Sign your distributables free and easy!

I was using signtool.exe a while ago to see what it does and learned that it is a security tool to sign any executable or DLL (thus not .NET only). Maybe even other weird file container formats that Microsoft made are supported.

Anyway, I was struggling with openssl and makecert a lot to make it work. Well, not really struggling, but if you don’t have a lot of PKI knowledge then you’re in for a treat! Months passed and then I found the nice and free certificate provider CAcert. I registered and scored enough points to get me a nice personally named certificate. The system is comparable with Thawte’s web of trust but I think Thawte’s certificates can only be used for e-mail signing and encryption.

I am busy with a tool that can back up running virtual server machines. Don’t know if this functionality is already made by somebody or if it is available in the R2 release. More on this in a future post. I thought that it would be nice if I would sign those assemblies and started signtool in the wizard mode.

    signtool.exe signwizard

It was really easy to sign my assemblies with my personal CAcert certificate. I really don’t understand why major software providers like Mozilla took so long before they started signing their Windows downloads when it is so easy to do.

The signwizard is a bit problematic in an automated build environment like a nightly build (or even better a nice continuous integration one). Luckily for us we’re also able to do all of this from the command line.

    signtool.exe sign /a /d "Ramon Smits" /du http://bloggingabout.net/  *.exe *.dll

This assumes that the certificate is stored in the personal store without
There is also a timestamp option. Verisign has a public timestamp service and you only have to add the following to make use of it. Timestamping is worth doing: a timestamped signature stays valid after the signing certificate expires, because the verifier checks that the certificate was valid when the file was signed rather than when the file is checked.

    /t http://timestamp.verisign.com/scripts/timstamp.dll

After signing you can check the result by opening the properties of your application and selecting the Digital Signatures tab that has become available. Selecting Details will bring up the following dialog.

The most important thing about signatures is that you check if you trust the specified party, including its certification path. Any application can have a valid certificate but that doesn’t mean I will trust everyone :-).


"After viewing the certification path I decided that I trust this dude…"

My favorite browser is Firefox but it doesn’t have the nice security option that Internet Explorer has. When you download an executable with Internet Explorer and this executable is opened locally then you will see the following dialog.

Windows shows this message because Internet Explorer has added meta information about the download in an alternate data stream (the Zone.Identifier stream) of the file. Downloading it with Firefox and then running it will not trigger any check. I don’t remember this very well but I think Windows Vista does show this message for any application. Clicking on the first URL will navigate to bloggingabout.net (the /du parameter of signtool.exe) and the second shows the same dialog as Explorer (Digital Signature Details).

A major benefit of code signing downloads is that you can easily host your download at other locations without the risk that others modify it unnoticed. Downloaders have a quick and easy way to check whether the download is valid and has not been tampered with.
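Putting the steps of this post together in one build script, as an added example that is not part of the original post: it signs and timestamps the build output, verifies the result, prints the certification path so a human can decide whether to trust the signer, and finally shows the zone marker Internet Explorer leaves on a download. The .\bin and .\Download\app.exe paths, the assumption that signtool.exe is on PATH and that the certificate sits in the CurrentUser personal store are mine; the /d, /du and /t values are the ones from the post.

```powershell
# Added example (not from the original post): sign a build output the way the
# post describes, then check the result before shipping it.
# Assumptions (not in the original post): the build drops its binaries in .\bin,
# signtool.exe is on PATH, and the signing certificate is in the CurrentUser\My
# store so that "signtool sign /a" can pick it (with /a signtool chooses the best
# valid code-signing certificate it finds automatically).
$ErrorActionPreference = 'Stop'
$files = Get-ChildItem -Path .\bin -Include *.exe, *.dll -Recurse | ForEach-Object { $_.FullName }

# 1. Sign with a description (/d), a URL (/du) and a timestamp (/t) as in the post.
#    The timestamp is what keeps the signature valid after the certificate expires.
& signtool.exe sign /a /d "Ramon Smits" /du http://bloggingabout.net/ `
    /t http://timestamp.verisign.com/scripts/timstamp.dll $files
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify against the default Authenticode policy (/pa; without it signtool applies
#    the driver-signing policy and ordinary binaries fail) and show the chain (/v).
& signtool.exe verify /pa /v $files
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 3. Inspect the signer and its certification path from PowerShell. Status must be
#    'Valid'; anything else (NotSigned, HashMismatch, NotTrusted, ...) means do not ship.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') { throw "$f : signature status is $($sig.Status)" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($sig.SignerCertificate)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        throw "$f : certification path not trusted ($reasons)"
    }
    # Print the path root-first so a reviewer can decide whether to trust "this dude".
    $path = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    [array]::Reverse($path)
    "{0}`n  signer: {1}`n  path:   {2}" -f $f, $sig.SignerCertificate.Subject, ($path -join ' -> ')
}

# 4. On the receiving side: a file downloaded with Internet Explorer carries a
#    Zone.Identifier alternate data stream; that stream is what triggers the
#    "Open File - Security Warning" dialog, not the signature itself.
#    (Assumed download path; Get-Content -Stream needs PowerShell 3.0 or later.)
Get-Content -Path .\Download\app.exe -Stream Zone.Identifier -ErrorAction SilentlyContinue
```

A valid signature and a trusted chain only tell you that *somebody* with a certificate from a trusted CA signed the file; for an auto-updater you would additionally compare the signer’s thumbprint against the one you expect. Newer signtool versions also accept an RFC 3161 timestamp server with /tr and /td sha256, and /fd sha256 for the file digest; if the Verisign URL from the post is no longer reachable, substitute your CA’s timestamp service.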

Use command line option ‘/keyfile’ or appropriate project settings instead of ‘AssemblyKeyFile’

I got the following error after converting an old project.

Use command line option ‘/keyfile’ or appropriate project settings instead of ‘AssemblyKeyFile’

So I did what it asked me and then suddenly it added my key file to my project! Well… that wasn’t really what I wanted because now it would be part of my project that is saved in my code repository (Subversion, by the way..). So I did a rollback (sometimes having version control is a big plus), ran the build again and voilà, the warning appeared again. My fingers hit the F1 button to see what the Microsoft help propaganda had to say about this and then the following text appeared:

There were security issues due to the attributes being embedded in the binary files produced by the compiler. Everyone who had your binary also had the keys stored in it.

Well I was in shock when I read this. But this is an error I presume? Shouldn’t this be "Everyone who had your binary also had the PUBLIC keys stored in it"? Well I hope that is the case or else my strong-named assemblies would be worth shit security-wise!

So I continued reading and read the following:

There were usability issues due to the fact that the path specified in the attributes was relative to the current working directory, which could change in the integrated development environment (IDE), or to the output directory. Thus, most times the key file is likely to be ..\..\mykey.snk. Attributes also make it more difficult for the project system to properly sign satellite assemblies. When you use the compiler options instead of these attributes, you can use a fully qualified path and file name for the key without anything being embedded in the output file; the project system and source code control system can properly manipulate that full path when projects are moved around; the project system can maintain a project-relative path to the key file, and still pass a full path to the compiler; other build programs can more easily sign outputs by passing the proper path directly to the compiler instead of generating a source file with the correct attributes.

Well yes! Exactly.. that is why I wanted to use the attribute this way! 🙂 But they are correct about all that relative path mess, so I thought let’s install the key pair in a key container. This all works well with the good old AssemblyKeyName attribute! But now again a compiler warning.

Use command line option ‘/keycontainer’ or appropriate project settings instead of ‘AssemblyKeyName’

So I browsed the project properties to see if there is an option to select a key container to sign the assembly, but that isn’t possible. Opening the project file (*.csproj) revealed an element named AssemblyKeyContainerName, but Microsoft Visual C# 2005 Express Edition doesn’t use it when compiling, because the resulting output is still unsigned.

The help doesn’t show me how to use a key from a container so I am currently stuck with leaving the last warning as is.

If anybody knows how to solve this then leave your comment please 🙂

Update:
I can at least disable the warning with the new #pragma directive (found that one here; it also shows a different settings screen than in VC#2005 ED).

    #pragma warning disable 1699
    [assembly: AssemblyKeyName(@"MyCoolKeyContainer")]
    #pragma warning restore 1699
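The key-container workflow done from the command line, as an added example (not the author’s project and not Microsoft’s documentation): the private key goes into a CSP key container once, the assembly is compiled with the /keycontainer switch that warning CS1699 points at, and afterwards sn.exe shows what a recipient of the assembly actually gets. The paths, the Library.cs/Library.dll names and the choice of PowerShell are assumptions; the container name is the one from the AssemblyKeyName attribute above.

```powershell
# Added example (not from the original post): the key-container workflow the post
# describes, done from the command line so nothing key-related lives in the
# repository. Assumptions: sn.exe and csc.exe are on PATH (a Visual Studio
# command prompt), the source is .\src\Library.cs, and the container name
# "MyCoolKeyContainer" is the one used in the post's AssemblyKeyName attribute.
$ErrorActionPreference = 'Stop'
function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 1. Generate a key pair once, on the build/signing machine. Keep the .snk out of
#    source control: it holds the PRIVATE key.
Invoke-Checked sn.exe @('-k', 'keypair.snk')

# 2. Install the pair into a CSP key container. From here on the private key is
#    referenced by name only.
Invoke-Checked sn.exe @('-i', 'keypair.snk', 'MyCoolKeyContainer')

# 3. Export only the public half, then delete the pair file. public.snk CAN be
#    committed: it is what teammates need for delay-signing (csc /delaysign+)
#    and it is exactly what ends up inside the assembly.
Invoke-Checked sn.exe @('-p', 'keypair.snk', 'public.snk')
Remove-Item .\keypair.snk

# 4. Compile with /keycontainer (the compiler switch the CS1699 warning recommends)
#    instead of [assembly: AssemblyKeyName].
Invoke-Checked csc.exe @('/nologo', '/target:library', '/keycontainer:MyCoolKeyContainer',
                         '/out:Library.dll', '.\src\Library.cs')

# 5. Check the result. -v verifies the strong-name signature; -Tp prints the public
#    key and public key token stored in the assembly, which is all a recipient gets:
#    the private key never leaves the container.
Invoke-Checked sn.exe @('-v', 'Library.dll')
Invoke-Checked sn.exe @('-Tp', 'Library.dll')

# When the key is retired or moved elsewhere, remove the container:
# Invoke-Checked sn.exe @('-d', 'MyCoolKeyContainer')
```

Key containers are user-specific by default, so a build service running under another account will not see a container installed from your desktop session; `sn -m y` switches sn.exe to machine-specific containers before step 2 if that is what you need. Note also that a strong name only proves the assembly was produced by whoever holds that private key; it is not an Authenticode signature and carries no certificate or trust chain.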

Debug and Release build in Visual Studio Express edition

So.. where did it go? It took me a couple of minutes to find it but it seems to be an "advanced" feature 🙂

Go to:
Tools –> Options…

Check the ‘Show all settings’ box in the lower right corner

Then go to:
Projects and Solutions –> General

Check the ‘Show advanced build configurations’ box somewhere in the middle section.

Visual Studio Express advanced features

Now you will have the option to quickly toggle between debug and release builds in the toolbar and see all sorts of ‘advanced’ features in the solution and project properties.

PS:
This also gives access to the option to use tabs instead of spaces. Don’t know why the default is spaces. I want to decide myself how many spaces a tab should be ;-).

String Resource Generator (SRG) and VS2005

I thought that VS2005 or well.. Visual Studio Express Edition would have the string resource generator (SRG) feature built in. Turns out that it only has the resources as strongly typed properties and lacks the cool parameterized methods. So I installed the string resource generator but Visual Studio Express Edition couldn’t run it. It seemed that more people had problems with it when browsing the feedback. The problem is that Visual Studio doesn’t run/use generators from previous versions (VS2002/VS2003). I added the following information to the registry to make it work again:

Visual Studio Express

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VCSExpress\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VCSExpress\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}\SRCodeGen]
    @="String Resource Class Generator"
    "CLSID"="{75eb777f-aeba-492a-8a66-faea696086de}"
    "GeneratesDesignTimeSource"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VCSExpress\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}\StringResourceTool]
    @="String Resource Class Generator"
    "CLSID"="{75eb777f-aeba-492a-8a66-faea696086de}"
    "GeneratesDesignTimeSource"=dword:00000001

Sorry for the bad lay-out but the "smart" editor that we use is a bit too smart so it f**ks up my post.

Visual Studio 2005

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}\SRCodeGen]
    @="String Resource Class Generator"
    "CLSID"="{75eb777f-aeba-492a-8a66-faea696086de}"
    "GeneratesDesignTimeSource"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\8.0\Generators\{fae04ec1-301f-11d3-bf4b-00c04f79efbc}\StringResourceTool]
    @="String Resource Class Generator"
    "CLSID"="{75eb777f-aeba-492a-8a66-faea696086de}"
    "GeneratesDesignTimeSource"=dword:00000001


You can also download the registry file here.

Christmas coding: RGB Plasma

It seems that I wasn’t the only one with some demoscene nostalgia as Frans was first today with his cheesy rotozoomer!

Way to go Frans! 🙂 You can see his Christmas coding rotozoomer here.

Well I was more in the mood for a simple plasma. I started with the usual math stuff like how did that cos / sin stuff work, and after that I had more questions like how to have an fps-independent, time-correct effect and unsafe code for performance. But I wasn’t really satisfied with the standard XOR’ed circles and decided to use the RGB components and merge them. Below is a screenshot but I seriously suggest you download the archive and see it running.

Most code was written today but some was in the fridge for months, waiting for a day to finish it and well.. today was the code’s lucky day.

Download C# RGB plasma (needs Visual Studio Express to build)

I also included a rotating star field as a bonus ;-).. it was the first effect to see if the crappy gdi based code actually worked. Right click the effect for a context menu to select the framerate. Press F12 for a bitmap save of the effect.

Effect source is included.

MSN like idle behaviour in your application

I posted an article that includes a link to a class file I wrote today that can detect if a user is idle for a certain period and triggers an event.

This is my own quoted text from the article.

I’ve just created a nice little class that helps in building applications that need MSN-like behaviour regarding detecting a user’s idle time. This can be very handy when your application notifies the user of some special event through a non-intrusive popup, for example. But will the user see this popup when they aren’t behind their computer?

This is where this class comes in. When you detect that the user is idle you stack the notification events until the user is active again to show them to your user.

I have seen some implementations that detect a user’s idleness this way but not a single one also includes an event that gets fired when a user is available again.

Click here to read the IdleTimer to have MSN like behaviour in your application article.

IdleTimer to have MSN like behaviour in your application

I’ve just created a nice little class that helps in building applications that need MSN-like behaviour regarding detecting a user’s idle time. This can be very handy when your application notifies the user of some special event through a non-intrusive popup, for example. But will the user see this popup when they aren’t behind their computer?

This is where this class comes in. When you detect that the user is idle you stack the notification events until the user is active again to show them to your user.

I have seen bad implementations that use hooks to intercept window messages. But those are really nasty and have an impact on system performance. This class uses the GetLastInputInfo API call to ask the system once in a while if there has been user activity. Just take a look at the code by downloading the class IdleTimer.cs.

I have seen some implementations that detect a user’s idleness this way but not a single one also includes an event that gets fired when a user is available again. So that is my UDP (unique download point…).
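A minimal version of the polling approach described above, as an added example (not the IdleTimer.cs the post links to): it asks GetLastInputInfo every few seconds instead of installing a Windows hook, and raises one callback when the user goes idle and a second one when input resumes, which is the "user available again" event the post says most implementations leave out. The threshold, the poll interval and the function and callback names are assumptions for the demo.

```powershell
# Added example (not the post's IdleTimer.cs): detect idle/active transitions by
# polling GetLastInputInfo, the same approach the post describes, with an event
# for going idle and one for coming back. Threshold, poll interval and the
# callbacks are assumptions for this demo.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class LastInput {
    [StructLayout(LayoutKind.Sequential)]
    struct LASTINPUTINFO { public uint cbSize; public uint dwTime; }

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool GetLastInputInfo(ref LASTINPUTINFO plii);

    // Milliseconds since the last keyboard/mouse input in this session.
    public static uint IdleMilliseconds() {
        var lii = new LASTINPUTINFO();
        lii.cbSize = (uint)Marshal.SizeOf(typeof(LASTINPUTINFO));
        if (!GetLastInputInfo(ref lii))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        // Both values are tick counts that wrap every ~49.7 days; unsigned
        // subtraction still gives the right answer across the wrap.
        return unchecked((uint)Environment.TickCount - lii.dwTime);
    }
}
"@

function Watch-UserIdle {
    param(
        [int]$IdleAfterSeconds = 300,   # MSN-style: idle after 5 minutes without input
        [int]$PollSeconds = 5,          # the API call is cheap, so polling often is fine
        [scriptblock]$OnIdle   = { "{0:HH:mm:ss} user went idle" -f (Get-Date) },
        [scriptblock]$OnActive = { "{0:HH:mm:ss} user is back"   -f (Get-Date) }
    )
    $idle = $false
    while ($true) {
        $idleFor = [LastInput]::IdleMilliseconds() / 1000
        if (-not $idle -and $idleFor -ge $IdleAfterSeconds) {
            $idle = $true
            & $OnIdle        # here an application would start queueing notifications
        } elseif ($idle -and $idleFor -lt $IdleAfterSeconds) {
            $idle = $false
            & $OnActive      # input arrived since the last poll: flush the queue now
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Demo: a short threshold so the transitions are visible; Ctrl+C to stop.
Watch-UserIdle -IdleAfterSeconds 10 -PollSeconds 2
```

GetLastInputInfo reports input for the session the calling process runs in, so this has to run in the interactive user’s session (not from a Windows service in session 0), and a disconnected Remote Desktop session looks exactly like an idle user.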

WSE2 : KerberosToken and WSE policies

I had a weird problem today with a computer in our development domain. We currently use encryption and signing for web service calls with WSE2. We use a WSE policy to achieve this but today a colleague of mine got an error when he tried to run the code on his machine. The first thing was that the web service wasn’t running under the SYSTEM account. This account does not have enough privileges to access the Active Directory information so it can’t access the data for the Kerberos token. This isn’t a problem on Windows 2003 because .NET web applications run under a certain application pool.

But then we had a problem where the code didn’t run while it should! It was a very frustrating thing and we kept getting exceptions that said the username was incorrect. So we triple-checked everything and couldn’t find any problem. As a last resort I removed the computer from the domain and added it again and guess what: it worked afterwards.

So remove and re-add the machine to your domain if you are experiencing Kerberos token exceptions with WSE on one computer but not on another.

This isn’t mentioned in the WSE FAQ or its wiki. I will try to contribute to it this evening 🙂

Passed for Implementing Security for Applications 070-340 exam

And yes I did it again :-). I posted a few hours earlier that I still had to do the Implementing Security for Applications 070-340 exam today. I just finished it and passed with a score of 785! I really have to be honest that I was a bit nervous about the results because I didn’t really have a good feeling about it. This is because you don’t use all the security and encryption related stuff in the framework/tooling, thus it isn’t knowledge that you use all the time. Another issue was that the exam was different from the previous exams (315, 316, 320). Those had 42 questions and this one only had 30. So when you don’t know the answer to a question it probably weighs more in the results. So I am really happy with the score of this exam. It seemed like the online knowledge assessments (also 30 questions) but with twice as much time 🙂

So what to do now? Well.. I still have one more exam to go to become MCSD. And after that it will probably be best to become MCAD .net 2005…. Hurray!
