SN v2.0 Works With PFX Files
One enhancement to the v2.0 SN tool that may not get noticed right away is that it can now work with PKCS #12 PFX files in addition to SNK files. The logic here is that a self-signed certificate stored in a PFX file is the moral equivalent of an SNK key, except that it gives you the added benefit of storing your key in encrypted form rather than in the SNK's plain-text format.
This feature should be entirely transparent -- anywhere that SN takes a key file as input, you can now specify a PFX file instead. SN will detect this and prompt you for a password:
Microsoft (R) .NET Framework Strong Name Utility Version 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.
Enter the password for the PKCS#12 key file:
Assembly 'DelaySigned.exe' successfully re-signed
Your password will not echo to the screen as you type it.
There are a few limitations to this feature, however. Since it was designed with self-signed certificates in mind, SN will not accept a PFX file that contains multiple certificates (there's no way to tell it which certificate you wish to use).
Also, SN will not allow you to redirect standard input and load the password from a pipe. (In this case it gives a rather cryptic error message, "Failed to parse the PKCS#12 blob in KeyPair.pfx -- The handle is invalid." ... we'll replace that message with something a bit more descriptive in a future release.)
Finally, the PFX file must have a password, even if that password is blank. SN will never attempt to read a certificate with a NULL password.
If you want to create a self-signed PFX key, the easiest way is to use Visual Studio 2005. In the project properties Signing tab, tell Visual Studio to create a new strong name key file. VS will show you this dialog:
Selecting "Protect my key file with a password", the default option, creates a PFX file. If you uncheck that option, you'll create a traditional SNK file. VS will enforce that your password be at least six characters long. It also provides the ability for you to change the password of an existing key pair.
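As an added example (not from the original post and not SN's own code), here is a small C# pre-flight check that opens a PFX the way SN will: it loads the file with a password string (empty rather than null), rejects files that hold more than one certificate or no RSA private key, and prints the public key token the key pair would produce so you can compare it with the token a delay-signed assembly was built against before running sn -R. The StrongNameKeyPair construction and the Subject == Issuer self-signed heuristic are my own choices for the check, not SN's internals.

```csharp
// Added example: pre-flight check for a PFX before handing it to sn.exe.
// Not part of the original post or of SN; uses only the .NET Framework BCL.
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class PfxPreflight
{
    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: PfxPreflight <file.pfx> <password>"); return 2; }
        // SN requires a password, even an empty one; pass "" rather than null.
        string path = args[0], password = args[1];
        X509Certificate2Collection certs = new X509Certificate2Collection();
        try
        {
            certs.Import(File.ReadAllBytes(path), password, X509KeyStorageFlags.Exportable);
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("Cannot open PKCS#12 file (wrong password or corrupt): " + ex.Message);
            return 1;
        }
        Console.WriteLine("Certificates in file: " + certs.Count);
        if (certs.Count != 1)
        {
            Console.Error.WriteLine("SN accepts only a PFX containing a single certificate.");
            return 1;
        }
        X509Certificate2 cert = certs[0];
        // Subject == Issuer is a heuristic for "self-signed", good enough for a preflight report.
        Console.WriteLine("Subject: " + cert.Subject + "  (self-signed: " + (cert.Subject == cert.Issuer) + ")");
        RSACryptoServiceProvider rsa = cert.HasPrivateKey ? cert.PrivateKey as RSACryptoServiceProvider : null;
        if (rsa == null)
        {
            Console.Error.WriteLine("No exportable RSA private key; SN cannot sign with this file.");
            return 1;
        }
        // Strong names are RSA signatures. Build the key pair as SN sees it and derive the
        // public key token: the last 8 bytes of SHA-1 over the public key blob, byte-reversed.
        StrongNameKeyPair pair = new StrongNameKeyPair(rsa.ExportCspBlob(true));
        byte[] hash = new SHA1CryptoServiceProvider().ComputeHash(pair.PublicKey);
        byte[] token = new byte[8];
        for (int i = 0; i < 8; i++) token[i] = hash[hash.Length - 1 - i];
        Console.WriteLine("RSA key size: " + rsa.KeySize + "  public key token: "
            + BitConverter.ToString(token).Replace("-", "").ToLowerInvariant());
        return 0;
    }
}
```

A non-zero exit code means SN would refuse the file for the reason printed; the token line should match the output of sn -T on the delay-signed assembly.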
# re: SN v2.0 Works With PFX Files
Great post! While I have yet to use this feature of VS2k5/SN, I look forward to it in the future.
I really appreciate your clarification regarding self-signed certs. This was/is something that I've struggled with when it came to strong-naming/signing assemblies: where do the keys come from?? Any Joe can use SN to generate key pairs and the Fx 1.1 docs did not go into much detail as to where the keys came from - just generate them using the tool and sign away.
I take it that the real intent here is for companies to sign their binaries using the cert they purchase from Thawte (http://www.thawte.com/ssl-digital-certificates/code-signing/index.html, or whomever), or if you're so fortunate as to have a robust PKI implementation - use your own.
Is this correct?
Thanks again! Your blog is awesome.
Harris
# re: SN v2.0 Works With PFX Files
You need to use the /keyname command line switch to do this. Since VS doesn't have store browsing UI, you might want to consider filing them a feature request on the MSDN Product Feedback Center.
-Shawn
# re: SN v2.0 Works With PFX Files
The keys generated with the sn -k command are actually randomly generated. We ask the default CSP to give us a new key, and it goes ahead and creates one for us :-)
-Shawn
# Authenticode and Strong naming ("signing")
It kills me that the names for these processes are "Code signing" and "Strong Name signing". So this