24 January 2010

Code Signing in Visual Studio 2008

I recently purchased a code signing certificate from GoDaddy.  After a great deal of trouble getting the certificate fully downloaded and installed (more about that later), I then tried to sign the assemblies for an application I had just completed.  To my surprise, I received the an error: “Error Importing Key.  Object already exists.”

After all of the trouble I encountered getting the certificate, I was sure I had the right PFX file, with the private key embedded.  I had chosen that certificate in the signing tab in the assemblies properties correctly.  I was also very sure that I supplied the right password for the private key.  Unfortunately, despite my best efforts, I kept getting the same error.

Thanks to the magic of search with Google, I found loads of articles and discussion groups where users were having similar troubles with the built-in VS signing.  Lots of different solutions were provided.  Unfortunately, none of the approaches worked.  One particular discussion within the forums on MSDN gave a good, though long, summary of all of the ways some developers have tried to fix the code signing problem in Visual Studio 2008.  If you have the patience to review the source material, you’ll find that most blogs or discussions revolve around the same sorts of options; again, none worked for me.

However, I then came across a blog article by John Robbins on code signing.  John gave useful details about a lot of aspects of his challenges, but he also mentioned something I hadn’t seen before: using the sign tool from the Windows SDK to sign the complied assemblies worked for me [NOTE: I’m developing on Windows 7; if you’re using a different version of Windows, you’ll need to download the right version of the SDK for your environment].

While I’m not much for loads of steps and external utilities, John also gave a simple post-build macro you can have VS run.  Based on this blog, this is what is in my post-build for signing the compiled assembly:

"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe" sign /f [CERTIFICATE PATH] /p [PASSWORD] /t http://tsa.starfieldtech.com "$(TargetPath)"

The [CERTIFICATE PATH] sequence should be replaced with the path where you stored the certificate locally (the PFX file).  The [PASSWORD] sequence should be replaced with your private key password (not the key itself, but the password you used to secure the key).  The rest of the post build event is pretty generic, except the URL parameter for the timestamp server (the stuff that follows /t).  That particular URL is GoDaddy’s timestamp server.  If you’re using a different CA, you should use the server they provide.

I hope this helps other struggling with the same issue.  If anyone has solved the problem of getting VS to handling signing through the properties dialog, I’d love to hear it. 

6 comments:

Ed Alexander said...

I am currently having trouble getting the key from godaddy in the right format.... any advice?

Shawn said...

Ed:

GoDaddy, in my experience, supplies the certificate in a certificate package (SPC is the extension). This is the right starting format, but I suspect you want to get to the PFX format no? You actually need to create this on your own by combining the SPC file with the PVK (your private key file).

Let me know if this helps.

Shawn

Unknown said...

I have a certificate from GoDaddy, and I can get the SPC file. I never say a PVK file. That means I don't have a PFX or a way to get one.

Could you suggest where I went wrong? Where does this PVK file come from? I have a Win7 box.

Shawn said...

Skip:

The PVK file should be automatically downloaded when you "keyed" your certificate. This is the bit I initially missed and, in my experience, the process doesn't work properly in IE 8 (GoDaddy confirmed they didn't support IE 8 at the time I wrote the post). Ultimately, I had to use FireFox to make the process work properly, get the PVK when I keyed my certificate and then extract the PFX using FireFox's certificate store (you can export the PFX after you import the certificate. To sign your code, just follow the article.

I hope this helps.

Shawn

Shawn said...

Skip:

The PVK file should be automatically downloaded when you "keyed" your certificate. This is the bit I initially missed and, in my experience, the process doesn't work properly in IE 8 (GoDaddy confirmed they didn't support IE 8 at the time I wrote the post). Ultimately, I had to use FireFox to make the process work properly, get the PVK when I keyed my certificate and then extract the PFX using FireFox's certificate store (you can export the PFX after you import the certificate. To sign your code, just follow the article.

I hope this helps.

Shawn

Anonymous said...

Also use the /d switch, otherwise vista shows a bad product name in the UAC popup for your installer.