sign ClickOnce deployments with a certificate from the certificate
> store. Why can I not do the same thing when signing an assembly? For that,
> I need to have a .pfx or .snk file. My company does not want to give the
> Verisign certificate password to the development team, and rightly so since
> they could then take that .pfx home and start signing any sort of trash they
> wanted with the company certificate. So instead, they have installed the
> certificate with the private key in the certificate store and disabled the
> ability to export the private key. The only way to sign code is then to use
> signtool.exe. Code signing in Visual Studio is not possible. Why aren't the
> code signing mechanisms for ClickOnce and assemblies the same? It seems like
> I must be missing something here, but I can't imagine what it could be.

I have the same questions. It doesn't make sense to me. Further, I don't think you can digitally sign an assembly in Visual Studio, not even in 2010. The assembly signing is for a strong name, not a public code signing certificate. Still, you don't want to be handing out your strong name key either.

I have found that you can strong name sign with a key from the certificate store by editing your *.csproj file and adding:

    <KeyContainerName>YourKeyName</KeyContainerName>

Add this right after the <AssemblyName>. <SignAssembly> should be left as false.

You still have to use signtool.exe (or Set-AuthenticodeSignature) to sign the assembly with your Verisign certificate.
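
The second step from the reply above (Authenticode signing with a certificate whose private key stays in the certificate store), as an added example that is not part of the original thread. The parameter names, the default store path and the timestamp URL are assumptions to replace with your own values; run it after the build has applied the strong name, because strong-name signing a file afterwards would invalidate the Authenticode signature.

```powershell
param(
    [Parameter(Mandatory = $true)] [string] $AssemblyPath,  # built, strong-named assembly
    [Parameter(Mandatory = $true)] [string] $Thumbprint,    # thumbprint of the code-signing cert
    [string] $StorePath = 'Cert:\CurrentUser\My',           # assumption: may be Cert:\LocalMachine\My
    [string] $TimestampUrl                                  # your CA's timestamp service, if any
)
$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path $AssemblyPath).Path

# 1. Confirm the build produced a strong-named assembly. This only checks that a
#    public key is embedded; use "sn.exe -v" to validate the strong-name signature.
$asmName = [System.Reflection.AssemblyName]::GetAssemblyName($fullPath)
$token   = $asmName.GetPublicKeyToken()
if (-not $token -or $token.Length -eq 0) {
    throw "$fullPath has no public key token; strong-name it before Authenticode signing."
}

# 2. Locate the certificate by thumbprint. The private key is used in place by the
#    crypto provider, so it can stay marked non-exportable.
$cert = Get-ChildItem $StorePath -CodeSigningCert |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No code-signing certificate $Thumbprint in $StorePath." }
if (-not $cert.HasPrivateKey) { throw "Certificate found, but this account has no private key for it." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 3. Sign. A timestamp keeps the signature verifiable after the certificate expires.
$signArgs = @{ FilePath = $fullPath; Certificate = $cert; HashAlgorithm = 'SHA256' }
if ($TimestampUrl) { $signArgs.TimestampServer = $TimestampUrl }
$signed = Set-AuthenticodeSignature @signArgs
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.Status) - $($signed.StatusMessage)"
}

# 4. Re-read the file and verify independently of the signing call.
$check = Get-AuthenticodeSignature $fullPath
if ($check.Status -ne 'Valid' -or $check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Verification failed: $($check.Status)"
}

# Summary object for build logs.
New-Object PSObject -Property @{
    File           = $fullPath
    PublicKeyToken = ($token | ForEach-Object { $_.ToString('x2') }) -join ''
    Signer         = $check.SignerCertificate.Subject
    Timestamped    = [bool]$check.TimeStamperCertificate
}
```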