Philippsen's Blog

Everyday findings in my world of .net and related stuff

Codesigning struggles

Posted by Torben M. Philippsen on March 14, 2011

Do you also keep asking yourself something like this:

  • Why does something so simple always turn out to be so relatively hard and timeconsuming?
  • Once you have aquired your certificate, shouldn’t it be easy to apply to you project?

In my oppinion Visual Studio 2010 offers limited support for wanting to codesign your apps before distribution. In my experience You will only experince a fair ammount of success when dealing with clickonce applications. In those cases it is pretty much straigth forward to apply your certificate (pfx file) and You may remember a screen like this:

Codesigning screendump from VS2010

Codesigning screendump from VS2010

The troubles start when you want to sign the assembly. This never works the first time for me. Either I keep some strange errors stating that the certificate can not be imported or that a reference to a token can not be found and so on and so on and so on… All these errors have always turneed out to be less than helpfull and today I had enough and once and for all I wanted to find a nearby bulletproof way to sign my apps in the future.

Reading various blogs I noticed that a lot of people have had the same frustrations as I, and a lot of those people had turned to external signing tools. Since I am pretty keen on using the standard tools from Microsoft I chose to go along with the Signtool util that Microsoft provides along with Visual Studio. I also learned something new called “Post build events” until now I didn’t know they existed, but in this case they come in pretty handy – let me explain… I’am usually required to deliver my apps as a MSI package. When building the MSI package based on the primary output from my assembly the assembly gets rebuild. If the assembly is not signed during this process, you will end up having an unsigned assembly. This is where the post build event comes into play.

 

Sign the assembly using signtool.exe and the post build event (VB.net)

  1. Right click your project file of your assembly – select “properties”
  2. Select the “Compile” tab and notice the “Build events” button in the lower left corner
  3. Click that button. You will now be able to provide a pre-build event command and/or a post-build event command
  4. Enter the signtool command that applies to your needs. You can use the visual studio command prompt to test the command. In that way you don’t have to wait while all projects are being recompiled.
    A piece of advice is to use the built-in macros. Using those macros it is pretty easy to supply the correct paths.
  5. Choose when to run the post-build event – for instance “on successful build”
  6. click “ok” to exit
  7. Recompile your assembly. If you have put in the signtool command correctly, your assembly will be signed.

To get the signtool command to work properly I had to try out various commands. The one thing that kept getting in my way, was to supply the proper paths. Here is what you need to know:

  • When putting the signtool command into visual studio it does not know where to locate the signtool.exe file. You will have to put in the exact path to the signtool.exe. Using Visual Studio 2010 my path was “C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool”. Notice that the signtool is located in a previous version of Visual Studio. You might need to perform a search to find it in your environment.
  • If you have any spaces in your file paths, remember to but the path in quotes <“path”>
  • Remember to use the exact filepath when pointing to your certificate
  • Remember to supply the password for the certificate
  • Remember to use the full filepath to the assembly that needs to be signed – this is done by using the build-in macros

Here’s a sample command that worked for me:

“C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool” sign /f “$(ProjectDir)resources\eg_codesigning.pfx” /p mypassword “$(TargetPath)”

 

Sign the installer using Signtool.exe (VB.net)

Once the assembly is signed you can move forward to have your installer signed. I will assume you know how to add a setup project to your solution.

  1. Select the “setup project” project file and view the properties.
  2. Notice that you will have a property called “PostBuildEvent”. Click the browse button to enter the command line screen.
  3. As you did before you need to build the command. I will not go into further details since the process is pretty much the same as described above.
  4. Once you have entered your command rebuild the setup project.

Things you need to know:

  • If you do not put in a description using the signtool, You will notice that when installing your app, a funny name like 77eu891.msi will show up in the UAC prompt. To avoid this, just remember to use the /d option in the signtool command. This will add a description to the MSI package and this description will display in the UAC prompt.

Here’s a sample that worked for me:

“C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\signtool” sign /f “$(ProjectDir)eg_codesigning.pfx” /p mypassword /d “EGPackageMaker – Corporate software administration tool” “$(BuiltOuputPath)”

 That’s it. For now my struggles regarding codesigning have ended – and maybe this article can be of use to someone else.

Advertisements

One Response to “Codesigning struggles”

  1. facebook]Technology tips]mobile…

    […]Codesigning struggles « Philippsen's Blog[…]…

Sorry, the comment form is closed at this time.

 
%d bloggers like this: