473,320 Members | 1,802 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

.NET 2.0: code access security / authentication

I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a .pfx
file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?
- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamin d.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.sn k")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!
Now, could anyone give me simple direction!
I understand the concept! I just don't manage to put them into practice :-(
And the pratical documentation is awfully thin,
while the many article's author like to linger for an awfull number of pages
on the concepts it's very hard to find any practical implementation :-(
:-( :-(
which bring an other question:
I have found verisign, is there any other authentication 'registrar'?

--
NovaMind development team
NovaMind Software
Mind Mapping Software
<www.nova-mind.com>
Sep 15 '05 #1
2 5824
"Lloyd Dupont" <net.galador@ld> wrote in message
news:eV*************@tk2msftngp13.phx.gbl...
I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.
There are two types of code signing used for .NET assemblies: strong name
signing and authenticode signing. The one that addresses the "unknown
publisher" issue is authenticode signing, not strong name signing. While
there's nothing preventing you from strongly naming your assemblies as well
(and there may be some potentially compelling reasons to do so), a strong
name is not necessary in this scenario.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a .pfx
file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc
Let's ignore strong naming for the moment since it's adding unnecessary
complexity. For authenticode signing, you need a code signing certificate
and the private key that corresponds to the public key contained in that
certificate. Once you have the certificate and private key in hand, you
would use the signcode tool
(http://msdn.microsoft.com/library/en...igncodeexe.asp)
to sign your compiled assemblies. It makes no difference whether those
assemblies were originally written in C# or MC++.

While you can create test certificates with makecert, you should obtain your
production certificates from a CA (certification authority) that will be
recognized by your clients. If your application will be distributed outside
of a single enterprise, you will probably want to use a commercial CA like
Verisign or Thawte. (If you want a wider choice of CAs that are likely to
be trusted on Windows machines, a good place to start is the trusted root
CAs list on your machine.) If you are distributing your application only
within a single enterprise which runs its own CA, acquiring your
authenticode certificate from that CA may be more cost-effective.

As for delivered file formats and certificate application processes, these
can differ between CAs. The larger commercial CAs provide detailed guides
on both how to apply for their certificates (including the processes around
private key issuing), as well as how to use the files they will return to
your in order to actually sign your executables with makecert.

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?
You can use the pvkimprt tool
(http://www.microsoft.com/downloads/d...0-414BDFF679A7)
to either convert spc+pvk file pairs to a pfx file or a certificate (with
associated private key) in your certificates store. (The snk files used for
strong naming keys are not relevant to authenticode signing.)

- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamin d.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.sn k")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!
See http://blogs.msdn.com/shawnfa/archiv...14/438963.aspx. However,
keep in mind that you don't need to strongly name your assemblies simply in
order to use authenticode signing.



Now, could anyone give me simple direction!
I understand the concept! I just don't manage to put them into practice
:-(
And the pratical documentation is awfully thin,
while the many article's author like to linger for an awfull number of
pages on the concepts it's very hard to find any practical implementation
:-( :-( :-(
which bring an other question:
I have found verisign, is there any other authentication 'registrar'?

--
NovaMind development team
NovaMind Software
Mind Mapping Software
<www.nova-mind.com>

Sep 16 '05 #2
Thanks, very interesting and well explained!

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%2****************@TK2MSFTNGP14.phx.gbl...
"Lloyd Dupont" <net.galador@ld> wrote in message
news:eV*************@tk2msftngp13.phx.gbl...
I'm writing a .NET 2.0 app
I want to deploy it in the net.
Apparently (due to an "unknow publisher warning" while downloading in the
browser) I have to give a strong name to my installer & my components.


There are two types of code signing used for .NET assemblies: strong name
signing and authenticode signing. The one that addresses the "unknown
publisher" issue is authenticode signing, not strong name signing. While
there's nothing preventing you from strongly naming your assemblies as
well (and there may be some potentially compelling reasons to do so), a
strong name is not necessary in this scenario.

My (.NET 2.0 beta2) project is a mix of C# & MC++.
- To authenticafe my MSI I need a .spc & a .pvk file
- To strongly named my C# assemblies with VS.NET 2005 I need to use a
.pfx file or a .snk file
- To strongly named my C++ assembly I guess I should use a .snk and the
assembly attributes
- Verisign could provide me certificate (is it a .cer???) from a .pvk
file
- apparently I could create a .pvk file with makecert
- apparently I could create a .spc from a .cer with cert2spc


Let's ignore strong naming for the moment since it's adding unnecessary
complexity. For authenticode signing, you need a code signing certificate
and the private key that corresponds to the public key contained in that
certificate. Once you have the certificate and private key in hand, you
would use the signcode tool
(http://msdn.microsoft.com/library/en...igncodeexe.asp)
to sign your compiled assemblies. It makes no difference whether those
assemblies were originally written in C# or MC++.

While you can create test certificates with makecert, you should obtain
your production certificates from a CA (certification authority) that will
be recognized by your clients. If your application will be distributed
outside of a single enterprise, you will probably want to use a commercial
CA like Verisign or Thawte. (If you want a wider choice of CAs that are
likely to be trusted on Windows machines, a good place to start is the
trusted root CAs list on your machine.) If you are distributing your
application only within a single enterprise which runs its own CA,
acquiring your authenticode certificate from that CA may be more
cost-effective.

As for delivered file formats and certificate application processes, these
can differ between CAs. The larger commercial CAs provide detailed guides
on both how to apply for their certificates (including the processes
around private key issuing), as well as how to use the files they will
return to your in order to actually sign your executables with makecert.

Now the questions are:
- how do I get a .pfx or .snk from, either, the .spc, .cer, .pvk files?


You can use the pvkimprt tool
(http://www.microsoft.com/downloads/d...0-414BDFF679A7)
to either convert spc+pvk file pairs to a pfx file or a certificate (with
associated private key) in your certificates store. (The snk files used
for strong naming keys are not relevant to authenticode signing.)

- I also tried (without success) all the 3 below line in my ManagedC++
project
[assembly:AssemblyKeyFileAttribute("..\\..\\novamin d.snk")];
or [assembly:AssemblyKeyFileAttribute("..\\novamind.sn k")];
or [assembly:AssemblyKeyFileAttribute("novamind.snk")];
but always get:
Error 2 fatal error LNK1256: ALINK operation failed (80040414) : Error
reading key file '..\..\novamind.snk' -- The system cannot find the file
specified. GnuStepCPP
what should I do?!?!


See http://blogs.msdn.com/shawnfa/archiv...14/438963.aspx.
However, keep in mind that you don't need to strongly name your assemblies
simply in order to use authenticode signing.



Now, could anyone give me simple direction!
I understand the concept! I just don't manage to put them into practice
:-(
And the pratical documentation is awfully thin,
while the many article's author like to linger for an awfull number of
pages on the concepts it's very hard to find any practical implementation
:-( :-( :-(
which bring an other question:
I have found verisign, is there any other authentication 'registrar'?

--
NovaMind development team
NovaMind Software
Mind Mapping Software
<www.nova-mind.com>


Sep 26 '05 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Rudi Groenewald | last post by:
Hi there... I use SQL server integrated security so when a user opens a database in access it prompts the username & password in a small popup box on connection, but I'd like to use my own...
1
by: Saravanakumar | last post by:
Recently I have changed the VB Application for Authentication method to connect to the SQL Server 7.0 database using the Windows NT Authentication. Later I had created permissions for Select,...
3
by: Glen Scott | last post by:
Hi, I'm writing an ASP app that administers an ISA server remotely. The fact that it's an ISA server isn't my problem I believe. My question? What is the security difference between disabling...
7
by: Champika Nirosh | last post by:
Hi All, We are about to develop a Content management system, that can view, edit content online. In our system, we have a file called "sample business letter" workers... in ur system... are...
5
by: Dave Kolb | last post by:
Is there any other solution for an ASPNET application to access network resources other than running as SYSTEM, using delegation (a nightmare to get to work) or the COM+ solution? I cannot seem to...
0
by: William F. Zachmann | last post by:
A web site that will run on Windows Server 2003 and IIS 6.0 needs to provide three levels of access, one for the public and two others for two levels of subscribers. This is a port of a prior site...
6
by: Jéjé | last post by:
Hi, I have a custom aspx page which access RS (Reporting Services) using the webservice interface. I'm using the delegation (defautcredentialcache) to send the user authentication to RS. RS...
2
by: Roger | last post by:
Hi, I'm completely stumped with an issue of authentication. I have an ASP.net application which is supposed to retrieve data from a remote database. It is supposed to access the database using...
3
by: serge calderara | last post by:
Dear all, How to configure in config file, the fact that all users get access to the root web folder but only some of them to a restricted forlder Any sample ? thnaks for your help regards...
4
by: TrinityPete | last post by:
Hi all, We have a web application that uses web services for data access and retrieval. The web app and web services reside under IIS on the same server(WIN2003). The virtual directories have...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
0
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.