Does anyone know how to disable authenticode signature verification in a .NET executable (to avoid slow startup) without using an application config file? In other words, do this: <configuration> <runtime> <generatePublisherEvidence enabled="false"/> </runtime> </configuration> without an app.config. Is it possible? ...
I'm writing a function for an installer DLL to verify the Authenticode signature of EXE files already installed on the system. The function needs to: A) verify that the signature is valid. B) verify that the signer is our organization. Because this is in an installer, and because this needs to run on older Win2k installations, I...
I'm using CAPICOM in a .NET 3.0 C# app to check an Authenticode signature on an exe file. I need to make sure that the certificate is listed as a Trusted Publisher. Using signedCode.Verify(true) will show a dialog if the certificate is not already trusted, so the user can choose whether or not to do so. However, signedCode.Verify(false) ...
We want to add automatic software updates to our application, but our company isn't yet ready to buy a code-signing certificate from a trusted root CA, so we'll be using a self-signed certificate to sign code updates (.exe and .dll) for now. Question: how to verify a binary signed with a self-signed certificate, without having to instal...
We have an exe file delivered by an ASP.NET application. This binary is actually modified on the fly in memory. Is there any way to sign the modified exe with authenticode in memory without writing to disk? There's probably no way to sign the original exe and still keep the signature valid after modification. We thought about using ra...
I'm looking at options to buy a code signing certificate for my company. I want it to be usable for MS Authenticode and also for Java and I want it to be trusted with the default trusted authority list that ships with a new install of Windows (ie. I don't want the use to have to add a new trusted authority). I've seen previous discussio...
I am writing a windows service which takes an uploaded file, runs signtool.exe on it to do the signing and timestamping and then serves the signed file back. The code for this works when run as a standalone server using twisted however if I try and run it as a service it fails with the error "Signing succeeded, but an error occurred whi...
I have created an MSI installer using Visual Studio 2008. I then sign this with signtool.exe and my authenticode certificate. On a Vista x64 test PC, when the MSI is run the expected dialog appears identifying my company as the publisher. However, when the program is uninstalled from Add/Remove Programs, the yellow "Unidentified Publis...
Hello, I have an authenticode certificate (.pfx) which I use to sign executables. How can I configure Team Build so that it signs every single executable (.exe, .dll, ...) automatically while building the project? ...
I purchased an authenticode certificate from a well known provider. Now I want to strong name an assembly and later on digitally sign it. This is what I've done so far: Extracted public key from pfx by running sn.exe -p keypair.pfx key.snk Checked both "Sign the assembly" and "Delay sign only" checkboxes on project properties signing...
After a TeamBuild project built all files, how can I create a collection of all built .exe and .dll files? For instance, I update all AssemblyInfo versions by creating a property and an itemgroup like so: <PropertyGroup> <AssemblyInfoSpec>AssemblyInfo.*</AssemblyInfoSpec> </PropertyGroup> <Target Name="AfterGet" Condition="'$(IsDesk...
We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software. Our PCI compliance auditor h...
This may be a duplicate, though I can't find it at this time. If so please point me in the right direction. I recently purchased an authenticode certificate from globalsign and am having problems signing my files for deployment. There are a couple of .exe files that are generated by a project and then put into a .msi. When I sign the .e...
I'm looking for the convenient signwizard in signtool.exe but cannot find it anymore in the Windows SDK 7.0. Is it in a separate tool now or is there only the CLI left? ...
I use an assembly of a 3rd party vendor. In an older version this assembly used authenticode. This caused the assembly loading to last quiet long. The developer of the vendor told me that the new version is not signed with authenticode. How can I check if this is true. On my development machine the assembly loading was quiet fast. Only ...
Should a Software Publisher Certificate granted by a third-part Certification Authority be used to generate a Strong Name Key for use with .NET assemblies? Edit: Another way of stating the question is whether code-signing and strong name keys have anything to do with each other or are they each worlds unto their own? ...
When the user visits a page that contains a signed ActiveX control that has never been seen before, I'd expect IE to ask the user for permission to install the control. But sometimes IE puts up a security warning instead. For example, consider this site, which has a test control: http://www.pcpitstop.com/testax.asp I'd expect to get th...
I just purchased a code signing cert (MS authenticode) from THAWTE and have installed it apparently on my build machine. I am logged in as a user and when I open a cmd prompt I can sign EXEs using the cert with signtool.exe. Unfortunately this same command line does not work in the hudson process that is running on the machine. the er...
I'm trying to sing an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe. When I look at the file properties, it says "The certificate in the signature cannot be verified." When I view the certificate it says "Windows does not have enough information to ve...
I have some signed .ps1 script, I need to verify they are properly signed from a C# project, is there any algorithm or library to do this? Thanks! ...