Re: .NET 2.0: code access security / authentication
From: Lloyd Dupont (net.galador_at_ld)
Date: 09/26/05
- Next message: Nicole Calinoiu: "Re: enumerate runtime permissions"
- Previous message: Martin Høst Normark: "Logon with Digital Siganture (PKI/OCES - or what else they're called)"
- In reply to: Nicole Calinoiu: "Re: .NET 2.0: code access security / authentication"
Date: Mon, 26 Sep 2005 17:10:31 +1000
Thanks, very interesting and well explained!
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%23zRu2gruFHA.3452@TK2MSFTNGP14.phx.gbl...
> "Lloyd Dupont" <net.galador@ld> wrote in message
> news:eVVl95ZuFHA.904@tk2msftngp13.phx.gbl...
>> I'm writing a .NET 2.0 app
>> I want to deploy it in the net.
>> Apparently (due to an "unknown publisher warning" while downloading in the
>> browser) I have to give a strong name to my installer & my components.
>
> There are two types of code signing used for .NET assemblies: strong name
> signing and authenticode signing. The one that addresses the "unknown
> publisher" issue is authenticode signing, not strong name signing. While
> there's nothing preventing you from strongly naming your assemblies as
> well (and there may be some potentially compelling reasons to do so), a
> strong name is not necessary in this scenario.
>
>
>> My (.NET 2.0 beta2) project is a mix of C# & MC++.
>> - To authenticate my MSI I need a .spc & a .pvk file
>> - To strongly name my C# assemblies with VS.NET 2005 I need to use a
>> .pfx file or a .snk file
>> - To strongly name my C++ assembly I guess I should use a .snk and the
>> assembly attributes
>> - Verisign could provide me a certificate (is it a .cer???) from a .pvk
>> file
>> - apparently I could create a .pvk file with makecert
>> - apparently I could create a .spc from a .cer with cert2spc
>
> Let's ignore strong naming for the moment since it's adding unnecessary
> complexity. For authenticode signing, you need a code signing certificate
> and the private key that corresponds to the public key contained in that
> certificate. Once you have the certificate and private key in hand, you
> would use the signcode tool
> (http://msdn.microsoft.com/library/en-us/cptools/html/cpgrfFileSigningToolSigncodeexe.asp)
> to sign your compiled assemblies. It makes no difference whether those
> assemblies were originally written in C# or MC++.
>
> While you can create test certificates with makecert, you should obtain
> your production certificates from a CA (certification authority) that will
> be recognized by your clients. If your application will be distributed
> outside of a single enterprise, you will probably want to use a commercial
> CA like Verisign or Thawte. (If you want a wider choice of CAs that are
> likely to be trusted on Windows machines, a good place to start is the
> trusted root CAs list on your machine.) If you are distributing your
> application only within a single enterprise which runs its own CA,
> acquiring your authenticode certificate from that CA may be more
> cost-effective.
>
> As for delivered file formats and certificate application processes, these
> can differ between CAs. The larger commercial CAs provide detailed guides
> on both how to apply for their certificates (including the processes
> around private key issuing), as well as how to use the files they will
> return to you in order to actually sign your executables with makecert.
>
>
>> Now the questions are:
>> - how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?
>
> You can use the pvkimprt tool
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7)
> to either convert spc+pvk file pairs to a pfx file or a certificate (with
> associated private key) in your certificates store. (The snk files used
> for strong naming keys are not relevant to authenticode signing.)
>
>
>> - I also tried (without success) all 3 of the lines below in my ManagedC++
>> project
>> [assembly:AssemblyKeyFileAttribute("..\\..\\novamind.snk")];
>> or [assembly:AssemblyKeyFileAttribute("..\\novamind.snk")];
>> or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
>> but always get:
>> Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
>> reading key file '..\..\novamind.snk' -- The system cannot find the file
>> specified. GnuStepCPP
>> what should I do?!?!
>
> See http://blogs.msdn.com/shawnfa/archive/2005/07/14/438963.aspx.
> However, keep in mind that you don't need to strongly name your assemblies
> simply in order to use authenticode signing.
>
>
>>
>>
>> Now, could anyone give me simple direction!
>> I understand the concept! I just don't manage to put them into practice
>> :-(
>> And the practical documentation is awfully thin,
>> while the many articles' authors like to linger for an awful number of
>> pages on the concepts it's very hard to find any practical implementation
>> :-( :-( :-(
>> which brings another question:
>> I have found verisign, is there any other authentication 'registrar'?
>>
>> --
>> NovaMind development team
>> NovaMind Software
>> Mind Mapping Software
>> <www.nova-mind.com>
>>
>
>
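The thread distinguishes strong name signing from authenticode signing; the two leave their marks in different parts of a PE file. The following is an added example, not code from the thread or from any Microsoft tool: it reports which of the two a file carries, checking presence only and not validity. The function names and the constructed sample image are assumptions made for illustration.

```python
import struct

STRONGNAMESIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED in the CLR header

def rva_to_offset(pe, table, count, rva):
    """Map an RVA to a file offset using the section table."""
    for i in range(count):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + (rva - vaddr)
    raise ValueError("RVA not inside any section")

def signature_kinds(pe):
    """Report which signature types are present (presence only, not validity)."""
    lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = lfanew + 4
    nsect, = struct.unpack_from("<H", pe, coff + 2)
    optsize, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
    # Directory 4: Authenticode certificate table (a file offset, not an RVA).
    _, cert_size = struct.unpack_from("<II", pe, dirs + 8 * 4)
    # Directory 14: CLR header, present only in managed assemblies.
    clr_rva, clr_size = struct.unpack_from("<II", pe, dirs + 8 * 14)
    out = {"authenticode": cert_size > 0, "managed": clr_size > 0, "strong_name": False}
    if clr_size:
        clr = rva_to_offset(pe, opt + optsize, nsect, clr_rva)
        flags, = struct.unpack_from("<I", pe, clr + 16)
        _, sn_size = struct.unpack_from("<II", pe, clr + 32)
        # A delay-signed assembly reserves the blob but leaves the flag clear.
        out["strong_name"] = bool(flags & STRONGNAMESIGNED) and sn_size > 0
    return out

def build_sample(strong_named, authenticode):
    """Constructed PE32 headers plus a CLR header; sample input, not a runnable binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    dirs = [(0, 0)] * 16
    dirs[14] = (0x2000, 72)           # CLR header RVA and size
    if authenticode:
        dirs[4] = (0x400, 0x100)      # constructed certificate table offset and size
    opt = struct.pack("<H", 0x10B) + bytes(94) + b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x2000, 0x200, 0x200) + bytes(16)
    clr = struct.pack("<IHHIII", 72, 2, 5, 0, 0, 0x9 if strong_named else 0x1) + bytes(12)
    clr += struct.pack("<II", 0x2080, 128) if strong_named else bytes(8)
    image = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + clr.ljust(0x200, b"\0")
    return image + bytes(0x100 if authenticode else 0)
```

A file that reports `authenticode: False` is the one that produces the "unknown publisher" prompt, whatever its strong name state.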